CVE-2011-1417 - Numeric Errors vulnerability in Apple iPhone OS, Mac OS X and Mac OS X Server
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Summary
Integer overflow in QuickLook, as used in Apple Mac OS X before 10.6.7 and MobileSafari in Apple iOS before 4.2.7 and 4.3.x before 4.3.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a Microsoft Office document with a crafted size field in the OfficeArtMetafileHeader, related to OfficeArtBlip, as demonstrated on the iPhone by Charlie Miller and Dion Blazakis during a Pwn2Own competition at CanSecWest 2011.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family: MacOS X Local Security Checks
NASL id: MACOSX_IWORK_9_1.NASL
description: The version of iWork 9.x installed on the remote Mac OS X host is earlier than 9.1. As such, it is potentially affected by several vulnerabilities : - A buffer overflow in iWork
last seen: 2020-03-18
modified: 2011-07-26
plugin id: 55693
published: 2011-07-26
reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/55693
title: Mac OS X : iWork 9.x < 9.1 Multiple Vulnerabilities
code:

#TRUSTED
#
# (C) Tenable Network Security, Inc.
#

if (!defined_func("bn_random")) exit(0);

include("compat.inc");

if (description)
{
  script_id(55693);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2019/09/12");

  script_cve_id("CVE-2010-3785", "CVE-2010-3786", "CVE-2011-1417");
  script_bugtraq_id(44799, 44812, 46832);

  script_name(english:"Mac OS X : iWork 9.x < 9.1 Multiple Vulnerabilities");
  script_summary(english:"Check the installed version of Numbers");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote host contains an office suite that is affected by several
vulnerabilities."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The version of iWork 9.x installed on the remote Mac OS X host is
earlier than 9.1. As such, it is potentially affected by several
vulnerabilities :

  - A buffer overflow in iWork's handling of Excel files in
    Numbers may lead to an application crash or arbitrary
    code execution. (CVE-2010-3785)

  - A memory corruption issue in iWork's handling of Excel
    files in Numbers may lead to an application crash or
    arbitrary code execution. (CVE-2010-3786)

  - A memory corruption issue in iWork's handling of
    Microsoft Word files in Pages may lead to an application
    crash or arbitrary code execution. (CVE-2011-1417)

Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number."
  );
  script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT4830");
  # http://lists.apple.com/archives/security-announce/2011/Jul/msg00003.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?84d8e8f6");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/archive/1/518976/30/0/threaded");
  script_set_attribute(attribute:"solution", value:
"Apply the iWork 9.1 Update and verify the installed version of Numbers
is 2.1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2010-3785");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/11/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/07/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/07/26");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version", "Host/MacOSX/packages", "Host/MacOSX/packages/boms");

  exit(0);
}

include('global_settings.inc');
include('misc_func.inc');
include('ssh_func.inc');
include('macosx_func.inc');

if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
  enable_ssh_wrappers();
else disable_ssh_wrappers();

if (!get_kb_item('Host/local_checks_enabled')) exit(0, 'Local checks are not enabled.');

os = get_kb_item('Host/MacOSX/Version');
if (!os) exit(0, 'The host does not appear to be running Mac OS X.');

# Check list of package to ensure that iWork 9.x is installed.
boms = get_kb_item('Host/MacOSX/packages/boms');
packages = get_kb_item('Host/MacOSX/packages');

if (boms)
{
  if ('pkg.iWork09' >!< boms) exit(0, 'iWork 9.x is not installed.');
}
# nb: iWork up to 9.0.5 is available for 10.4 so we need to be sure we
#     identify installs of that. The 9.1 Update does not, though, work on it.
else if (packages)
{
  if (!egrep(pattern:"^iWork ?09", string:packages)) exit(0, 'iWork 9.x is not installed.');
}
if (!boms && !packages) exit(1, 'Failed to list installed packages / boms.');

# Check for the update or a later one.
if (
  boms &&
  egrep(pattern:"^com\.apple\.pkg\.iWork_9[1-9][0-9]*_Update", string:boms)
) exit(0, 'The host has the iWork 9.1 Update or later installed and therefore is not affected.');

# Let's make sure the version of the Numbers app indicates it's affected.
path = '/Applications/iWork \'09/Numbers.app';
plist = path + '/Contents/Info.plist';
cmd =
  'cat "' + plist + '" | ' +
  'grep -A 1 CFBundleShortVersionString | ' +
  'tail -n 1 | ' +
  'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\'';
version = exec_cmd(cmd:cmd);
if (!strlen(version)) exit(1, 'Failed to get the version of Numbers.');

version = chomp(version);
if (version !~ "^[0-9]+\.") exit(1, 'The Numbers version does not appear to be numeric (' +version+').');

ver = split(version, sep:'.', keep:FALSE);
for (i=0; i<max_index(ver); i++)
  ver[i] = int(ver[i]);

if (ver[0] == 2 && ver[1] < 1)
{
  if (report_verbosity > 0)
  {
    report =
      '\n  Path                         : ' + path +
      '\n  Installed version of Numbers : ' + version +
      '\n  Fixed version of Numbers     : 2.1\n';
    security_warning(port:0, extra:report);
  }
  else security_warning(0);
}
else exit(0, 'The host is not affected since Numbers ' + version + ' is installed.');
NASL family: MacOS X Local Security Checks
NASL id: MACOSX_10_6_7.NASL
description: The remote host is running a version of Mac OS X 10.6.x that is prior to 10.6.7. Mac OS X 10.6.7 contains security fixes for the following products : AirPort, Apache, AppleScript, ATS, bzip2, CarbonCore, ClamAV, CoreText, File Quarantine, HFS, ImageIO, Image RAW, Installer, Kerberos, Kernel, Libinfo, libxml, Mailman, PHP, QuickLook, QuickTime, Ruby, Samba, Subversion, Terminal, X11
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 52754
published: 2011-03-22
reporter: This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/52754
title: Mac OS X 10.6.x < 10.6.7 Multiple Vulnerabilities
code:

#
# (C) Tenable Network Security, Inc.
#

if (!defined_func("bn_random")) exit(0);
if (NASL_LEVEL < 3000) exit(0);  # Avoid problems with large number of xrefs.

include("compat.inc");

if (description)
{
  script_id(52754);
  script_version("1.33");
  script_cvs_date("Date: 2018/08/22 16:49:14");

  script_cve_id(
    "CVE-2006-7243", "CVE-2010-0405", "CVE-2010-1323", "CVE-2010-1324",
    "CVE-2010-1452", "CVE-2010-2068", "CVE-2010-2950", "CVE-2010-3069",
    "CVE-2010-3089", "CVE-2010-3315", "CVE-2010-3434", "CVE-2010-3709",
    "CVE-2010-3710", "CVE-2010-3801", "CVE-2010-3802", "CVE-2010-3814",
    "CVE-2010-3855", "CVE-2010-3870", "CVE-2010-4008", "CVE-2010-4009",
    "CVE-2010-4020", "CVE-2010-4021", "CVE-2010-4150", "CVE-2010-4260",
    "CVE-2010-4261", "CVE-2010-4409", "CVE-2010-4479", "CVE-2010-4494",
    "CVE-2011-0170", "CVE-2011-0172", "CVE-2011-0173", "CVE-2011-0174",
    "CVE-2011-0175", "CVE-2011-0176", "CVE-2011-0177", "CVE-2011-0178",
    "CVE-2011-0179", "CVE-2011-0180", "CVE-2011-0181", "CVE-2011-0182",
    "CVE-2011-0183", "CVE-2011-0184", "CVE-2011-0186", "CVE-2011-0187",
    "CVE-2011-0188", "CVE-2011-0189", "CVE-2011-0190", "CVE-2011-0191",
    "CVE-2011-0192", "CVE-2011-0193", "CVE-2011-0194", "CVE-2011-1417"
  );
  script_bugtraq_id(
    40827, 43212, 43555, 43926, 44214, 44605, 44643, 44718, 44779, 44980,
    45116, 45117, 45118, 45119, 45122, 45152, 46832, 46965, 46966, 46971,
    46972, 46973, 46982, 46984, 46987, 46988, 46989, 46990, 46991, 46992,
    46993, 46994, 46995, 46996, 46997, 47023
  );
  script_xref(name:"EDB-ID", value:"17901");
  script_xref(name:"IAVB", value:"2010-B-0083");

  script_name(english:"Mac OS X 10.6.x < 10.6.7 Multiple Vulnerabilities");
  script_summary(english:"Check the version of Mac OS X");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote host is missing a Mac OS X update that fixes several
security issues."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is running a version of Mac OS X 10.6.x that is prior
to 10.6.7. Mac OS X 10.6.7 contains security fixes for the following
products :

  - AirPort
  - Apache
  - AppleScript
  - ATS
  - bzip2
  - CarbonCore
  - ClamAV
  - CoreText
  - File Quarantine
  - HFS
  - ImageIO
  - Image RAW
  - Installer
  - Kerberos
  - Kernel
  - Libinfo
  - libxml
  - Mailman
  - PHP
  - QuickLook
  - QuickTime
  - Ruby
  - Samba
  - Subversion
  - Terminal
  - X11"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.apple.com/kb/HT4581"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://lists.apple.com/archives/security-announce/2011/Mar/msg00006.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Upgrade to Mac OS X 10.6.7 or later."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/03/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/03/22");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");

  exit(0);
}

os = get_kb_item("Host/MacOSX/Version");
if (!os)
{
  os = get_kb_item("Host/OS");
  if (isnull(os)) exit(0, "The 'Host/OS' KB item is missing.");
  if ("Mac OS X" >!< os) exit(0, "The host does not appear to be running Mac OS X.");

  c = get_kb_item("Host/OS/Confidence");
  if (c <= 70) exit(1, "Can't determine the host's OS with sufficient confidence.");
}
if (!os) exit(0, "The host does not appear to be running Mac OS X.");

if (ereg(pattern:"Mac OS X 10\.6($|\.[0-6]([^0-9]|$))", string:os)) security_hole(0);
else exit(0, "The host is not affected as it is running "+os+".");
NASL family: MacOS X Local Security Checks
NASL id: MACOSX_SECUPD2011-001.NASL
description: The remote host is running a version of Mac OS X 10.5 that does not have Security Update 2011-001 applied. This security update contains fixes for the following products : Apache, bzip2, ClamAV, ImageIO, Kerberos, Libinfo, libxml, Mailman, PHP, QuickLook, Ruby, X11
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 52753
published: 2011-03-22
reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/52753
title: Mac OS X Multiple Vulnerabilities (Security Update 2011-001)
code:

#
# (C) Tenable Network Security, Inc.
#

if (!defined_func("bn_random")) exit(0);
if (NASL_LEVEL < 3000) exit(0);  # Avoid problems with large number of xrefs.

include("compat.inc");

if (description)
{
  script_id(52753);
  script_version("1.23");
  script_cvs_date("Date: 2018/07/14 1:59:35");

  script_cve_id(
    "CVE-2010-0405", "CVE-2010-1323", "CVE-2010-1452", "CVE-2010-2068",
    "CVE-2010-3089", "CVE-2010-3434", "CVE-2010-3436", "CVE-2010-3709",
    "CVE-2010-3814", "CVE-2010-3855", "CVE-2010-4008", "CVE-2010-4150",
    "CVE-2010-4260", "CVE-2010-4261", "CVE-2010-4479", "CVE-2011-0170",
    "CVE-2011-0181", "CVE-2011-0183", "CVE-2011-0188", "CVE-2011-0191",
    "CVE-2011-0192", "CVE-2011-1417"
  );
  script_bugtraq_id(
    40827, 43555, 44214, 44643, 44718, 44723, 44779, 44980, 45118, 45152,
    46832, 46966, 46990, 46996
  );
  script_xref(name:"IAVB", value:"2010-B-0083");

  script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2011-001)");
  script_summary(english:"Check for the presence of Security Update 2011-001");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote host is missing a Mac OS X update that fixes several
security issues."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is running a version of Mac OS X 10.5 that does not
have Security Update 2011-001 applied. This security update contains
fixes for the following products :

  - Apache
  - bzip2
  - ClamAV
  - ImageIO
  - Kerberos
  - Libinfo
  - libxml
  - Mailman
  - PHP
  - QuickLook
  - Ruby
  - X11"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.apple.com/kb/HT4581"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://lists.apple.com/archives/security-announce/2011/Mar/msg00006.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Install Security Update 2011-001 or later."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/06/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/03/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/03/22");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/MacOSX/packages", "Host/uname");

  exit(0);
}

uname = get_kb_item("Host/uname");
if (!uname) exit(0, "The 'Host/uname' KB item is missing.");

pat = "^.+Darwin.* ([0-9]+\.[0-9.]+).*$";
if (!ereg(pattern:pat, string:uname)) exit(0, "Can't identify the Darwin kernel version from the uname output ("+uname+").");

darwin = ereg_replace(pattern:pat, replace:"\1", string:uname);
if (ereg(pattern:"^9\.[0-8]\.", string:darwin))
{
  packages = get_kb_item("Host/MacOSX/packages/boms");
  if (!packages) exit(1, "The 'Host/MacOSX/packages/boms' KB item is missing.");

  if (egrep(pattern:"^com\.apple\.pkg\.update\.security\.(2011\.00[1-9]|201[2-9]\.[0-9]+)(\.leopard)?\.bom", string:packages))
    exit(0, "The host has Security Update 2011-001 or later installed and therefore is not affected.");
  else
    security_hole(0);
}
else exit(0, "The host is running Darwin kernel version "+darwin+" and therefore is not affected.");
Seebug
bulletinFamily: exploit
description:
BUGTRAQ ID: 46832
CVE ID: CVE-2011-1417

Safari is the browser in Apple's latest operating system, Mac OS X; it uses KDE's KHTML as its rendering core.

Apple Mobile Safari for iOS 4.2.1 contains a remote code execution vulnerability. A remote attacker can exploit it to execute arbitrary code in the browser or cause a denial of service.

The flaw lies in the support for parsing Office files. When handling an OfficeArtMetafileHeader, the process trusts the cbSize field and performs arithmetic on it before allocating. The result is not checked for overflow, so the subsequent allocation is too small. When data is later copied into this buffer, memory is corrupted, which can lead to arbitrary code execution.

Apple MacOS X Server 10.x
Apple iOS

Vendor patch:
Apple
-----
The vendor has released an update that fixes this security issue; download it from the vendor's homepage:
http://support.apple.com/

id: SSV:20500
last seen: 2017-11-19
modified: 2011-04-24
published: 2011-04-24
reporter: Root
title: Apple Mobile Safari for iOS 4.2.1 Remote Code Execution Vulnerability

bulletinFamily: exploit
description:
CVE ID: CVE-2011-1417

iWork is the easiest way to create documents, spreadsheets and presentations the Mac way.

Apple iWork contains multiple security vulnerabilities. A remote attacker can exploit them to take control of a user's system.

When handling Microsoft Word files, an error in iWork Pages allows a specially crafted file to cause memory corruption.

Apple iWork 9.x

Vendor patch:
Apple
-----
The vendor has released an update that fixes this security issue; download it from the vendor's homepage:
http://support.apple.com/

id: SSV:20772
last seen: 2017-11-19
modified: 2011-07-28
published: 2011-07-28
reporter: Root
title: Apple iWork Numbers/Pages Multiple Vulnerabilities (CVE-2011-1417)

bulletinFamily: exploit
description:
CVE ID: CVE-2011-1417

Safari is the browser in Apple's latest operating system, Mac OS X; it uses KDE's KHTML as its rendering core.

Apple Safari contains a remote code execution vulnerability in OfficeArtBlip parsing. A remote attacker can exploit it to execute arbitrary code in the affected application.

The flaw lies in the support for parsing Office files. When handling an OfficeArtMetafileHeader, the process trusts the cbSize field and performs arithmetic on it before allocating. Because the result is not checked for overflow, the subsequent allocation is undersized. When data is copied into this buffer, memory is corrupted, which can lead to arbitrary code execution with the privileges of the current user.

Apple Safari

Vendor patch:
Apple
-----
The vendor has released an update that fixes this security issue; download it from the vendor's homepage:
http://www.apple.com
http://support.apple.com/kb/HT4581

id: SSV:20414
last seen: 2017-11-19
modified: 2011-03-29
published: 2011-03-29
reporter: Root
title: Apple Safari OfficeArtBlip Parsing Remote Code Execution Vulnerability
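The allocation pattern the Seebug entries describe (a size field trusted and used in arithmetic before the allocation, with no overflow check) as an added C example; this is not QuickLook's, Safari's or iWork's code, and the record layout, the HDR_EXTRA constant, the sample bytes and every function name are assumptions made here, with only the cbSize field name taken from the page. The unchecked computation is shown beside a checked one that rejects a size that would wrap or that exceeds the bytes actually present.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record: 32-bit little-endian cbSize, then the payload. The
 * layout and HDR_EXTRA are assumptions, not the real OfficeArtMetafileHeader. */
#define HDR_EXTRA 16u   /* assumed bookkeeping bytes added to the allocation */

/* Vulnerable pattern: the sum is computed in 32 bits with no check, so a cbSize
 * near UINT32_MAX wraps to a tiny allocation while the later copy uses cbSize. */
uint32_t alloc_size_unchecked(uint32_t cbSize)
{
    return cbSize + HDR_EXTRA;   /* wraps modulo 2^32; nothing is allocated here */
}

/* Hardened pattern: reject a cbSize that would wrap the sum or that exceeds
 * the bytes actually present. Returns the allocation size, or 0 to reject. */
uint32_t alloc_size_checked(uint32_t cbSize, size_t available)
{
    if (cbSize > UINT32_MAX - HDR_EXTRA) return 0;   /* sum would wrap */
    if (cbSize > available) return 0;                /* declared > actual */
    return cbSize + HDR_EXTRA;
}

/* Copy the payload into a buffer sized by the checked computation.
 * Returns the buffer (caller frees) or NULL if the record is rejected. */
unsigned char *parse_record(const unsigned char *buf, size_t len, uint32_t *payload_len)
{
    if (len < 4) return NULL;
    uint32_t cbSize = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                      ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    uint32_t need = alloc_size_checked(cbSize, len - 4);
    if (need == 0) return NULL;
    unsigned char *dst = calloc(need, 1);
    if (dst == NULL) return NULL;
    memcpy(dst, buf + 4, cbSize);   /* bounded: cbSize <= len - 4 */
    *payload_len = cbSize;
    return dst;
}

/* Constructed samples: an honest 4-byte payload, and a header declaring
 * 0xFFFFFFF8 bytes so that the unchecked sum wraps to 8. */
const unsigned char SAMPLE_GOOD[] = {4, 0, 0, 0, 'A', 'B', 'C', 'D'};
const unsigned char SAMPLE_BAD[]  = {0xF8, 0xFF, 0xFF, 0xFF, 'A', 'B', 'C', 'D'};

int record_accepted(const unsigned char *buf, size_t len)
{
    uint32_t n = 0;
    unsigned char *p = parse_record(buf, len, &n);
    int ok = (p != NULL);
    free(p);
    return ok;
}

int main(void) { return record_accepted(SAMPLE_GOOD, 8) && !record_accepted(SAMPLE_BAD, 8) ? 0 : 1; }
```

The unchecked sum for the constructed bad header is 8 bytes while the later copy would still use the declared 0xFFFFFFF8, which is the undersized-allocation-then-overflow sequence the entries describe; the checked path rejects that record before anything is allocated.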
References
- http://dvlabs.tippingpoint.com/blog/2011/02/02/pwn2own-2011
- http://lists.apple.com/archives/security-announce/2011//Apr/msg00000.html
- http://lists.apple.com/archives/security-announce/2011//Apr/msg00001.html
- http://lists.apple.com/archives/Security-announce/2011//Oct/msg00005.html
- http://lists.apple.com/archives/security-announce/2011/Mar/msg00006.html
- http://secunia.com/advisories/44154
- http://support.apple.com/kb/HT4581
- http://support.apple.com/kb/HT4607
- http://support.apple.com/kb/HT5003
- http://www.zdnet.com/blog/security/charlie-miller-wins-pwn2own-again-with-iphone-4-exploit/8378
- http://www.zerodayinitiative.com/advisories/ZDI-11-109/