Vulnerabilities > CVE-2009-2812 - Remote Code Execution vulnerability in Apple Mac OS X Launch Services

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
apple
nessus

Summary

Launch Services in Apple Mac OS X 10.5.8 does not properly recognize an unsafe Uniform Type Identifier (UTI) in an exported document type in a downloaded application, which allows remote attackers to trigger the automatic opening of a file, and execute arbitrary code, via a crafted web site.

Vulnerable Configurations

Part Description Count
OS
Apple
2

Nessus

NASL familyMacOS X Local Security Checks
NASL idMACOSX_SECUPD2009-005.NASL
descriptionThe remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2009-005 applied. This security update contains fixes for the following products : - Alias Manager - CarbonCore - ClamAV - ColorSync - CoreGraphics - CUPS - Flash Player plug-in - ImageIO - Launch Services - MySQL - PHP - SMB - Wiki Server
last seen2020-06-01
modified2020-06-02
plugin id40945
published2009-09-11
reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/40945
titleMac OS X Multiple Vulnerabilities (Security Update 2009-005)
code
#
# (C) Tenable Network Security, Inc.
#


if (!defined_func("bn_random")) exit(0);
if (NASL_LEVEL < 3004) exit(0);

include("compat.inc");


if (description)
{
  script_id(40945);
  script_version("1.21");
  script_cvs_date("Date: 2018/07/14  1:59:35");

  script_cve_id("CVE-2008-2079", "CVE-2008-5498", "CVE-2008-6680", "CVE-2009-0590", "CVE-2009-0591",
                "CVE-2009-0789", "CVE-2009-0949", "CVE-2009-1241", "CVE-2009-1270", "CVE-2009-1271",
                "CVE-2009-1272", "CVE-2009-1371", "CVE-2009-1372", "CVE-2009-1862", "CVE-2009-1863",
                "CVE-2009-1864", "CVE-2009-1865", "CVE-2009-1866", "CVE-2009-1867", "CVE-2009-1868",
                "CVE-2009-1869", "CVE-2009-1870", "CVE-2009-2468", "CVE-2009-2800", "CVE-2009-2803",
                "CVE-2009-2804", "CVE-2009-2805", "CVE-2009-2807", "CVE-2009-2809", "CVE-2009-2811",
                "CVE-2009-2812", "CVE-2009-2813", "CVE-2009-2814");
  script_bugtraq_id(
    29106,
    33002,
    34256,
    34357,
    35759,
    36350,
    36354,
    36355,
    36357,
    36358,
    36359,
    36360,
    36361,
    36363,
    36364
  );

  script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2009-005)");
  script_summary(english:"Check for the presence of Security Update 2009-005");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote host is missing a Mac OS X update that fixes various
security issues."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote host is running a version of Mac OS X 10.5 or 10.4 that
does not have Security Update 2009-005 applied.

This security update contains fixes for the following products :

  - Alias Manager
  - CarbonCore
  - ClamAV
  - ColorSync
  - CoreGraphics
  - CUPS
  - Flash Player plug-in
  - ImageIO
  - Launch Services
  - MySQL
  - PHP
  - SMB
  - Wiki Server"
  );
  script_set_attribute(
    attribute:"see_also", 
    value:"http://support.apple.com/kb/HT3865"
  );
  script_set_attribute(
    attribute:"see_also", 
    value:"http://lists.apple.com/archives/security-announce/2009/Sep/msg00004.html"
  );
  script_set_attribute(
    attribute:"see_also", 
    value:"http://www.securityfocus.com/advisories/17867"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Install Security Update 2009-005 or later."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_cwe_id(20, 59, 79, 94, 119, 189, 200, 264, 287, 399);
  script_set_attribute(attribute:"patch_publication_date", value:"2009/09/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/MacOSX/packages", "Host/uname");
  exit(0);
}

#

uname = get_kb_item("Host/uname");
if (!uname) exit(1, "The 'Host/uname' KB item is missing.");

if (egrep(pattern:"Darwin.* (8\.[0-9]\.|8\.1[01]\.)", string:uname))
{
  packages = get_kb_item("Host/MacOSX/packages");
  if (!packages) exit(1, "The 'Host/MacOSX/packages' KB item is missing.");

  if (egrep(pattern:"^SecUpd(Srvr)?(2009-00[5-9]|20[1-9][0-9]-)", string:packages))
    exit(0, "The host has Security Update 2009-005 or later installed and therefore is not affected.");
  else
    security_hole(0);
}
else if (egrep(pattern:"Darwin.* (9\.[0-8]\.)", string:uname))
{
  packages = get_kb_item("Host/MacOSX/packages/boms");
  if (!packages) exit(1, "The 'Host/MacOSX/packages/boms' KB item is missing.");

  if (egrep(pattern:"^com\.apple\.pkg\.update\.security\.(2009\.00[5-9]|20[1-9][0-9]\.[0-9]+)\.bom", string:packages))
    exit(0, "The host has Security Update 2009-005 or later installed and therefore is not affected.");
  else
    security_hole(0);
}
else exit(0, "The host is not affected.");

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 36354,36355,36357,36358,36359,36360,36361,36363,36364 CVE(CAN) ID: CVE-2009-2800,CVE-2009-2803,CVE-2009-2804,CVE-2009-2805,CVE-2009-2809,CVE-2009-2811,CVE-2009-2812,CVE-2009-2813,CVE-2009-2814 Mac OS X是苹果家族机器所使用的操作系统。 Apple 2009-005安全更新修复了Mac OS X中的多个安全漏洞,本地或远程攻击者可能利用这些漏洞导致拒绝服务、读取敏感信息或执行任意代码。 CVE-2009-2800 Alias Manager在处理别名文件时存在缓冲区溢出漏洞,打开了恶意的别名文件会导致应用程序意外终止或执行任意代码。 CVE-2009-2803 Resource Manager处理资源分支时存在内存破坏,打开带有恶意资源分支的文件会导致应用程序意外终止或执行任意代码。 CVE-2009-2804 在处理带有嵌入式ColorSync配置文件的图形时存在可导致堆溢出的整数溢出,打开恶意图形会导致应用程序意外终止或执行任意代码。 CVE-2009-2805 CoreGraphics处理PDF文件时存在可导致堆溢出的整数溢出,打开包含有恶意JBIG2流的PDF文件会导致应用程序意外终止或执行任意代码。 CVE-2009-2809 ImageIO处理PixarFilm编码的TIFF文件存在多个内存破坏漏洞,打开恶意的TIFF图形会导致应用程序意外终止或执行任意代码。 CVE-2009-2811 这个更新向系统在某些情况下(如从邮件下载时)会标记为不安全内容类型的类别中添加了.fileloc类型。尽管不会自动打开这种内容类型,如果手动打开可能会执行恶意负载。 CVE-2009-2812 在下载应用时Launch服务会分析所导出的文档类型。处理导出文档类型中的设计问题可能导致Launch服务将安全的文件扩展名关联到不安全的UTI。访问恶意的网站可能导致自动打开不安全的文件类型。 CVE-2009-2813 Samba中存在未检查的出错情况,没有配置主目录且连接到了Windows文件共享服务的用户可以访问仅限于本地文件系统权限的文件系统内容。 CVE-2009-2814 Wiki服务器处理包含有非UTF-8编码数据的搜索请求时存在跨站脚本漏洞,这可能允许远程攻击者以执行搜索用户的权限访问Wiki服务器。 Apple Mac OS X 10.5.x Apple Mac OS X 10.4.x Apple MacOS X Server 10.5.x Apple MacOS X Server 10.4.x 厂商补丁: Apple ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.apple.com/support/downloads/
idSSV:12320
last seen2017-11-19
modified2009-09-16
published2009-09-16
reporterRoot
titleApple Mac OS X 2009-005更新修复多个安全漏洞