Vulnerabilities > CVE-2009-2829 - Credentials Management vulnerability in Apple mac OS X Server 10.5.8

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
apple
CWE-255
nessus
NVD
Published: 2009-11-10
Updated: 2009-11-17

Summary

Event Monitor in Apple Mac OS X 10.5.8 does not properly handle crafted authentication data sent to an SSH daemon, which allows remote attackers to cause a denial of service via vectors involving processing of XML log documents by other services, related to a "log injection" issue. Per: http://support.apple.com/kb/HT3937 "This issue affects Mac OS X Server systems only"

Vulnerable Configurations

Part Description Count
OS
Apple
1

Common Weakness Enumeration (CWE)

Nessus

NASL familyMacOS X Local Security Checks
NASL idMACOSX_SECUPD2009-006.NASL
descriptionThe remote host is running a version of Mac OS X 10.5 that does not have Security Update 2009-006 applied. This security update contains fixes for the following products : - AFP Client - Adaptive Firewall - Apache - Apache Portable Runtime - ATS - Certificate Assistant - CoreGraphics - CUPS - Dictionary - DirectoryService - Disk Images - Event Monitor - fetchmail - FTP Server - Help Viewer - International Components for Unicode - IOKit - IPSec - libsecurity - libxml - OpenLDAP - OpenSSH - PHP - QuickDraw Manager - QuickLook - FreeRADIUS - Screen Sharing - Spotlight - Subversion
last seen2020-06-01
modified2020-06-02
plugin id42433
published2009-11-09
reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/42433
titleMac OS X Multiple Vulnerabilities (Security Update 2009-006)
code
#
# (C) Tenable Network Security, Inc.
#


if (!defined_func("bn_random")) exit(0);
if (NASL_LEVEL < 3000) exit(0);


include("compat.inc");


if (description)
{
  script_id(42433);
  script_version("1.27");

  script_cve_id(
    "CVE-2007-5707",
    "CVE-2007-6698",
    "CVE-2008-0658",
    "CVE-2008-5161",
    "CVE-2009-0023",
    "CVE-2009-1191",
    "CVE-2009-1195",
    "CVE-2009-1574",
    "CVE-2009-1632",
    "CVE-2009-1890",
    "CVE-2009-1891",
    "CVE-2009-1955",
    "CVE-2009-1956",
    "CVE-2009-2408",
    "CVE-2009-2409",
    "CVE-2009-2411",
    "CVE-2009-2412",
    "CVE-2009-2414",
    "CVE-2009-2416",
    "CVE-2009-2666",
    "CVE-2009-2808",
    "CVE-2009-2818",
    "CVE-2009-2819",
    "CVE-2009-2820",
    "CVE-2009-2823",
    "CVE-2009-2824",
    "CVE-2009-2825",
    "CVE-2009-2826",
    "CVE-2009-2827",
    "CVE-2009-2828",
    "CVE-2009-2829",
    "CVE-2009-2831",
    "CVE-2009-2832",
    "CVE-2009-2833",
    "CVE-2009-2834",
    "CVE-2009-2837",
    "CVE-2009-2838",
    "CVE-2009-2839",
    "CVE-2009-2840",
    "CVE-2009-3111",
    "CVE-2009-3291",
    "CVE-2009-3292",
    "CVE-2009-3293"
  );
  script_bugtraq_id(
    26245,
    27778,
    34663,
    35115,
    35221,
    35251,
    35565,
    35623,
    35888,
    35983,
    36263,
    36449,
    36959,
    36961,
    36962,
    36963,
    36964,
    36966,
    36967,
    36972,
    36973,
    36975,
    36977,
    36978,
    36979,
    36982,
    36985,
    36988,
    36990
  );

  script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2009-006)");
  script_summary(english:"Check for the presence of Security Update 2009-006");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote host is missing a Mac OS X update that fixes various
security issues."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote host is running a version of Mac OS X 10.5 that does not
have Security Update 2009-006 applied.

This security update contains fixes for the following products :

  - AFP Client
  - Adaptive Firewall
  - Apache
  - Apache Portable Runtime
  - ATS
  - Certificate Assistant
  - CoreGraphics
  - CUPS
  - Dictionary
  - DirectoryService
  - Disk Images
  - Event Monitor
  - fetchmail
  - FTP Server
  - Help Viewer
  - International Components for Unicode
  - IOKit
  - IPSec
  - libsecurity
  - libxml
  - OpenLDAP
  - OpenSSH
  - PHP
  - QuickDraw Manager
  - QuickLook
  - FreeRADIUS
  - Screen Sharing
  - Spotlight
  - Subversion"
  );
  script_set_attribute(
    attribute:"see_also", 
    value:"http://support.apple.com/kb/HT3937"
  );
  script_set_attribute(
    attribute:"see_also", 
    value:"http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html"
  );
  script_set_attribute(
    attribute:"see_also", 
    value:"http://www.securityfocus.com/advisories/18255"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Install Security Update 2009-006 or later."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_cwe_id(16, 20, 79, 119, 189, 200, 255, 264, 310, 399);
  script_set_attribute(attribute:"vuln_publication_date", value:"2009/11/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/11/09");
  script_cvs_date("Date: 2018/07/16 12:48:31");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/MacOSX/packages", "Host/uname");

  exit(0);
}


uname = get_kb_item("Host/uname");
if (!uname) exit(1, "The 'Host/uname' KB item is missing.");

pat = "^.+Darwin.* ([0-9]+\.[0-9.]+).*$";
if (!ereg(pattern:pat, string:uname)) exit(1, "Can't identify the Darwin kernel version from the uname output ("+uname+").");

darwin = ereg_replace(pattern:pat, replace:"\1", string:uname);
if (ereg(pattern:"^(9\.[0-8]\.)", string:darwin))
{
  packages = get_kb_item("Host/MacOSX/packages/boms");
  if (!packages) exit(1, "The 'Host/MacOSX/packages/boms' KB item is missing.");

  if (egrep(pattern:"^com\.apple\.pkg\.update\.security\.(2009\.00[6-9]|20[1-9][0-9]\.[0-9]+)\.bom", string:packages))
    exit(0, "The host has Security Update 2009-006 or later installed and therefore is not affected.");
  else
    security_hole(0);
}
else exit(0, "The host is running Darwin kernel version "+darwin+" and therefore is not affected.");

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 36956 CVE ID: CVE-2009-2808,CVE-2009-2810,CVE-2009-2818,CVE-2009-2819,CVE-2009-2820,CVE-2009-2823,CVE-2009-2824,CVE-2009-2825,CVE-2009-2826,CVE-2009-2827,CVE-2009-2828,CVE-2009-2829,CVE-2009-2830,CVE-2009-2831,CVE-2009-2832,CVE-2009-2833,CVE-2009-2834,CVE-2009-2835,CVE-2009-2837,CVE-2009-2838,CVE-2009-2839,CVE-2009-2840 Mac OS X是苹果家族机器所使用的操作系统。 Apple 2009-006安全更新修复了Mac OS X中的多个安全漏洞,本地或远程攻击者可能利用这些漏洞导致拒绝服务、读取敏感信息或执行任意代码。 CVE-2009-2808 Help Viewer没有使用HTTPS查看Apple Help内容,本地网络中的用户可以发送包含有恶意help:runscript链接的伪造HTTP响应。 CVE-2009-2810 在调用Launch服务打开被隔离的文件夹时会递归的清除文件夹中文件的隔离信息,而被清除的隔离信息用户在打开项之前触发用户警告。这可能允许在没有警告对话框的情况下启动不安全的项,如应用程序。 CVE-2009-2818 自适应防火墙通过创建临时规则限制访问来响应可疑行为,如大量的访问尝试。在某些环境下,自适应防火墙可能无法检测使用无效用户名的SSH登录尝试。 CVE-2009-2819 AFP客户端中存在多个内存破坏漏洞,连接到恶意的AFP服务器可能导致系统意外终止或以系统权限执行任意代码。 CVE-2009-2820 CUPS中的漏洞可能导致跨站脚本和HTTP响应拆分,访问恶意网页或URL可能允许攻击者通过CUPS web接口访问本地用户可用的内容,包括打印系统配置和已打印任务的标题。 CVE-2009-2823 Apache Web服务器允许TRACE HTTP方式,远程攻击者可以利用这个工具通过某些Web客户端软件执行跨站脚本攻击。 CVE-2009-2824 Apple类型服务处理嵌入式字体的方式存在多个缓冲区溢出,查看或下载包含有恶意嵌入式字体的文档可能导致执行任意代码。 CVE-2009-2825 在处理CN字段中包含有空字符的SSL证书时存在错误,用户可能被误导接受外观类似于匹配用户所访问域的特制证书。 CVE-2009-2826 CoreGraphics处理PDF文件存在多个可导致堆溢出的整数溢出,打开恶意PDF文件可能导致应用程序意外终止或执行任意代码。 CVE-2009-2827 处理包含有FAT文件系统的磁盘镜像时存在堆溢出,下载恶意的磁盘镜像可能导致应用程序意外终止或执行任意代码。 CVE-2009-2828 DirectoryService中的内存破坏漏洞可能导致应用程序意外终止或执行任意代码。 CVE-2009-2829 Event Monitor中存在日志注入漏洞,通过特制认证信息连接到SSH服务器就可以导致日志注入。当其他服务处理日志数据时这可能导致拒绝服务。 CVE-2009-2830 文件命令行工具中存在多个缓冲区溢出漏洞,对恶意的CDF文件运行文件命令可能导致应用程序意外终止或执行任意代码。 CVE-2009-2831 Dictionary中的设计错误允许恶意的Javascript向用户文件系统的任意位置写入任意数据,这可能允许本地网络中的其他用户在用户系统上执行任意代码。 CVE-2009-2832 FTP服务器的CWD命令行工具中存在缓冲区溢出,对深层嵌套的目录结构发布CWD命令可能导致应用程序意外终止或执行任意代码。 CVE-2009-2833 UCCompareTextDefault API中的缓冲区溢出可能导致应用程序意外终止或执行任意代码。 CVE-2009-2834 非特权用户可以更改附带的USB或蓝牙Apple键盘的固件。 CVE-2009-2835 内核处理任务状态段存在多个输入验证问题,可能允许本地用户导致信息泄露、系统意外关机或执行任意代码。 CVE-2009-2837 QuickDraw处理PICT图形存在堆溢出,打开恶意的PICT图形可能导致应用程序意外终止或执行任意代码。 CVE-2009-2838 QuickLook处理Microsoft Office文件存在整数溢出,下载恶意的Microsoft Office文件可能导致应用程序意外终止或执行任意代码。 CVE-2009-2839 Screen Sharing客户端存在多个内存破坏漏洞,通过打开vnc:// URL访问恶意的VNC服务器可能导致应用程序意外终止或执行任意代码。 CVE-2009-2840 Spotlight处理临时文件的方式存在不安全的文件操作,可能允许本地用户以其他用户的权限覆盖文件。 Apple Mac OS X &lt; 10.6.2 Apple MacOS X Server &lt; 10.6.2 厂商补丁: Apple ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.apple.com/support/downloads/
idSSV:12599
last seen2017-11-19
modified2009-11-10
published2009-11-10
reporterRoot
titleApple Mac OS X 2009-006更新修复多个安全漏洞

References