Vulnerabilities > CVE-2013-6114 - Integer Overflow OR Wraparound vulnerability in Apple Motion 5.0.7

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
apple
CWE-190
nessus
exploit available

Summary

Integer overflow in the OZDocument::parseElement function in Apple Motion 5.0.7 allows remote attackers to cause a denial of service (application crash) via a (1) large or (2) small value in the subview attribute of a viewer element in a .motn file.

Vulnerable Configurations

Part Description Count
Application
Apple
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

Exploit-Db

descriptionApple Motion 5.0.7 Integer Overflow Vulnerability. CVE-2013-6114. Dos exploit for osx platform
fileexploits/osx/dos/28811.txt
idEDB-ID:28811
last seen2016-02-03
modified2013-10-08
platformosx
port
published2013-10-08
reporterJean Pascal Pereira
sourcehttps://www.exploit-db.com/download/28811/
titleApple Motion 5.0.7 Integer Overflow Vulnerability
typedos

Nessus

NASL familyMacOS X Local Security Checks
NASL idMACOSX_MOTION_5_1.NASL
descriptionThe version of Apple Motion installed on the remote Mac OS X host is earlier than 5.1. As such, it reportedly has an integer overflow in its handling of .motn files that could lead to an out-of-bounds memory access and, in turn, arbitrary code execution.
last seen2020-06-01
modified2020-06-02
plugin id71571
published2013-12-20
reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/71571
titleApple Motion < 5.1 OZDocument::parseElement() Function MOTN File Subview Attribute Handling Integer Overflow
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(71571);
  script_version("1.3");
  script_cvs_date("Date: 2019/11/27");

  script_cve_id("CVE-2013-6114");
  script_bugtraq_id(62874);
  script_xref(name:"EDB-ID", value:"28811");
  script_xref(name:"APPLE-SA", value:"APPLE-SA-2013-12-19-1");

  script_name(english:"Apple Motion < 5.1 OZDocument::parseElement() Function MOTN File Subview Attribute Handling Integer Overflow");
  script_summary(english:"Check the version of Motion");

  script_set_attribute(attribute:"synopsis", value:
"An application on the remote host is affected by an integer overflow
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Apple Motion installed on the remote Mac OS X host is
earlier than 5.1.  As such, it reportedly has an integer overflow in
its handling of .motn files that could lead to an out-of-bounds memory
access and, in turn, arbitrary code execution.");
  script_set_attribute(attribute:"see_also", value:"http://seclists.org/bugtraq/2013/Oct/27");
  script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT6041");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/archive/1/530434/30/0/threaded");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apple Motion 5.1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-6114");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/10/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/12/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/12/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:motion");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("macosx_motion_installed.nbin");
  script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version", "MacOSX/Motion/Installed");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/MacOSX/Version")) audit(AUDIT_OS_NOT, "Mac OS X");

get_kb_item_or_exit("MacOSX/Motion/Installed");
path = get_kb_item_or_exit("MacOSX/Motion/Path", exit_code:1);
version = get_kb_item_or_exit("MacOSX/Motion/Version", exit_code:1);

fixed_version = "5.1";

if (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)
{
  if (report_verbosity > 0)
  {
    report =
      '\n  Path              : ' + path +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : ' + fixed_version + '\n';
    security_warning(port:0, extra:report);
  }
  else security_warning(0);
}
else audit(AUDIT_INST_PATH_NOT_VULN, "Apple Motion", version, path);