Vulnerabilities > CVE-2008-3638 - Code Injection vulnerability in Apple mac OS X and mac OS X Server

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
apple
CWE-94
nessus
NVD
Published: 2008-09-26
Updated: 2024-11-21

Summary

Java on Apple Mac OS X 10.5.4 and 10.5.5 does not prevent applets from accessing file:// URLs, which allows remote attackers to execute arbitrary programs.

Vulnerable Configurations

Part Description Count
OS
Apple
4

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Nessus

  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_JAVA_10_5_UPDATE2.NASL
    descriptionThe remote Mac OS X 10.5 host is running a version of Java for Mac OS X that is missing update 2. The remote version of this software contains several security vulnerabilities that may allow a rogue Java applet to execute arbitrary code on the remote host. To exploit these flaws, an attacker would need to lure an attacker into executing a rogue Java applet.
    last seen2020-03-18
    modified2008-09-25
    plugin id34290
    published2008-09-25
    reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/34290
    titleMac OS X : Java for Mac OS X 10.5 Update 2
    code
    #TRUSTED 260d6fc807ef38ed913cf628160f87535d590e2410b3584adc6d1ce0b8381bb0cf98f4afc92ab9057a03a59c8e07be556856c43a4b41773b7f4d94a567f289f998ec396984d2ac6b5c27f4e456c4d230ba17a3be7a57b730f7993244c9680636ed632118af835c921b4622280846a66965162dfdec583851a6771cd3f7dc479239973797920cface5f8ca76ae86c30c7155c0543e2cc0af3bdaefa5d3d3df57df95216de23f375079d3adea9c258d3c2ffc7e3391860fee202ab5729eead43d5de63c2c73f2cc6ce30b903dad1f8f903eabf631c7702d86501d2d5c4ad9b7bf810aefd5cf34242be3288df1723eb1046914cc56b768ffd9ebde101a5381a0b79a1f3ffcda397b88de8edd80b21dc1059e149a20c927f17e3e557dd1cee069f0e090fcfd05c068d52add2d3da1c5be78383e5c7e81f9b08342dd81728646021d04667aa8088c68826bea9e8e40c78d5c4cec644c8832fc7385878b79618f8d6b3cfb2e6f9a568033c66427f82d3986cbaaccc6ef6f6568d21de4f32970e7490a83ffc4e9d40fd12295f6f974ed2e66365f749f0f262433cd2f46bc2b0e884be3bd2b4bde073b38c6df7b1846f56c6e4e32ed7cfd5d02f0fc38910049deda5c80890fd508c95d668a988dcbe101727a41f0833b19eef6ec4e4c88f59722508d2d9f528c964a532b27beea954873118ae09b3b8630252d66cb83f8a1b31a44f3acb
#
# (C) Tenable Network Security, Inc.
#

if ( ! defined_func("bn_random") ) exit(0);


include("compat.inc");

if (description)
{
 script_id(34290);
 script_version("1.16");
 script_set_attribute(attribute:"plugin_modification_date", value:"2018/07/14");

 script_cve_id(
  "CVE-2008-1185",
  "CVE-2008-1186",
  "CVE-2008-1187",
  "CVE-2008-1188",
  "CVE-2008-1189",
  "CVE-2008-1190",
  "CVE-2008-1191",
  "CVE-2008-1192",
  "CVE-2008-1193",
  "CVE-2008-1194",
  "CVE-2008-1195",
  "CVE-2008-1196",
  "CVE-2008-3103",
  "CVE-2008-3104",
  "CVE-2008-3105",
  "CVE-2008-3106",
  "CVE-2008-3107",
  "CVE-2008-3108",
  "CVE-2008-3109",
  "CVE-2008-3110",
  "CVE-2008-3111",
  "CVE-2008-3112",
  "CVE-2008-3113",
  "CVE-2008-3114",
  "CVE-2008-3115",
  "CVE-2008-3637",
  "CVE-2008-3638"
 );
 script_bugtraq_id(28125, 30144, 30146, 31379, 31380);

 script_name(english:"Mac OS X : Java for Mac OS X 10.5 Update 2");
 script_summary(english:"Check for Java Update 2 on Mac OS X 10.5");

 script_set_attribute(attribute:"synopsis", value:"The remote host is affected by multiple vulnerabilities.");
 script_set_attribute(attribute:"description", value:
"The remote Mac OS X 10.5 host is running a version of Java for Mac OS X
that is missing update 2.

The remote version of this software contains several security
vulnerabilities that may allow a rogue Java applet to execute arbitrary
code on the remote host.

To exploit these flaws, an attacker would need to lure an attacker into
executing a rogue Java applet.");
 script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT3179");
 script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2008/Sep/msg00007.html");
 script_set_attribute(attribute:"solution", value:"Upgrade to Java for Mac OS X 10.5 update 2");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
 script_cwe_id(264);

 script_set_attribute(attribute:"patch_publication_date", value:"2008/09/24");
 script_set_attribute(attribute:"plugin_publication_date", value:"2008/09/25");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
 script_family(english:"MacOS X Local Security Checks");

 script_dependencies("ssh_get_info.nasl");
 script_require_keys("Host/MacOSX/packages");
 exit(0);
}


include("misc_func.inc");
include("ssh_func.inc");
include("macosx_func.inc");


if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
  enable_ssh_wrappers();
else disable_ssh_wrappers();

function exec(cmd)
{
 local_var ret, buf;

 if ( islocalhost() )
  buf = pread(cmd:"/bin/bash", argv:make_list("bash", "-c", cmd));
 else
 {
  ret = ssh_open_connection();
  if ( ! ret ) exit(0);
  buf = ssh_cmd(cmd:cmd);
  ssh_close_connection();
 }

 if ( buf !~ "^[0-9]" ) exit(0);

 buf = chomp(buf);
 return buf;
}


packages = get_kb_item("Host/MacOSX/packages");
if ( ! packages ) exit(0);

uname = get_kb_item("Host/uname");
# Mac OS X 10.5 only
if ( egrep(pattern:"Darwin.* 9\.", string:uname) )
{
 cmd = _GetBundleVersionCmd(file:"JavaPluginCocoa.bundle", path:"/Library/Internet Plug-Ins", label:"CFBundleVersion");
 buf = exec(cmd:cmd);
 if ( ! strlen(buf) ) exit(0);
 array = split(buf, sep:'.', keep:FALSE);
 # Fixed in version 12.2.0
 if ( int(array[0]) < 12 ||
     (int(array[0]) == 12 && int(array[1]) < 2 ) )
 {
   security_hole(0);
 }
}
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_JAVA_REL7.NASL
    descriptionThe remote Mac OS X 10.4 host is running a version of Java for Mac OS X that is older than release 7. The remote version of this software contains several security vulnerabilities which may allow a rogue java applet to execute arbitrary code on the remote host. To exploit these flaws, an attacker would need to lure an attacker into executing a rogue Java applet.
    last seen2020-03-18
    modified2008-09-25
    plugin id34291
    published2008-09-25
    reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/34291
    titleMac OS X : Java for Mac OS X 10.4 Release 7
    code
    #TRUSTED 6001b4ff7b1dd59b074167eff0988cf739fa804ca9db310deab2eafc23a1bde034eecc861a2e25b5f0047c8e71fcd7ff67d5aa755963607af127a47b9936cb4d74b019c7cf9d741030934bd981448a46bb6fa6d73ddfcd4b569c550d0abab292229872b9a07f2481ea9cc960ea233d10a89a1a29312df558a08b17c137580845e2bb47ba5e2284e4458b61555a7ac8583d6df18af174bb0558cf375ed64d7fe2089418826600efb52618d94ac819769a06042005fc53ed227e38d23358bd7542de740e8d69102385d059517d4bad9c78b6aac4a72b83ce48bb5957ff52eb1219f19ad91466063526d81bee1548a970d20513ae5fa99274d5967c9ca800782b9b1098dcfd958687dfe7c8595ba0366d7c98bebac4588130d307ba54d93c4bef381d963c45a4bbcd5c2c8b35844575e81fff945559a1126f6071fe9ef236b1bc4c9a3d3bd41fd0350053e6d24b7f52ae9e0b984d224b01aea2aad04cd26b04026a378178defc4db76b7130169031ebed0cbbb802445aee35c841fd259192b1566b3ca95355caa0a43b5ecaaf3901d3ac0c8c40dce3c3f64985fdeb54fd0fe3db4e7026beea279edaea63b1eca8b6af664b29710f5e29414bdcf0e30e7ee8df1498ffe744e41fb97004486d8406b802a7f476941bc57a9618e2e1d247c885adb62a1b9fd211015434c95a6983bd87c1e6e6909d6405454277cdb1834b2cade289b5
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(34291);
 script_version("1.16");
 script_set_attribute(attribute:"plugin_modification_date", value:"2018/07/14");

 script_cve_id(
  "CVE-2008-1185",
  "CVE-2008-1186",
  "CVE-2008-1187",
  "CVE-2008-1188",
  "CVE-2008-1189",
  "CVE-2008-1190",
  "CVE-2008-1191",
  "CVE-2008-1192",
  "CVE-2008-1193",
  "CVE-2008-1194",
  "CVE-2008-1195",
  "CVE-2008-1196",
  "CVE-2008-3103",
  "CVE-2008-3104",
  "CVE-2008-3105",
  "CVE-2008-3106",
  "CVE-2008-3107",
  "CVE-2008-3108",
  "CVE-2008-3109",
  "CVE-2008-3110",
  "CVE-2008-3111",
  "CVE-2008-3112",
  "CVE-2008-3113",
  "CVE-2008-3114",
  "CVE-2008-3115",
  "CVE-2008-3637",
  "CVE-2008-3638"
 );
 script_bugtraq_id(28125, 30144, 30146, 31379, 31380);

 script_name(english:"Mac OS X : Java for Mac OS X 10.4 Release 7");
 script_summary(english:"Check for Java Release 7 on Mac OS X 10.4");

 script_set_attribute(attribute:"synopsis", value:"The remote host is affected by multiple vulnerabilities.");
 script_set_attribute(attribute:"description", value:
"The remote Mac OS X 10.4 host is running a version of Java for Mac OS X
that is older than release 7.

The remote version of this software contains several security
vulnerabilities which may allow a rogue java applet to execute arbitrary
code on the remote host.

To exploit these flaws, an attacker would need to lure an attacker into
executing a rogue Java applet.");
 script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT3178");
 script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2008/Sep/msg00008.html");
 script_set_attribute(attribute:"solution", value:"Upgrade to Java for Mac OS X 10.4 release 7 or later.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
 script_cwe_id(264);

 script_set_attribute(attribute:"patch_publication_date", value:"2008/09/24");
 script_set_attribute(attribute:"plugin_publication_date", value:"2008/09/25");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
 script_family(english:"MacOS X Local Security Checks");

 script_dependencies("ssh_get_info.nasl");
 script_require_keys("Host/MacOSX/packages");
 exit(0);
}


include("misc_func.inc");
include("ssh_func.inc");
include("macosx_func.inc");


if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
  enable_ssh_wrappers();
else disable_ssh_wrappers();

function exec(cmd)
{
 local_var ret, buf;

 if ( islocalhost() )
  buf = pread(cmd:"/bin/bash", argv:make_list("bash", "-c", cmd));
 else
 {
  ret = ssh_open_connection();
  if ( ! ret ) exit(0);
  buf = ssh_cmd(cmd:cmd);
  ssh_close_connection();
 }

 if ( buf !~ "^[0-9]" ) exit(0);

 buf = chomp(buf);
 return buf;
}


packages = get_kb_item("Host/MacOSX/packages");
if ( ! packages ) exit(0);

uname = get_kb_item("Host/uname");
# Mac OS X 10.4.11 only
if ( egrep(pattern:"Darwin.* 8\.11\.", string:uname) )
{
 cmd = _GetBundleVersionCmd(file:"JavaPluginCocoa.bundle", path:"/Library/Internet Plug-Ins", label:"CFBundleVersion");
 buf = exec(cmd:cmd);
 if ( ! strlen(buf) ) exit(0);
 array = split(buf, sep:'.', keep:FALSE);
 # Fixed in version 11.8.0
 if ( int(array[0]) < 11 ||
     (int(array[0]) == 11 && int(array[1]) < 8 ) )
 {
   security_hole(0);
 }
}

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 31380 CVE ID:CVE-2008-3638 CNCVE ID:CNCVE-20083638 Apple Mac OS X是一款商业性质的操作系统。 Apple Mac OS X不正确处理特殊构建的Java Applet,远程攻击者可以利用漏洞以应用程序上下文执行任意可执行程序。 Java插件没有阻止从file:// URL方式启动,构建恶意的Java Applet,诱使用户装载,可导致'file://' URL装载目标系统上的任意文件,导致任意代码执行。 Apple Mac OS X Server 10.5.5 Apple Mac OS X Server 10.5.4 Apple Mac OS X Server 10.5.3 Apple Mac OS X Server 10.5.2 Apple Mac OS X Server 10.5.1 Apple Mac OS X Server 10.5 Apple Mac OS X 10.5.5 Apple Mac OS X 10.5.4 Apple Mac OS X 10.5.3 Apple Mac OS X 10.5.2 Apple Mac OS X 10.5.1 Apple Mac OS X 10.5 可参考如下补丁程序: Apple Mac OS X 10.5.4 Apple JavaForMacOSX10.5Update2.dmg Java for Mac OS X 10.5 Update 2 <a href=http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=21277&amp;cat= target=_blank>http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=21277&amp;cat=</a> 59&amp;platform=osx&amp;method=sa/JavaForMacOSX10.5Update2.dmg Apple Mac OS X Server 10.5.4 Apple JavaForMacOSX10.5Update2.dmg Java for Mac OS X 10.5 Update 2 <a href=http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=21277&amp;cat= target=_blank>http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=21277&amp;cat=</a> 59&amp;platform=osx&amp;method=sa/JavaForMacOSX10.5Update2.dmg Apple Mac OS X 10.5.5 Apple JavaForMacOSX10.5Update2.dmg Java for Mac OS X 10.5 Update 2 <a href=http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=21277&amp;cat= target=_blank>http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=21277&amp;cat=</a> 59&amp;platform=osx&amp;method=sa/JavaForMacOSX10.5Update2.dmg Apple Mac OS X Server 10.5.5 Apple JavaForMacOSX10.5Update2.dmg Java for Mac OS X 10.5 Update 2 <a href=http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=21277&amp;cat= target=_blank>http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=21277&amp;cat=</a> 59&amp;platform=osx&amp;method=sa/JavaForMacOSX10.5Update2.dmg
idSSV:4121
last seen2017-11-19
modified2008-09-27
published2008-09-27
reporterRoot
titleApple Mac OS X Java插件'file://' URL处理远程代码执行漏洞

References