Vulnerabilities > CVE-2009-2804 - Numeric Errors vulnerability in Apple mac OS X, mac OS X Server and Safari
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Integer overflow in ColorSync in Apple Mac OS X 10.4.11 and 10.5.8, and Safari before 4.0.4 on Windows, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted ColorSync profile embedded in an image, leading to a heap-based buffer overflow.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Windows NASL id SAFARI_4_0_4.NASL description The version of Safari installed on the remote Windows host is earlier than 4.0.4. Such versions are potentially affected by several issues : - An integer overflow in the handling of images with an embedded color profile could lead to a crash or arbitrary code execution. (CVE-2009-2804) - Multiple use-after-free issues exist in libxml2, the most serious of which could lead to a program crash. (CVE-2009-2414, CVE-2009-2416) - An issue in the handling of navigations initiated via the last seen 2020-06-01 modified 2020-06-02 plugin id 42478 published 2009-11-12 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42478 title Safari < 4.0.4 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(42478); script_version("1.16"); script_cve_id( "CVE-2009-2804", "CVE-2009-2414", "CVE-2009-2416", "CVE-2009-2816", "CVE-2009-2842", "CVE-2009-3384" ); script_bugtraq_id(36357, 36994, 36995, 36997); script_name(english:"Safari < 4.0.4 Multiple Vulnerabilities"); script_summary(english:"Checks Safari's version number"); script_set_attribute( attribute:"synopsis", value: "The remote host contains a web browser that is affected by several vulnerabilities." ); script_set_attribute( attribute:"description", value: "The version of Safari installed on the remote Windows host is earlier than 4.0.4. Such versions are potentially affected by several issues : - An integer overflow in the handling of images with an embedded color profile could lead to a crash or arbitrary code execution. (CVE-2009-2804) - Multiple use-after-free issues exist in libxml2, the most serious of which could lead to a program crash. (CVE-2009-2414, CVE-2009-2416) - An issue in the handling of navigations initiated via the 'Open Image in New Tab', 'Open Image in New Window' or 'Open Link in New Tab' shortcut menu options could be exploited to load a local HTML file, leading to disclosure of sensitive information. (CVE-2009-2842) - An issue involving WebKit's inclusion of custom HTTP headers specified by a requesting page in preflight requests in support of Cross-Origin Resource Sharing can facilitate cross-site request forgery attacks. (CVE-2009-2816) - Multiple issues in WebKit's handling of FTP directory listings may lead to information disclosure, unexpected application termination, or execution of arbitrary code. (CVE-2009-3384)" ); script_set_attribute( attribute:"see_also", value:"http://support.apple.com/kb/HT3949" ); script_set_attribute( attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2009/Nov/msg00001.html" ); script_set_attribute( attribute:"see_also", value:"http://www.securityfocus.com/advisories/18277" ); script_set_attribute( attribute:"solution", value:"Upgrade to Safari 4.0.4 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(119, 189, 352, 399); script_set_attribute( attribute:"vuln_publication_date", value:"2009/11/11" ); script_set_attribute( attribute:"patch_publication_date", value:"2009/11/11" ); script_set_attribute( attribute:"plugin_publication_date", value:"2009/11/12" ); script_cvs_date("Date: 2018/07/27 18:38:15"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:safari"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_dependencies("safari_installed.nasl"); script_require_keys("SMB/Safari/FileVersion"); exit(0); } include("global_settings.inc"); path = get_kb_item("SMB/Safari/Path"); version = get_kb_item("SMB/Safari/FileVersion"); if (isnull(version)) exit(0); ver = split(version, sep:'.', keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); if ( ver[0] < 5 || ( ver[0] == 5 && ( ver[1] < 31 || ( ver[1] == 31 && ( ver[2] < 21 || (ver[2] == 21 && ver[3] < 10) ) ) ) ) ) { if (report_verbosity > 0) { if (isnull(path)) path = "n/a"; prod_version = get_kb_item("SMB/Safari/ProductVersion"); if (!isnull(prod_version)) version = prod_version; report = string( "\n", "Nessus collected the following information about the current install\n", "of Safari on the remote host :\n", "\n", " Version : ", version, "\n", " Path : ", path, "\n" ); security_hole(port:get_kb_item("SMB/transport"), extra:report); } else security_hole(get_kb_item("SMB/transport")); }NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD2009-005.NASL description The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2009-005 applied. This security update contains fixes for the following products : - Alias Manager - CarbonCore - ClamAV - ColorSync - CoreGraphics - CUPS - Flash Player plug-in - ImageIO - Launch Services - MySQL - PHP - SMB - Wiki Server last seen 2020-06-01 modified 2020-06-02 plugin id 40945 published 2009-09-11 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40945 title Mac OS X Multiple Vulnerabilities (Security Update 2009-005) code # # (C) Tenable Network Security, Inc. # if (!defined_func("bn_random")) exit(0); if (NASL_LEVEL < 3004) exit(0); include("compat.inc"); if (description) { script_id(40945); script_version("1.21"); script_cvs_date("Date: 2018/07/14 1:59:35"); script_cve_id("CVE-2008-2079", "CVE-2008-5498", "CVE-2008-6680", "CVE-2009-0590", "CVE-2009-0591", "CVE-2009-0789", "CVE-2009-0949", "CVE-2009-1241", "CVE-2009-1270", "CVE-2009-1271", "CVE-2009-1272", "CVE-2009-1371", "CVE-2009-1372", "CVE-2009-1862", "CVE-2009-1863", "CVE-2009-1864", "CVE-2009-1865", "CVE-2009-1866", "CVE-2009-1867", "CVE-2009-1868", "CVE-2009-1869", "CVE-2009-1870", "CVE-2009-2468", "CVE-2009-2800", "CVE-2009-2803", "CVE-2009-2804", "CVE-2009-2805", "CVE-2009-2807", "CVE-2009-2809", "CVE-2009-2811", "CVE-2009-2812", "CVE-2009-2813", "CVE-2009-2814"); script_bugtraq_id( 29106, 33002, 34256, 34357, 35759, 36350, 36354, 36355, 36357, 36358, 36359, 36360, 36361, 36363, 36364 ); script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2009-005)"); script_summary(english:"Check for the presence of Security Update 2009-005"); script_set_attribute( attribute:"synopsis", value: "The remote host is missing a Mac OS X update that fixes various security issues." ); script_set_attribute( attribute:"description", value: "The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2009-005 applied. This security update contains fixes for the following products : - Alias Manager - CarbonCore - ClamAV - ColorSync - CoreGraphics - CUPS - Flash Player plug-in - ImageIO - Launch Services - MySQL - PHP - SMB - Wiki Server" ); script_set_attribute( attribute:"see_also", value:"http://support.apple.com/kb/HT3865" ); script_set_attribute( attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2009/Sep/msg00004.html" ); script_set_attribute( attribute:"see_also", value:"http://www.securityfocus.com/advisories/17867" ); script_set_attribute( attribute:"solution", value:"Install Security Update 2009-005 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_cwe_id(20, 59, 79, 94, 119, 189, 200, 264, 287, 399); script_set_attribute(attribute:"patch_publication_date", value:"2009/09/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/11"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/MacOSX/packages", "Host/uname"); exit(0); } # uname = get_kb_item("Host/uname"); if (!uname) exit(1, "The 'Host/uname' KB item is missing."); if (egrep(pattern:"Darwin.* (8\.[0-9]\.|8\.1[01]\.)", string:uname)) { packages = get_kb_item("Host/MacOSX/packages"); if (!packages) exit(1, "The 'Host/MacOSX/packages' KB item is missing."); if (egrep(pattern:"^SecUpd(Srvr)?(2009-00[5-9]|20[1-9][0-9]-)", string:packages)) exit(0, "The host has Security Update 2009-005 or later installed and therefore is not affected."); else security_hole(0); } else if (egrep(pattern:"Darwin.* (9\.[0-8]\.)", string:uname)) { packages = get_kb_item("Host/MacOSX/packages/boms"); if (!packages) exit(1, "The 'Host/MacOSX/packages/boms' KB item is missing."); if (egrep(pattern:"^com\.apple\.pkg\.update\.security\.(2009\.00[5-9]|20[1-9][0-9]\.[0-9]+)\.bom", string:packages)) exit(0, "The host has Security Update 2009-005 or later installed and therefore is not affected."); else security_hole(0); } else exit(0, "The host is not affected.");
Seebug
bulletinFamily exploit description BUGTRAQ ID: 36354,36355,36357,36358,36359,36360,36361,36363,36364 CVE(CAN) ID: CVE-2009-2800,CVE-2009-2803,CVE-2009-2804,CVE-2009-2805,CVE-2009-2809,CVE-2009-2811,CVE-2009-2812,CVE-2009-2813,CVE-2009-2814 Mac OS X是苹果家族机器所使用的操作系统。 Apple 2009-005安全更新修复了Mac OS X中的多个安全漏洞,本地或远程攻击者可能利用这些漏洞导致拒绝服务、读取敏感信息或执行任意代码。 CVE-2009-2800 Alias Manager在处理别名文件时存在缓冲区溢出漏洞,打开了恶意的别名文件会导致应用程序意外终止或执行任意代码。 CVE-2009-2803 Resource Manager处理资源分支时存在内存破坏,打开带有恶意资源分支的文件会导致应用程序意外终止或执行任意代码。 CVE-2009-2804 在处理带有嵌入式ColorSync配置文件的图形时存在可导致堆溢出的整数溢出,打开恶意图形会导致应用程序意外终止或执行任意代码。 CVE-2009-2805 CoreGraphics处理PDF文件时存在可导致堆溢出的整数溢出,打开包含有恶意JBIG2流的PDF文件会导致应用程序意外终止或执行任意代码。 CVE-2009-2809 ImageIO处理PixarFilm编码的TIFF文件存在多个内存破坏漏洞,打开恶意的TIFF图形会导致应用程序意外终止或执行任意代码。 CVE-2009-2811 这个更新向系统在某些情况下(如从邮件下载时)会标记为不安全内容类型的类别中添加了.fileloc类型。尽管不会自动打开这种内容类型,如果手动打开可能会执行恶意负载。 CVE-2009-2812 在下载应用时Launch服务会分析所导出的文档类型。处理导出文档类型中的设计问题可能导致Launch服务将安全的文件扩展名关联到不安全的UTI。访问恶意的网站可能导致自动打开不安全的文件类型。 CVE-2009-2813 Samba中存在未检查的出错情况,没有配置主目录且连接到了Windows文件共享服务的用户可以访问仅限于本地文件系统权限的文件系统内容。 CVE-2009-2814 Wiki服务器处理包含有非UTF-8编码数据的搜索请求时存在跨站脚本漏洞,这可能允许远程攻击者以执行搜索用户的权限访问Wiki服务器。 Apple Mac OS X 10.5.x Apple Mac OS X 10.4.x Apple MacOS X Server 10.5.x Apple MacOS X Server 10.4.x 厂商补丁: Apple ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.apple.com/support/downloads/ id SSV:12320 last seen 2017-11-19 modified 2009-09-16 published 2009-09-16 reporter Root title Apple Mac OS X 2009-005更新修复多个安全漏洞 bulletinFamily exploit description BUGTRAQ ID: 36357,36010,36994,36995,36997,36996 CVE ID: CVE-2009-2804,CVE-2009-2414,CVE-2009-2416,CVE-2009-2842,CVE-2009-2816,CVE-2009-3384,CVE-2009-2841 Safari是苹果家族机器操作系统中默认捆绑的WEB浏览器。 远程攻击者可以利用Safari浏览器中的多个错误导致拒绝服务、读取敏感信息或执行任意代码。 CVE-2009-2804 处理包含有嵌入式颜色配置文件的图形时存在可导致堆溢出的整数溢出,用户受骗打开恶意图形就可能导致浏览器崩溃或执行任意代码。 CVE-2009-2414,CVE-2009-2416 libxml2库中的多个释放后使用漏洞可能导致浏览器意外终止。 CVE-2009-2842 Safari处理通过“在新标签页中打开图形”、“在新窗口中打开图形”或“在新标签页中打开链接”快捷菜单选项所初始化的导航时存在漏洞,对恶意网站使用这些选项可能加载本地HTM文件,导致泄漏敏感信息。 CVE-2009-2816 WebKit实现跨源资源共享的方式存在漏洞。在允许一个源的页面访问另一个源中资源之前,WebKit向后者服务器发送了preflight请求。由于WebKit包含有preflight所请求页面指定的自定义HTTP头,这有利于跨站请求伪造攻击。 CVE-2009-3384 WebKit处理FTP列出目录方式存在多个漏洞,访问恶意的FTP服务器可能导致信息泄露、浏览器意外终止或执行任意代码。 CVE-2009-2841 WebKit遇到指向外部资源的HTML 5媒体元素时没有发布资源加载回调来判断是否应加装资源,这可能导致对远程服务器的非预期请求。例如,HTML格式邮件的发件人可以判断消息是否已读。 Apple Safari 4.x 厂商补丁: Apple ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.apple.com/safari/download/ id SSV:12627 last seen 2017-11-19 modified 2009-11-13 published 2009-11-13 reporter Root title Safari 4.0.4版本修复多个安全漏洞
References
- http://lists.apple.com/archives/security-announce/2009/Nov/msg00001.html
- http://lists.apple.com/archives/security-announce/2009/Sep/msg00004.html
- http://osvdb.org/57949
- http://secunia.com/advisories/36701
- http://secunia.com/advisories/37346
- http://support.apple.com/kb/HT3865
- http://support.apple.com/kb/HT3949
- http://www.securityfocus.com/bid/36357
- http://www.vupen.com/english/advisories/2009/3217
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53166