Vulnerabilities > CVE-2013-5229 - 7PK - Security Features vulnerability in Apple mac OS X
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Summary
The Remote Desktop full-screen feature in Apple OS X before 10.9 and Apple Remote Desktop before 3.7 sends dialog-box text to a connected remote host upon being woken from sleep, which allows physically proximate attackers to bypass intended access restrictions by entering a command in this box.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family MacOS X Local Security Checks NASL id MACOSX_REMOTE_DESKTOP_3_7.NASL description According to its version, the Apple Remote Desktop install on the remote host is earlier than 3.5.4 / 3.7. As such, it is potentially affected the following vulnerabilities : - A format string vulnerability exists in Remote Desktop last seen 2020-06-01 modified 2020-06-02 plugin id 70609 published 2013-10-25 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/70609 title Apple Remote Desktop < 3.5.4 / 3.7 Multiple Vulnerabilities (Mac OS X) code #TRUSTED 4c97c669334f1f0219376afc15431d613ca8bf94323a7f236f47f421b7bc19b5ba5c7567266f71565c74e6e3679a4e15f4ef9e07264a9089a6fde91473e07c38b62cac1e0772a08ad859de1f61c51864f2d721b8b16ed69f9a7ac8905ded2888e7fd9b4b4b9ac0c3bf9cf878ddc51e2cabcaa9550e4d38d3dedf88040a47e5a74c89a471bae53d76574f2d76db3c217f35d8a9728ed2fd8d82eda11ea4ed49a977f834ed12bfcd9fb07c09441e6d51357012633fb2ff5fb09ab67e47bcd2d30867ff782f14df46b6b7eadeeb11a3995a594d62543aeb49b7eca3d6b19d156f29e1945ded26b420d18a243e14c20e74407dcafa812f9ae77094fda1076b14624aa7c52058d0b0114ca4ab7241660d85383602a5d54144e6338162a760a3f64217605505906aa2fae6a00070918d1a98d134aa4ed8209f5434a43b9d803be5d923ca6b7454d19c3ee12ddfa40090e4c445d299b4c66f24e899517d014e05db5d78c110146dfec050751082f6b1df4ae51d01edac211e55687d9c97ab77d6932ec0292eef6e1c9a088370aedd68152fee2bbe2b3f3fd7d7eb2773f9e4e121294fa2b05e9de9803c32a7e648d4ba3d8957ccfb3576cc49a84f5e29e19f1612ad606e0838bb60b9fe9cde09d7f3930e4359b0d68823a1315a11977ce5a90c997702c674ea00f1ba1bce8e271308c523d1de6952275b4556675d07226a845a7c2dbb49 # # (C) Tenable Network Security, Inc. 
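#

# Version-based local check for Apple Remote Desktop (ARD) on Mac OS X.
# It reads the AppleVNCServer bundle version over the local-check channel and
# flags installs older than 3.5.4 (3.5 branch) or 3.7. It does not exercise
# any of the listed flaws, so a finding means "version is in the affected
# range", not "exploitation was confirmed".
#
# NOTE(review): the listing carries a #TRUSTED line above this header,
# presumably a signature over the script text. Any edit to the body,
# including the ones marked below, would no longer match it.

include("compat.inc");

# Registration block: Nessus evaluates this when it is only collecting plugin
# metadata; the block ends with exit(0), so no host check runs from here.
if (description)
{
  script_id(70609);
  script_version("1.8");
  script_cvs_date("Date: 2019/11/27");

  script_cve_id("CVE-2013-5135", "CVE-2013-5136", "CVE-2013-5229");
  script_bugtraq_id(63284, 63286);
  script_xref(name:"APPLE-SA", value:"APPLE-SA-2013-10-22-6");
  script_xref(name:"APPLE-SA", value:"APPLE-SA-2013-10-22-7");

  script_name(english:"Apple Remote Desktop < 3.5.4 / 3.7 Multiple Vulnerabilities (Mac OS X)");
  script_summary(english:"Reads version from Info.plist");

  script_set_attribute(attribute:"synopsis", value: "The Mac OS X host has a remote management application that is potentially affected by multiple vulnerabilities.");
  # Fixed: the second bullet used the malformed reference "CVE_2013-5136",
  # which does not match the id registered in script_cve_id() above.
  # NOTE(review): "without warning that the connection would be encrypted"
  # reads as if it should say "unencrypted" (the bullet describes an
  # information disclosure). Left as published; confirm against
  # APPLE-SA-2013-10-22-7 before changing the report text.
  script_set_attribute(attribute:"description", value: "According to its version, the Apple Remote Desktop install on the remote host is earlier than 3.5.4 / 3.7. As such, it is potentially affected the following vulnerabilities : - A format string vulnerability exists in Remote Desktop's handling of a VNC username. (CVE-2013-5135) - An information disclosure vulnerability exists because Remote Desktop may use password authentication without warning that the connection would be encrypted if a third-party VNC server supports certain authentication types. Note that this does not affect installs of version 3.5.x or earlier. (CVE-2013-5136) - An authentication bypass vulnerability exists due to a flaw in the full-screen feature that is triggered when handling text entered in the dialog box upon recovering from sleep mode with a remote connection alive. A local attacker can exploit this to bypass intended access restrictions. (CVE-2013-5229)");
  script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT5997");
  script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT5998");
  script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2013/Oct/msg00007.html");
  script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2013/Oct/msg00008.html");
  script_set_attribute(attribute:"solution", value: "Upgrade to Apple Remote Desktop 3.5.4 / 3.7 or later.");
  # The base vector below is scored for CVE-2013-5135 (see cvss_score_source).
  # It is network-reachable (AV:N) and does not describe CVE-2013-5229, which
  # the description above attributes to a local attacker.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-5135");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/10/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/10/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/10/25");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:apple_remote_desktop");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("ssh_func.inc");
include("macosx_func.inc");

# Choose the SSH wrapper mode according to what the SSH library reports.
if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
  enable_ssh_wrappers();
else disable_ssh_wrappers();

# Both knowledge-base items must be present: local checks enabled and a
# recorded Mac OS X version. Otherwise the plugin audits out.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/MacOSX/Version"))audit(AUDIT_HOST_NOT, "running Mac OS X");

# The command is built only from constants (a fixed bundle path and fixed
# filters), so no scanned-host data is interpolated into the shell line.
plist = '/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Info.plist';
cmd =
  'plutil -convert xml1 -o - \'' + plist + '\' | ' +
  'grep -A 1 CFBundleShortVersionString | ' +
  'tail -n 1 | ' +
  'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\'';
version = exec_cmd(cmd:cmd);

# Empty output is treated as "client not installed". Anything that does not
# start with a digit is rejected rather than compared.
if (!strlen(version)) audit(AUDIT_NOT_INST, "Apple Remote Desktop Client");
if (version !~ "^[0-9]") exit(1, "The version does not look valid (" + version + ").");

# Affected ranges: 3.0-3.4.x, 3.5-3.5.3 and 3.6.x.
# Fixed: the 3.5 pattern required a third component ("^3\.5\.[0-3]"), so a
# bare "3.5" was reported as not vulnerable even though it is below 3.5.4.
# The bare "3.4" and "3.6" forms were already matched by their patterns.
# The new pattern accepts "3.5" as well as "3.5.0" through "3.5.3" and still
# rejects "3.5.4" and "3.50".
if (
  ereg(pattern:"^3\.[0-4]($|[^0-9])", string:version) ||
  ereg(pattern:"^3\.5($|[^0-9.]|\.[0-3]($|[^0-9]))", string:version) ||
  ereg(pattern:"^3\.6(\.[0-9])?($|[^0-9.])", string:version)
)
{
  if (report_verbosity > 0)
  {
    report =
      '\n Installed version : ' + version +
      '\n Fixed version : 3.5.4 / 3.7' +
      '\n';
    security_hole(port:0, extra:report);
  }
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_INST_VER_NOT_VULN, "Apple Remote Desktop Client", version);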
# Plugin record as listed on the page:
#   NASL family : MacOS X Local Security Checks
#   NASL id     : MACOSX_10_9.NASL
#   description : The remote host is running a version of Mac OS X 10.x that is prior to version 10.9. The newer version contains multiple security-related fixes for the following components : - Application Firewall - App Sandbox - Bluetooth - CFNetwork - CFNetwork SSL - Console - CoreGraphics - curl - dyld - IOKitUser - IOSerialFamily - Kernel - Kext Management - LaunchServices - Libc - Mail Accounts - Mail Header Display - Mail Networking - OpenLDAP - perl - Power Management - python - ruby - Security - Security - Authorization - Security - Smart Card Services - Screen Lock - Screen Sharing Server - syslog - USB
#   last seen   : 2020-06-01
#   modified    : 2020-06-02
#   plugin id   : 70561
#   published   : 2013-10-23
#   reporter    : This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
#   source      : https://www.tenable.com/plugins/nessus/70561
#   title       : Mac OS X 10.x < 10.9 Multiple Vulnerabilities (BEAST)
#
# (C) Tenable Network Security, Inc.
#

# Version-only check: any Mac OS X 10.x release below 10.9 is reported. The
# finding stands for every CVE registered below (CVE-2013-5229 among them)
# and is not evidence that a particular flaw was exercised on the host.

include("compat.inc");

# Metadata registration. The block ends with exit(0), so the host check
# further down never runs from here.
if (description)
{
  script_id(70561);
  script_version("1.11");
  script_cvs_date("Date: 2018/07/14 1:59:36");

  script_cve_id(
    "CVE-2011-2391", "CVE-2011-3389", "CVE-2011-3427", "CVE-2011-4944",
    "CVE-2012-0845", "CVE-2012-0876", "CVE-2012-1150", "CVE-2013-0249",
    "CVE-2013-1667", "CVE-2013-1944", "CVE-2013-3950", "CVE-2013-3954",
    "CVE-2013-4073", "CVE-2013-5135", "CVE-2013-5138", "CVE-2013-5139",
    "CVE-2013-5141", "CVE-2013-5142", "CVE-2013-5145", "CVE-2013-5165",
    "CVE-2013-5166", "CVE-2013-5167", "CVE-2013-5168", "CVE-2013-5169",
    "CVE-2013-5170", "CVE-2013-5171", "CVE-2013-5172", "CVE-2013-5173",
    "CVE-2013-5174", "CVE-2013-5175", "CVE-2013-5176", "CVE-2013-5177",
    "CVE-2013-5178", "CVE-2013-5179", "CVE-2013-5180", "CVE-2013-5181",
    "CVE-2013-5182", "CVE-2013-5183", "CVE-2013-5184", "CVE-2013-5185",
    "CVE-2013-5186", "CVE-2013-5187", "CVE-2013-5188", "CVE-2013-5189",
    "CVE-2013-5190", "CVE-2013-5191", "CVE-2013-5192", "CVE-2013-5229"
  );
  script_bugtraq_id(
    49778, 51239, 51996, 52379, 52732, 57842, 58311, 59058,
    60437, 60444, 60843, 62520, 62522, 62523, 62529, 62531,
    62536, 63284, 63290, 63311, 63312, 63313, 63314, 63316,
    63317, 63319, 63320, 63321, 63322, 63329, 63330, 63331,
    63332, 63335, 63336, 63339, 63343, 63344, 63345, 63346,
    63347, 63348, 63349, 63350, 63351, 63352, 63353
  );
  script_xref(name:"APPLE-SA", value:"APPLE-SA-2013-10-22-3");
  script_xref(name:"CERT", value:"864643");

  script_name(english:"Mac OS X 10.x < 10.9 Multiple Vulnerabilities (BEAST)");
  script_summary(english:"Check the version of Mac OS X.");

  script_set_attribute( attribute:"synopsis", value: "The remote host is missing a Mac OS X update that fixes multiple security vulnerabilities." );
  script_set_attribute( attribute:"description", value: "The remote host is running a version of Mac OS X 10.x that is prior to version 10.9. The newer version contains multiple security-related fixes for the following components : - Application Firewall - App Sandbox - Bluetooth - CFNetwork - CFNetwork SSL - Console - CoreGraphics - curl - dyld - IOKitUser - IOSerialFamily - Kernel - Kext Management - LaunchServices - Libc - Mail Accounts - Mail Header Display - Mail Networking - OpenLDAP - perl - Power Management - python - ruby - Security - Security - Authorization - Security - Smart Card Services - Screen Lock - Screen Sharing Server - syslog - USB" );
  script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT6011");
  script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html");
  script_set_attribute(attribute:"see_also", value:"https://www.imperialviolet.org/2011/09/23/chromeandbeast.html");
  script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/~bodo/tls-cbc.txt");
  script_set_attribute(attribute:"solution", value:"Upgrade to Mac OS X 10.9 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/08/31");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/10/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/10/23");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");

  script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
  script_require_ports("Host/MacOSX/Version", "Host/OS");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# Prefer the version recorded under Host/MacOSX/Version. If it is absent,
# fall back to the Host/OS string and accept it only when
# Host/OS/Confidence is above 70.
os_name = get_kb_item("Host/MacOSX/Version");
if (!os_name)
{
  os_name = get_kb_item_or_exit("Host/OS");
  if ("Mac OS X" >!< os_name) audit(AUDIT_OS_NOT, "Mac OS X");

  confidence = get_kb_item("Host/OS/Confidence");
  if (confidence <= 70) exit(1, "Can't determine the host's OS with sufficient confidence.");
}
if (!os_name) audit(AUDIT_OS_NOT, "Mac OS X");

# Same message for both "no 10.x version found" and "10.9 or later".
not_affected = "The host is not affected as it is running "+os_name+".";

# Pull the dotted 10.x version out of the OS string. Without a match there is
# nothing to compare, so the host is reported as not affected.
parsed = eregmatch(pattern:"Mac OS X (10\.[0-9.]+)", string:os_name);
if (isnull(parsed)) exit(0, not_affected);

installed = parsed[1];
fixed = "10.9";

# Only a result of -1 (installed < fixed) is a finding.
if (ver_compare(ver:installed, fix:fixed, strict:FALSE) != -1) exit(0, not_affected);

if (report_verbosity > 0)
{
  details =
    '\n Installed version : ' + installed +
    '\n Fixed version : ' + fixed +
    '\n';
  security_hole(port:0, extra:details);
}
else
{
  security_hole(0);
}
exit(0);