Vulnerabilities > CVE-2013-5135 - USE of Externally-Controlled Format String vulnerability in Apple Remote Desktop and mac OS X
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Format string vulnerability in Screen Sharing Server in Apple Mac OS X before 10.9 and Apple Remote Desktop before 3.5.4 allows remote attackers to execute arbitrary code via format string specifiers in a VNC username.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Format String Injection An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An attacker can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
- String Format Overflow in syslog() This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
Nessus
NASL family MacOS X Local Security Checks NASL id MACOSX_REMOTE_DESKTOP_3_7.NASL description According to its version, the Apple Remote Desktop install on the remote host is earlier than 3.5.4 / 3.7. As such, it is potentially affected the following vulnerabilities : - A format string vulnerability exists in Remote Desktop last seen 2020-06-01 modified 2020-06-02 plugin id 70609 published 2013-10-25 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/70609 title Apple Remote Desktop < 3.5.4 / 3.7 Multiple Vulnerabilities (Mac OS X) code #TRUSTED 4c97c669334f1f0219376afc15431d613ca8bf94323a7f236f47f421b7bc19b5ba5c7567266f71565c74e6e3679a4e15f4ef9e07264a9089a6fde91473e07c38b62cac1e0772a08ad859de1f61c51864f2d721b8b16ed69f9a7ac8905ded2888e7fd9b4b4b9ac0c3bf9cf878ddc51e2cabcaa9550e4d38d3dedf88040a47e5a74c89a471bae53d76574f2d76db3c217f35d8a9728ed2fd8d82eda11ea4ed49a977f834ed12bfcd9fb07c09441e6d51357012633fb2ff5fb09ab67e47bcd2d30867ff782f14df46b6b7eadeeb11a3995a594d62543aeb49b7eca3d6b19d156f29e1945ded26b420d18a243e14c20e74407dcafa812f9ae77094fda1076b14624aa7c52058d0b0114ca4ab7241660d85383602a5d54144e6338162a760a3f64217605505906aa2fae6a00070918d1a98d134aa4ed8209f5434a43b9d803be5d923ca6b7454d19c3ee12ddfa40090e4c445d299b4c66f24e899517d014e05db5d78c110146dfec050751082f6b1df4ae51d01edac211e55687d9c97ab77d6932ec0292eef6e1c9a088370aedd68152fee2bbe2b3f3fd7d7eb2773f9e4e121294fa2b05e9de9803c32a7e648d4ba3d8957ccfb3576cc49a84f5e29e19f1612ad606e0838bb60b9fe9cde09d7f3930e4359b0d68823a1315a11977ce5a90c997702c674ea00f1ba1bce8e271308c523d1de6952275b4556675d07226a845a7c2dbb49 # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(70609); script_version("1.8"); script_cvs_date("Date: 2019/11/27"); script_cve_id("CVE-2013-5135", "CVE-2013-5136", "CVE-2013-5229"); script_bugtraq_id(63284, 63286); script_xref(name:"APPLE-SA", value:"APPLE-SA-2013-10-22-6"); script_xref(name:"APPLE-SA", value:"APPLE-SA-2013-10-22-7"); script_name(english:"Apple Remote Desktop < 3.5.4 / 3.7 Multiple Vulnerabilities (Mac OS X)"); script_summary(english:"Reads version from Info.plist"); script_set_attribute(attribute:"synopsis", value: "The Mac OS X host has a remote management application that is potentially affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its version, the Apple Remote Desktop install on the remote host is earlier than 3.5.4 / 3.7. As such, it is potentially affected the following vulnerabilities : - A format string vulnerability exists in Remote Desktop's handling of a VNC username. (CVE-2013-5135) - An information disclosure vulnerability exists because Remote Desktop may use password authentication without warning that the connection would be encrypted if a third-party VNC server supports certain authentication types. Note that this does not affect installs of version 3.5.x or earlier. (CVE_2013-5136) - An authentication bypass vulnerability exists due to a flaw in the full-screen feature that is triggered when handling text entered in the dialog box upon recovering from sleep mode with a remote connection alive. A local attacker can exploit this to bypass intended access restrictions. (CVE-2013-5229)"); script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT5997"); script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT5998"); script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2013/Oct/msg00007.html"); script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2013/Oct/msg00008.html"); script_set_attribute(attribute:"solution", value: "Upgrade to Apple Remote Desktop 3.5.4 / 3.7 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-5135"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/10/22"); script_set_attribute(attribute:"patch_publication_date", value:"2013/10/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/10/25"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:apple_remote_desktop"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("ssh_func.inc"); include("macosx_func.inc"); if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS) enable_ssh_wrappers(); else disable_ssh_wrappers(); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/MacOSX/Version"))audit(AUDIT_HOST_NOT, "running Mac OS X"); plist = '/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Info.plist'; cmd = 'plutil -convert xml1 -o - \'' + plist + '\' | ' + 'grep -A 1 CFBundleShortVersionString | ' + 'tail -n 1 | ' + 'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\''; version = exec_cmd(cmd:cmd); if (!strlen(version)) audit(AUDIT_NOT_INST, "Apple Remote Desktop Client"); if (version !~ "^[0-9]") exit(1, "The version does not look valid (" + version + ")."); if ( ereg(pattern:"^3\.[0-4]($|[^0-9])", string:version) || ereg(pattern:"^3\.5\.[0-3]($|[^0-9])", string:version) || ereg(pattern:"^3\.6(\.[0-9])?($|[^0-9.])", string:version) ) { if (report_verbosity > 0) { report = '\n Installed version : ' + version + '\n Fixed version : 3.5.4 / 3.7' + '\n'; security_hole(port:0, extra:report); } else security_hole(0); exit(0); } else audit(AUDIT_INST_VER_NOT_VULN, "Apple Remote Desktop Client", version);NASL family MacOS X Local Security Checks NASL id MACOSX_10_9.NASL description The remote host is running a version of Mac OS X 10.x that is prior to version 10.9. The newer version contains multiple security-related fixes for the following components : - Application Firewall - App Sandbox - Bluetooth - CFNetwork - CFNetwork SSL - Console - CoreGraphics - curl - dyld - IOKitUser - IOSerialFamily - Kernel - Kext Management - LaunchServices - Libc - Mail Accounts - Mail Header Display - Mail Networking - OpenLDAP - perl - Power Management - python - ruby - Security - Security - Authorization - Security - Smart Card Services - Screen Lock - Screen Sharing Server - syslog - USB last seen 2020-06-01 modified 2020-06-02 plugin id 70561 published 2013-10-23 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/70561 title Mac OS X 10.x < 10.9 Multiple Vulnerabilities (BEAST) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(70561); script_version("1.11"); script_cvs_date("Date: 2018/07/14 1:59:36"); script_cve_id( "CVE-2011-2391", "CVE-2011-3389", "CVE-2011-3427", "CVE-2011-4944", "CVE-2012-0845", "CVE-2012-0876", "CVE-2012-1150", "CVE-2013-0249", "CVE-2013-1667", "CVE-2013-1944", "CVE-2013-3950", "CVE-2013-3954", "CVE-2013-4073", "CVE-2013-5135", "CVE-2013-5138", "CVE-2013-5139", "CVE-2013-5141", "CVE-2013-5142", "CVE-2013-5145", "CVE-2013-5165", "CVE-2013-5166", "CVE-2013-5167", "CVE-2013-5168", "CVE-2013-5169", "CVE-2013-5170", "CVE-2013-5171", "CVE-2013-5172", "CVE-2013-5173", "CVE-2013-5174", "CVE-2013-5175", "CVE-2013-5176", "CVE-2013-5177", "CVE-2013-5178", "CVE-2013-5179", "CVE-2013-5180", "CVE-2013-5181", "CVE-2013-5182", "CVE-2013-5183", "CVE-2013-5184", "CVE-2013-5185", "CVE-2013-5186", "CVE-2013-5187", "CVE-2013-5188", "CVE-2013-5189", "CVE-2013-5190", "CVE-2013-5191", "CVE-2013-5192", "CVE-2013-5229" ); script_bugtraq_id( 49778, 51239, 51996, 52379, 52732, 57842, 58311, 59058, 60437, 60444, 60843, 62520, 62522, 62523, 62529, 62531, 62536, 63284, 63290, 63311, 63312, 63313, 63314, 63316, 63317, 63319, 63320, 63321, 63322, 63329, 63330, 63331, 63332, 63335, 63336, 63339, 63343, 63344, 63345, 63346, 63347, 63348, 63349, 63350, 63351, 63352, 63353 ); script_xref(name:"APPLE-SA", value:"APPLE-SA-2013-10-22-3"); script_xref(name:"CERT", value:"864643"); script_name(english:"Mac OS X 10.x < 10.9 Multiple Vulnerabilities (BEAST)"); script_summary(english:"Check the version of Mac OS X."); script_set_attribute( attribute:"synopsis", value: "The remote host is missing a Mac OS X update that fixes multiple security vulnerabilities." ); script_set_attribute( attribute:"description", value: "The remote host is running a version of Mac OS X 10.x that is prior to version 10.9. The newer version contains multiple security-related fixes for the following components : - Application Firewall - App Sandbox - Bluetooth - CFNetwork - CFNetwork SSL - Console - CoreGraphics - curl - dyld - IOKitUser - IOSerialFamily - Kernel - Kext Management - LaunchServices - Libc - Mail Accounts - Mail Header Display - Mail Networking - OpenLDAP - perl - Power Management - python - ruby - Security - Security - Authorization - Security - Smart Card Services - Screen Lock - Screen Sharing Server - syslog - USB" ); script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT6011"); script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html"); script_set_attribute(attribute:"see_also", value:"https://www.imperialviolet.org/2011/09/23/chromeandbeast.html"); script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/~bodo/tls-cbc.txt"); script_set_attribute(attribute:"solution", value:"Upgrade to Mac OS X 10.9 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/08/31"); script_set_attribute(attribute:"patch_publication_date", value:"2013/10/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/10/23"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x"); script_set_attribute(attribute:"in_the_news", value:"true"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc."); script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl"); script_require_ports("Host/MacOSX/Version", "Host/OS"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); os = get_kb_item("Host/MacOSX/Version"); if (!os) { os = get_kb_item_or_exit("Host/OS"); if ("Mac OS X" >!< os) audit(AUDIT_OS_NOT, "Mac OS X"); c = get_kb_item("Host/OS/Confidence"); if (c <= 70) exit(1, "Can't determine the host's OS with sufficient confidence."); } if (!os) audit(AUDIT_OS_NOT, "Mac OS X"); match = eregmatch(pattern:"Mac OS X (10\.[0-9.]+)", string:os); if (!isnull(match)) { version = match[1]; fixed_version = "10.9"; if (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1) { if (report_verbosity > 0) { report = '\n Installed version : ' + version + '\n Fixed version : ' + fixed_version + '\n'; security_hole(port:0, extra:report); } else security_hole(0); exit(0); } } exit(0, "The host is not affected as it is running "+os+".");