CVE-2008-3637 - Improper Initialization vulnerability in Apple Mac OS X and Mac OS X Server
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
The Hash-based Message Authentication Code (HMAC) provider in Java on Apple Mac OS X 10.4.11, 10.5.4, and 10.5.5 uses an uninitialized variable, which allows remote attackers to execute arbitrary code via a crafted applet, related to an "error checking issue."
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | 6 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions: This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions: This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Nessus
NASL family | MacOS X Local Security Checks |
NASL id | MACOSX_JAVA_10_5_UPDATE2.NASL |
description | The remote Mac OS X 10.5 host is running a version of Java for Mac OS X that is missing update 2. The remote version of this software contains several security vulnerabilities that may allow a rogue Java applet to execute arbitrary code on the remote host. To exploit these flaws, an attacker would need to lure an attacker into executing a rogue Java applet. |
last seen | 2020-03-18 |
modified | 2008-09-25 |
plugin id | 34290 |
published | 2008-09-25 |
reporter | This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/34290 |
title | Mac OS X : Java for Mac OS X 10.5 Update 2 |
code
```
#
# (C) Tenable Network Security, Inc.
#

if ( ! defined_func("bn_random") ) exit(0);

include("compat.inc");

if (description)
{
  script_id(34290);
  script_version("1.16");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/07/14");

  script_cve_id(
    "CVE-2008-1185", "CVE-2008-1186", "CVE-2008-1187", "CVE-2008-1188",
    "CVE-2008-1189", "CVE-2008-1190", "CVE-2008-1191", "CVE-2008-1192",
    "CVE-2008-1193", "CVE-2008-1194", "CVE-2008-1195", "CVE-2008-1196",
    "CVE-2008-3103", "CVE-2008-3104", "CVE-2008-3105", "CVE-2008-3106",
    "CVE-2008-3107", "CVE-2008-3108", "CVE-2008-3109", "CVE-2008-3110",
    "CVE-2008-3111", "CVE-2008-3112", "CVE-2008-3113", "CVE-2008-3114",
    "CVE-2008-3115", "CVE-2008-3637", "CVE-2008-3638"
  );
  script_bugtraq_id(28125, 30144, 30146, 31379, 31380);

  script_name(english:"Mac OS X : Java for Mac OS X 10.5 Update 2");
  script_summary(english:"Check for Java Update 2 on Mac OS X 10.5");

  script_set_attribute(attribute:"synopsis", value:"The remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Mac OS X 10.5 host is running a version of Java for Mac OS X that is missing update 2.
The remote version of this software contains several security vulnerabilities that may allow a rogue Java applet to execute arbitrary code on the remote host. To exploit these flaws, an attacker would need to lure an attacker into executing a rogue Java applet.");
  script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT3179");
  script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2008/Sep/msg00007.html");
  script_set_attribute(attribute:"solution", value:"Upgrade to Java for Mac OS X 10.5 update 2");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
  script_cwe_id(264);
  script_set_attribute(attribute:"patch_publication_date", value:"2008/09/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/09/25");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
  script_family(english:"MacOS X Local Security Checks");
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/MacOSX/packages");
  exit(0);
}

include("misc_func.inc");
include("ssh_func.inc");
include("macosx_func.inc");

if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
  enable_ssh_wrappers();
else
  disable_ssh_wrappers();

function exec(cmd)
{
  local_var ret, buf;

  if ( islocalhost() )
    buf = pread(cmd:"/bin/bash", argv:make_list("bash", "-c", cmd));
  else
  {
    ret = ssh_open_connection();
    if ( ! ret ) exit(0);
    buf = ssh_cmd(cmd:cmd);
    ssh_close_connection();
  }

  if ( buf !~ "^[0-9]" ) exit(0);

  buf = chomp(buf);
  return buf;
}

packages = get_kb_item("Host/MacOSX/packages");
if ( ! packages ) exit(0);

uname = get_kb_item("Host/uname");
# Mac OS X 10.5 only
if ( egrep(pattern:"Darwin.* 9\.", string:uname) )
{
  cmd = _GetBundleVersionCmd(file:"JavaPluginCocoa.bundle", path:"/Library/Internet Plug-Ins", label:"CFBundleVersion");
  buf = exec(cmd:cmd);
  if ( ! strlen(buf) ) exit(0);
  array = split(buf, sep:'.', keep:FALSE);
  # Fixed in version 12.2.0
  if ( int(array[0]) < 12 ||
       (int(array[0]) == 12 && int(array[1]) < 2 ) )
  {
    security_hole(0);
  }
}
```
NASL family | MacOS X Local Security Checks |
NASL id | MACOSX_JAVA_REL7.NASL |
description | The remote Mac OS X 10.4 host is running a version of Java for Mac OS X that is older than release 7. The remote version of this software contains several security vulnerabilities which may allow a rogue java applet to execute arbitrary code on the remote host. To exploit these flaws, an attacker would need to lure an attacker into executing a rogue Java applet. |
last seen | 2020-03-18 |
modified | 2008-09-25 |
plugin id | 34291 |
published | 2008-09-25 |
reporter | This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/34291 |
title | Mac OS X : Java for Mac OS X 10.4 Release 7 |
code
```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(34291);
  script_version("1.16");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/07/14");

  script_cve_id(
    "CVE-2008-1185", "CVE-2008-1186", "CVE-2008-1187", "CVE-2008-1188",
    "CVE-2008-1189", "CVE-2008-1190", "CVE-2008-1191", "CVE-2008-1192",
    "CVE-2008-1193", "CVE-2008-1194", "CVE-2008-1195", "CVE-2008-1196",
    "CVE-2008-3103", "CVE-2008-3104", "CVE-2008-3105", "CVE-2008-3106",
    "CVE-2008-3107", "CVE-2008-3108", "CVE-2008-3109", "CVE-2008-3110",
    "CVE-2008-3111", "CVE-2008-3112", "CVE-2008-3113", "CVE-2008-3114",
    "CVE-2008-3115", "CVE-2008-3637", "CVE-2008-3638"
  );
  script_bugtraq_id(28125, 30144, 30146, 31379, 31380);

  script_name(english:"Mac OS X : Java for Mac OS X 10.4 Release 7");
  script_summary(english:"Check for Java Release 7 on Mac OS X 10.4");

  script_set_attribute(attribute:"synopsis", value:"The remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Mac OS X 10.4 host is running a version of Java for Mac OS X that is older than release 7.
The remote version of this software contains several security vulnerabilities which may allow a rogue java applet to execute arbitrary code on the remote host. To exploit these flaws, an attacker would need to lure an attacker into executing a rogue Java applet.");
  script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT3178");
  script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2008/Sep/msg00008.html");
  script_set_attribute(attribute:"solution", value:"Upgrade to Java for Mac OS X 10.4 release 7 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
  script_cwe_id(264);
  script_set_attribute(attribute:"patch_publication_date", value:"2008/09/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/09/25");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
  script_family(english:"MacOS X Local Security Checks");
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/MacOSX/packages");
  exit(0);
}

include("misc_func.inc");
include("ssh_func.inc");
include("macosx_func.inc");

if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
  enable_ssh_wrappers();
else
  disable_ssh_wrappers();

function exec(cmd)
{
  local_var ret, buf;

  if ( islocalhost() )
    buf = pread(cmd:"/bin/bash", argv:make_list("bash", "-c", cmd));
  else
  {
    ret = ssh_open_connection();
    if ( ! ret ) exit(0);
    buf = ssh_cmd(cmd:cmd);
    ssh_close_connection();
  }

  if ( buf !~ "^[0-9]" ) exit(0);

  buf = chomp(buf);
  return buf;
}

packages = get_kb_item("Host/MacOSX/packages");
if ( ! packages ) exit(0);

uname = get_kb_item("Host/uname");
# Mac OS X 10.4.11 only
if ( egrep(pattern:"Darwin.* 8\.11\.", string:uname) )
{
  cmd = _GetBundleVersionCmd(file:"JavaPluginCocoa.bundle", path:"/Library/Internet Plug-Ins", label:"CFBundleVersion");
  buf = exec(cmd:cmd);
  if ( ! strlen(buf) ) exit(0);
  array = split(buf, sep:'.', keep:FALSE);
  # Fixed in version 11.8.0
  if ( int(array[0]) < 11 ||
       (int(array[0]) == 11 && int(array[1]) < 8 ) )
  {
    security_hole(0);
  }
}
```
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 31379 CVE ID: CVE-2008-3637 CNCVE ID: CNCVE-20083637 Apple Mac OS X is a commercial operating system. The Apple Mac OS X Java applet HMAC provider uses an uninitialized variable, which remote attackers can exploit to execute arbitrary code in the context of the application. The Hash-based Message Authentication Code (HMAC) provider is used to generate MD5 and SHA-A hashes, and it contains an error-checking issue that can lead to the use of an uninitialized variable. Building a malicious Java applet and enticing a user to visit it can result in arbitrary code execution. Affected: Apple Mac OS X Server 10.5.5, Apple Mac OS X Server 10.5.4, Apple Mac OS X Server 10.5.3, Apple Mac OS X Server 10.5.2, Apple Mac OS X Server 10.5.1, Apple Mac OS X Server 10.4.11, Apple Mac OS X Server 10.4.10, Apple Mac OS X Server 10.4.9, Apple Mac OS X Server 10.4.8, Apple Mac OS X Server 10.4.7, Apple Mac OS X Server 10.4.6, Apple Mac OS X Server 10.4.5, Apple Mac OS X Server 10.4.4, Apple Mac OS X Server 10.4.3, Apple Mac OS X Server 10.4.2, Apple Mac OS X Server 10.4.1, Apple Mac OS X Server 10.4, Apple Mac OS X Server 10.5, Apple Mac OS X 10.5.5, Apple Mac OS X 10.5.4, Apple Mac OS X 10.5.3, Apple Mac OS X 10.5.2, Apple Mac OS X 10.5.1, Apple Mac OS X 10.4.11, Apple Mac OS X 10.4.10, Apple Mac OS X 10.4.9, Apple Mac OS X 10.4.8, Apple Mac OS X 10.4.7, Apple Mac OS X 10.4.6, Apple Mac OS X 10.4.5, Apple Mac OS X 10.4.4, Apple Mac OS X 10.4.3, Apple Mac OS X 10.4.2, Apple Mac OS X 10.4.1, Apple Mac OS X 10.4, Apple Mac OS X 10.5. Refer to the following patches: Apple Mac OS X Server 10.4.11: Apple JavaForMacOSX10.4Release7.dmg, Java for Mac OS X 10.4, Release 7, http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=21278&cat=59&platform=osx&method=sa/JavaForMacOSX10.4Release7.dmg; Apple Mac OS X 10.4.11: Apple JavaForMacOSX10.4Release7.dmg, Java for Mac OS X 10.4, Release 7, http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=21278&cat=59&platform=osx&method=sa/JavaForMacOSX10.4Release7.dmg; Apple Mac OS X 10.5.4: Apple JavaForMacOSX10.5Update2.dmg, Java for Mac OS X 10.5 Update 2, http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=21277&cat=59&platform=osx&method=sa/JavaForMacOSX10.5Update2.dmg; Apple Mac OS X Server 10.5.4: Apple JavaForMacOSX10.5Update2.dmg, Java for Mac OS X 10.5 Update 2, http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=21277&cat=59&platform=osx&method=sa/JavaForMacOSX10.5Update2.dmg; Apple Mac OS X Server 10.5.5: Apple JavaForMacOSX10.5Update2.dmg, Java for Mac OS X 10.5 Update 2, http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=21277&cat=59&platform=osx&method=sa/JavaForMacOSX10.5Update2.dmg; Apple Mac OS X 10.5.5: Apple JavaForMacOSX10.5Update2.dmg, Java for Mac OS X 10.5 Update 2, http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=21277&cat=59&platform=osx&method=sa/JavaForMacOSX10.5Update2.dmg |
id | SSV:4122 |
last seen | 2017-11-19 |
modified | 2008-09-27 |
published | 2008-09-27 |
reporter | Root |
title | Apple Mac OS X Java Applet HMAC Provider Handling Remote Code Execution Vulnerability |
References
- http://support.apple.com/kb/HT3179
- http://lists.apple.com/archives/security-announce//2008/Sep/msg00007.html
- http://www.securityfocus.com/bid/31379
- http://support.apple.com/kb/HT3178
- http://secunia.com/advisories/32018
- http://lists.apple.com/archives/security-announce//2008/Sep/msg00008.html
- http://www.securitytracker.com/id?1020943
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45396