Vulnerabilities > CVE-2008-2310 - USE of Externally-Controlled Format String vulnerability in Apple mac OS X and mac OS X Server

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
apple
CWE-134
nessus

Summary

Format string vulnerability in c++filt in Apple Mac OS X 10.5 before 10.5.4 allows user-assisted attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted string in (1) C++ or (2) Java source code.

Vulnerable Configurations

Part Description Count
OS
Apple
110

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Format String Injection
    An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An attacker can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
  • String Format Overflow in syslog()
    This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.

Nessus

  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_10_5_4.NASL
    descriptionThe remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.4. Mac OS X 10.5.4 contains security fixes for multiple components.
    last seen2020-06-01
    modified2020-06-02
    plugin id33281
    published2008-07-01
    reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33281
    titleMac OS X 10.5.x < 10.5.4 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    if (!defined_func("bn_random")) exit(0);
    if ( NASL_LEVEL < 3004 ) exit(0);
    
    
    
    include("compat.inc");
    
    if (description)
    {
      script_id(33281);
      script_version("1.22");
      script_cvs_date("Date: 2018/07/14  1:59:35");
    
      script_cve_id("CVE-2005-3164", "CVE-2007-1355", "CVE-2007-2449", "CVE-2007-2450", "CVE-2007-3382",
                    "CVE-2007-3383", "CVE-2007-3385", "CVE-2007-5333", "CVE-2007-5461", "CVE-2007-6276",
                    "CVE-2008-0960", "CVE-2008-1105", "CVE-2008-1145", "CVE-2008-2307", "CVE-2008-2308",
                    "CVE-2008-2309", "CVE-2008-2310", "CVE-2008-2311", "CVE-2008-2313", "CVE-2008-2314",
                    "CVE-2008-2662", "CVE-2008-2663", "CVE-2008-2664", "CVE-2008-2725", "CVE-2008-2726");
      script_bugtraq_id(15003, 24058, 24475, 24476, 24999, 25316, 26070, 26699, 27706,
                        28123, 29404, 29623, 29836, 30018);
      script_xref(name:"Secunia", value:"30802");
    
      script_name(english:"Mac OS X 10.5.x < 10.5.4 Multiple Vulnerabilities");
      script_summary(english:"Check the version of Mac OS X");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a Mac OS X update that fixes various
    security issues." );
      script_set_attribute(attribute:"description", value:
    "The remote host is running a version of Mac OS X 10.5.x that is prior
    to 10.5.4. 
    
    Mac OS X 10.5.4 contains security fixes for multiple components.");
      script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT2163" );
      script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2008/Jun/msg00002.html" );
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Mac OS X 10.5.4 or later." );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
      script_cwe_id(22, 59, 79, 119, 134, 189, 200, 264, 287, 362, 399);
    
      script_set_attribute(attribute:"plugin_publication_date", value: "2008/07/01");
      script_set_attribute(attribute:"vuln_publication_date", value: "2005/09/30");
      script_set_attribute(attribute:"patch_publication_date", value: "2008/06/30");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
      script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
      script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
      exit(0);
    }
    
    
    os = get_kb_item("Host/MacOSX/Version");
    if (!os) os = get_kb_item("Host/OS");
    if (!os) exit(0);
    
    if (ereg(pattern:"Mac OS X 10\.5\.[0-3]([^0-9]|$)", string:os)) security_hole(0);
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2008-004.NASL
    descriptionThe remote host is running a version of Mac OS X 10.4 that does not have the security update 2008-004 applied. This update contains security fixes for a number of programs.
    last seen2020-06-01
    modified2020-06-02
    plugin id33282
    published2008-07-01
    reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33282
    titleMac OS X Multiple Vulnerabilities (Security Update 2008-004)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    if (!defined_func("bn_random")) exit(0);
    if ( NASL_LEVEL < 3004 ) exit(0);
    
    
    
    include("compat.inc");
    
    if (description)
    {
      script_id(33282);
      script_version("1.26");
      script_cvs_date("Date: 2018/07/14  1:59:35");
    
      script_cve_id("CVE-2005-3164", "CVE-2007-1355", "CVE-2007-2449", "CVE-2007-2450", "CVE-2007-3382",
                    "CVE-2007-3383", "CVE-2007-3385", "CVE-2007-5333", "CVE-2007-5461", "CVE-2007-6276",
                    "CVE-2008-0960", "CVE-2008-1105", "CVE-2008-1145", "CVE-2008-2307", "CVE-2008-2308",
                    "CVE-2008-2309", "CVE-2008-2310", "CVE-2008-2311", "CVE-2008-2313", "CVE-2008-2314",
                    "CVE-2008-2662", "CVE-2008-2663", "CVE-2008-2664", "CVE-2008-2725", "CVE-2008-2726");
      script_bugtraq_id(15003, 24058, 24475, 24476, 24999, 25316, 26070, 26699, 27706, 28123, 29404, 29623, 29836, 30018);
      script_xref(name:"Secunia", value:"30802");
    
      script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2008-004)");
      script_summary(english:"Check for the presence of Security Update 2008-004");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a Mac OS X update that fixes various
    security issues." );
      script_set_attribute(attribute:"description", value:
    "The remote host is running a version of Mac OS X 10.4 that does not
    have the security update 2008-004 applied. 
    
    This update contains security fixes for a number of programs." );
      script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT2163" );
      script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2008/Jun/msg00002.html" );
      script_set_attribute(attribute:"solution", value:
    "Install Security Update 2008-004 or later." );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
      script_cwe_id(22, 59, 79, 119, 134, 189, 200, 264, 287, 362, 399);
    
      script_set_attribute(attribute:"plugin_publication_date", value: "2008/07/01");
      script_set_attribute(attribute:"vuln_publication_date", value: "2005/09/30");
      script_set_attribute(attribute:"patch_publication_date", value: "2008/06/30");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
      script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/MacOSX/packages", "Host/uname");
      exit(0);
    }
    
    #
    
    uname = get_kb_item("Host/uname");
    if (!uname) exit(0);
    
    if (egrep(pattern:"Darwin.* (8\.[0-9]\.|8\.1[01]\.)", string:uname))
    {
      packages = get_kb_item("Host/MacOSX/packages");
      if (!packages) exit(0);
    
      if (!egrep(pattern:"^SecUpd(Srvr)?(2008-00[4-8]|2009-|20[1-9][0-9]-)", string:packages))
        security_hole(0);
    }
    

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 30018 CVE(CAN) ID: CVE-2008-2308,CVE-2008-2309,CVE-2008-2310,CVE-2008-2314,CVE-2008-2311,CVE-2008-2313 Mac OS X是苹果家族机器所使用的操作系统。 Apple 2008-004安全更新修复了Mac OS X中的多个安全漏洞,本地或远程攻击者可能利用这些漏洞造成多种威胁。 CVE-2008-2308 在处理别名数据结构的AFP卷标加载信息时存在内存破坏漏洞,解析了包含有恶意卷标加载信息的别名会导致应用程序意外终止或执行任意指令。 CVE-2008-2309 这个更新向系统的内容类型列表添加了在某些环境下(如从网页下载时)标记为不安全的.xht和.xhtm文件。尽管不会自动加载这些内容类型,但手动打开的话可能导致执行恶意负载。 CVE-2008-2310 c++filt调试工具中存在格式串错误,向c++filt传送特制的字符串可能导致应用程序意外终止或执行任意指令。 CVE-2008-2314 如果将系统设置为需要口令才能唤醒休眠或屏保,且设置了Exposé热键,则物理访问的用户无需输入口令就可以访问系统。 CVE-2008-2311 当链接的目标在很窄的验证时间窗口发生变化时,符号链接的下载验证就会出现竞争条件。如果在Safari中启用了“打开安全文件”选项,访问恶意站点就会导致在用户系统中打开文件。 CVE-2008-2313 在创建新用户时本地用户可以用将会称为主目录一部分的文件添加User Template目录,导致以新用户的权限执行任意指令。 Apple Mac OS X 10.5.3 Apple Mac OS X 10.4.11 Apple MacOS X Server 10.5.3 Apple MacOS X Server 10.4.11 Apple ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://www.apple.com target=_blank>http://www.apple.com</a>
idSSV:3514
last seen2017-11-19
modified2008-07-01
published2008-07-01
reporterRoot
titleApple Mac OS X 2008-004更新修复多个安全漏洞

Statements

contributorMark J Cox
lastmodified2008-07-04
organizationRed Hat
statementNot vulnerable. This issue does not affect the version of c++filt as shipped with binutils in Red Hat Enterprise Linux 3 or 4. Although this bug is present in the version of c++filt as shipped with binutils in Red Hat Enterprise Linux 5, the format string protection from FORTIFY_SOURCE makes this unexploitable.