Vulnerabilities > CVE-2010-3786 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple mac OS X and mac OS X Server

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
apple
CWE-119
nessus

Summary

QuickLook in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Excel file.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_IWORK_9_1.NASL
    descriptionThe version of iWork 9.x installed on the remote Mac OS X host is earlier than 9.1. As such, it is potentially affected by several vulnerabilities : - A buffer overflow in iWork
    last seen2020-03-18
    modified2011-07-26
    plugin id55693
    published2011-07-26
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/55693
    titleMac OS X : iWork 9.x < 9.1 Multiple Vulnerabilities
    code
    #TRUSTED 5a5415ddcd2eeefebc6f403f05bdcf3187607a3e0d59ddd6a3c13787d5e953d86a60b58fd35425a49d2269daf99c41db5774709ea230ff3bc318a351ef1a7e4404fae7baa45c2b288ba0d18092bc68feefb643672a4e44c160b1b66743728d2f38766110d368cd65c070891e421414c0da5e2b9a89de3cde245ccd0a31eacadf039c341a0435a25f3eb37836ff51dbbf338f3322557b8c0707b41731ea81b82518a255e88ecaaca6dbbdebc91a26ce425f7a5bed77c37e995f8056489377ff7e0ab8fb970c6b8c1a8e6aed97d212a5936176f628d871113bbf2ddfc6f2adf9f8a6764559e3ce20abfd659a64a1f0f54a9c093ea5635ca3b267607e32c6923b4bce1be9c32aefc49b81afb468338aa98181405369f5406660d3a2413b79f1ad21c44f5fc3c9956a5a77a58966076be1136cf0fb703a11cfa74de4f215f832cb7b73cd9c21cda72a2bd3ccbfa1b6881503e19ae4a6bfd2721a2363d3f32aa17ab7f5d72e27beaff1bcaae545756a3a2a3c8a361b64ef8e0710936c663d8387d58a4c39b9f656324a2cef39aabf4f31dc32558e3fb91a69e70f51459fe75adbd95812119dbc7f345963cceb5ffe74f6053642e4638992cbeb69e1882b74d315bdb442d0e66658eb1a49569e7fae072da88ce0321b97e7ac4b3015bc253f5194dbd68e02e01873ddd17dba13e22741970bacaaaf642de50450e61f8a10c50bede93c
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    if (!defined_func("bn_random")) exit(0);
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(55693);
      script_version("1.8");
      script_set_attribute(attribute:"plugin_modification_date", value:"2019/09/12");
    
      script_cve_id("CVE-2010-3785", "CVE-2010-3786", "CVE-2011-1417");
      script_bugtraq_id(44799, 44812, 46832);
    
      script_name(english:"Mac OS X : iWork 9.x < 9.1 Multiple Vulnerabilities");
      script_summary(english:"Check the installed version of Numbers");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote host contains an office suite that is affected by several vulnerabilities.");
    
      script_set_attribute(
        attribute:"description",
        value:
    "The version of iWork 9.x installed on the remote Mac OS X host is earlier than 9.1. As such, it is potentially
    affected by several vulnerabilities :
    
      - A buffer overflow in iWork's handling of Excel files in
        Numbers may lead to an application crash or arbitrary 
        code execution. (CVE-2010-3785)
    
      - A memory corruption issue in iWork's handling of Excel 
        files in Numbers may lead to an application crash or 
        arbitrary code execution. (CVE-2010-3786)
    
      - A memory corruption issue in iWork's handling of 
        Microsoft Word files in Pages may lead to an 
        application crash or arbitrary code execution.
        (CVE-2011-1417)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT4830");
      # http://lists.apple.com/archives/security-announce/2011/Jul/msg00003.html 
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?84d8e8f6");
      script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/archive/1/518976/30/0/threaded");
      script_set_attribute(attribute:"solution", value:
    "Apply the iWork 9.1 Update and verify the installed version of Numbers is 2.1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2010-3785");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/11/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/07/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/07/26");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x_server");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
     
      script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
     
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version", "Host/MacOSX/packages", "Host/MacOSX/packages/boms");
    
      exit(0);
    }
    
    
    include('global_settings.inc');
    include('misc_func.inc');
    include('ssh_func.inc');
    include('macosx_func.inc');
    
    
    
    if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
      enable_ssh_wrappers();
    else disable_ssh_wrappers();
    
    if (!get_kb_item('Host/local_checks_enabled')) exit(0, 'Local checks are not enabled.');
    
    
    os = get_kb_item('Host/MacOSX/Version');
    if (!os) exit(0, 'The host does not appear to be running Mac OS X.');
    
    
    # Check list of package to ensure that iWork 9.x is installed.
    boms = get_kb_item('Host/MacOSX/packages/boms');
    packages = get_kb_item('Host/MacOSX/packages');
    if (boms)
    {
      if ('pkg.iWork09' >!< boms) exit(0, 'iWork 9.x is not installed.');
    }
    # nb: iWork up to 9.0.5 is available for 10.4 so we need to be sure we
    #     identify installs of that. The 9.1 Update does not, though, work on it.
    else if (packages)
    {
      if (!egrep(pattern:"^iWork ?09", string:packages)) exit(0, 'iWork 9.x is not installed.');
    }
    if (!boms && !packages) exit(1, 'Failed to list installed packages / boms.');
    
    
    # Check for the update or a later one.
    if (
      boms &&
      egrep(pattern:"^com\.apple\.pkg\.iWork_9[1-9][0-9]*_Update", string:boms)
    ) exit(0, 'The host has the iWork 9.1 Update or later installed and therefore is not affected.');
    
    
    # Let's make sure the version of the Numbers app indicates it's affected.
    path = '/Applications/iWork \'09/Numbers.app';
    plist = path + '/Contents/Info.plist';
    cmd =  'cat "' + plist + '" | ' +
      'grep -A 1 CFBundleShortVersionString | ' +
      'tail -n 1 | ' +
      'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\'';
    version = exec_cmd(cmd:cmd);
    if (!strlen(version)) exit(1, 'Failed to get the version of Numbers.');
    
    version = chomp(version);
    if (version !~ "^[0-9]+\.") exit(1, 'The Numbers version does not appear to be numeric (' +version+').');
    
    ver = split(version, sep:'.', keep:FALSE);
    for (i=0; i<max_index(ver); i++)
      ver[i] = int(ver[i]);
    
    if (ver[0] == 2 && ver[1] < 1)
    {
      if (report_verbosity > 0)
      {
        report = 
          '\n  Path                         : ' + path + 
          '\n  Installed version of Numbers : ' + version + 
          '\n  Fixed version of Numbers     : 2.1\n';
        security_warning(port:0, extra:report);
      }
      else security_warning(0);
    }
    else exit(0, 'The host is not affected since Numbers ' + version + ' is installed.');
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_10_6_5.NASL
    descriptionThe remote host is running a version of Mac OS X 10.6.x that is prior to 10.6.5. Mac OS X 10.6.5 contains security fixes for the following products : - AFP Server - Apache mod_perl - Apache - AppKit - ATS - CFNetwork - CoreGraphics - CoreText - CUPS - Directory Services - diskdev_cmds - Disk Images - Flash Player plug-in - gzip - Image Capture - ImageIO - Image RAW - Kernel - MySQL - neon - Networking - OpenLDAP - OpenSSL - Password Server - PHP - Printing - python - QuickLook - QuickTime - Safari RSS - Time Machine - Wiki Server - X11 - xar
    last seen2020-06-01
    modified2020-06-02
    plugin id50548
    published2010-11-10
    reporterThis script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/50548
    titleMac OS X 10.6.x < 10.6.5 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    if (!defined_func("bn_random")) exit(0);
    if (NASL_LEVEL < 3000) exit(0);
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(50548);
      script_version("1.52");
      script_cvs_date("Date: 2018/07/14  1:59:35");
    
      script_cve_id(
        "CVE-2008-4546",
        "CVE-2009-0796",
        "CVE-2009-0946",
        "CVE-2009-2473",
        "CVE-2009-2474",
        "CVE-2009-2624",
        "CVE-2009-3793",
        "CVE-2009-4134",
        "CVE-2010-0001",
        "CVE-2010-0105",
        "CVE-2010-0205",
        "CVE-2010-0209",
        "CVE-2010-0211",
        "CVE-2010-0212",
        "CVE-2010-0397",
        "CVE-2010-0408",
        "CVE-2010-0434",
        "CVE-2010-1205",
        "CVE-2010-1297",
        "CVE-2010-1378",
        "CVE-2010-1449",
        "CVE-2010-1450",
        "CVE-2010-1752",
        "CVE-2010-1803",
        "CVE-2010-1811",
        "CVE-2010-1828",
        "CVE-2010-1829",
        "CVE-2010-1830",
        "CVE-2010-1831",
        "CVE-2010-1832",
        "CVE-2010-1833",
        "CVE-2010-1834",
        "CVE-2010-1836",
        "CVE-2010-1837",
        "CVE-2010-1838",
        "CVE-2010-1840",
        "CVE-2010-1841",
        "CVE-2010-1842",
        "CVE-2010-1843",
        "CVE-2010-1844",
        "CVE-2010-1845",
        "CVE-2010-1846",
        "CVE-2010-1847",
        "CVE-2010-1848",
        "CVE-2010-1849",
        "CVE-2010-1850",
        "CVE-2010-2160",
        "CVE-2010-2161",
        "CVE-2010-2162",
        "CVE-2010-2163",
        "CVE-2010-2164",
        "CVE-2010-2165",
        "CVE-2010-2166",
        "CVE-2010-2167",
        "CVE-2010-2169",
        "CVE-2010-2170",
        "CVE-2010-2171",
        "CVE-2010-2172",
        "CVE-2010-2173",
        "CVE-2010-2174",
        "CVE-2010-2175",
        "CVE-2010-2176",
        "CVE-2010-2177",
        "CVE-2010-2178",
        "CVE-2010-2179",
        "CVE-2010-2180",
        "CVE-2010-2181",
        "CVE-2010-2182",
        "CVE-2010-2183",
        "CVE-2010-2184",
        "CVE-2010-2185",
        "CVE-2010-2186",
        "CVE-2010-2187",
        "CVE-2010-2188",
        "CVE-2010-2189",
        "CVE-2010-2213",
        "CVE-2010-2214",
        "CVE-2010-2215",
        "CVE-2010-2216",
        "CVE-2010-2249",
        "CVE-2010-2497",
        "CVE-2010-2498",
        "CVE-2010-2499",
        "CVE-2010-2500",
        "CVE-2010-2519",
        "CVE-2010-2520",
        "CVE-2010-2531",
        "CVE-2010-2805",
        "CVE-2010-2806",
        "CVE-2010-2807",
        "CVE-2010-2808",
        "CVE-2010-2884",
        "CVE-2010-2941",
        "CVE-2010-3053",
        "CVE-2010-3054",
        "CVE-2010-3636",
        "CVE-2010-3638",
        "CVE-2010-3639",
        "CVE-2010-3640",
        "CVE-2010-3641",
        "CVE-2010-3642",
        "CVE-2010-3643",
        "CVE-2010-3644",
        "CVE-2010-3645",
        "CVE-2010-3646",
        "CVE-2010-3647",
        "CVE-2010-3648",
        "CVE-2010-3649",
        "CVE-2010-3650",
        "CVE-2010-3652",
        "CVE-2010-3654",
        "CVE-2010-3783",
        "CVE-2010-3784",
        "CVE-2010-3785",
        "CVE-2010-3786",
        "CVE-2010-3787",
        "CVE-2010-3788",
        "CVE-2010-3789",
        "CVE-2010-3790",
        "CVE-2010-3791",
        "CVE-2010-3792",
        "CVE-2010-3793",
        "CVE-2010-3794",
        "CVE-2010-3795",
        "CVE-2010-3796",
        "CVE-2010-3797",
        "CVE-2010-3798",
        "CVE-2010-3976"
      );
      script_bugtraq_id(
        31537,
        34383,
        34550,
        36079,
        38478,
        38491,
        38494,
        38708,
        39658,
        40361,
        40363,
        40365,
        40586,
        40779,
        40780,
        40781,
        40782,
        40783,
        40784,
        40785,
        40786,
        40787,
        40788,
        40789,
        40790,
        40791,
        40792,
        40793,
        40794,
        40795,
        40796,
        40797,
        40798,
        40799,
        40800,
        40801,
        40802,
        40803,
        40805,
        40806,
        40807,
        40808,
        40809,
        41049,
        41174,
        41770,
        42285,
        42621,
        42624,
        44504,
        44530,
        44671,
        44784,
        44785,
        44787,
        44789,
        44790,
        44792,
        44794,
        44795,
        44796,
        44798,
        44799,
        44800,
        44802,
        44803,
        44804,
        44805,
        44806,
        44807,
        44808,
        44811,
        44812,
        44813,
        44814,
        44815,
        44816,
        44817,
        44819,
        44822,
        44828,
        44829,
        44831,
        44832,
        44833,
        44834,
        44835,
        44840
      );
    
      script_name(english:"Mac OS X 10.6.x < 10.6.5 Multiple Vulnerabilities");
      script_summary(english:"Check the version of Mac OS X");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote host is missing a Mac OS X update that fixes various
    security issues."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is running a version of Mac OS X 10.6.x that is prior
    to 10.6.5.
    
    Mac OS X 10.6.5 contains security fixes for the following products :
    
      - AFP Server
      - Apache mod_perl
      - Apache
      - AppKit
      - ATS
      - CFNetwork
      - CoreGraphics
      - CoreText
      - CUPS
      - Directory Services
      - diskdev_cmds
      - Disk Images
      - Flash Player plug-in
      - gzip
      - Image Capture
      - ImageIO
      - Image RAW
      - Kernel
      - MySQL
      - neon
      - Networking
      - OpenLDAP
      - OpenSSL
      - Password Server
      - PHP
      - Printing
      - python
      - QuickLook
      - QuickTime
      - Safari RSS
      - Time Machine
      - Wiki Server
      - X11
      - xar"
      );
      script_set_attribute(
        attribute:"see_also", 
        value:"http://support.apple.com/kb/HT4435"
      );
      script_set_attribute(
        attribute:"see_also", 
        value:"http://lists.apple.com/archives/security-announce/2010/Nov/msg00000.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Upgrade to Mac OS X 10.6.5 or later."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploithub_sku", value:"EH-11-164");
      script_set_attribute(attribute:"exploit_framework_exploithub", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Adobe Flash Player "Button" Remote Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_cwe_id(20, 79, 189, 200, 310, 399);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/11/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2010/11/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/11/10");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_end_attributes();
     
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");
     
      script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
    
     exit(0);
    }
    
    
    os = get_kb_item("Host/MacOSX/Version");
    if (!os)
    {
      os = get_kb_item("Host/OS");
      if (isnull(os)) exit(0, "The 'Host/OS' KB item is missing.");
      if ("Mac OS X" >!< os) exit(0, "The host does not appear to be running Mac OS X.");
    
      c = get_kb_item("Host/OS/Confidence");
      if (c <= 70) exit(1, "Can't determine the host's OS with sufficient confidence.");
    }
    if (!os) exit(0, "The host does not appear to be running Mac OS X.");
    
    
    if (ereg(pattern:"Mac OS X 10\.6($|\.[0-4]([^0-9]|$))", string:os)) security_hole(0);
    else exit(0, "The host is not affected as it is running "+os+".");
    

Seebug

bulletinFamilyexploit
descriptionCVE ID: CVE-2010-3786 iWork 是以Mac 方式创建文档、电子表格和演示文稿的最轻松途径。 Apple iWork在实现上存在多个安全漏洞,远程攻击者可利用这些漏洞控制用户系统。 在处理Excel文件时,iWork Numbers中存在错误,可通过特制的文件造成内存破坏。 Apple iWork 9.x 厂商补丁: Apple ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://support.apple.com/
idSSV:20773
last seen2017-11-19
modified2011-07-28
published2011-07-28
reporterRoot
titleApple iWork Numbers/Pages多个漏洞(CVE-2010-3786)