Vulnerabilities > CVE-2014-4377 - Numeric Errors vulnerability in Apple iPhone OS, Mac OS X and tvOS

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
apple
CWE-189
nessus

Summary

Integer overflow in CoreGraphics in Apple iOS before 8 and Apple TV before 7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

Vulnerable Configurations

Part Description Count
OS
Apple
240

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_10_9_5.NASL
    description: The remote host is running a version of Mac OS X 10.9.x that is prior to version 10.9.5. This update contains several security-related fixes for the following components : - apache_mod_php - Bluetooth - CoreGraphics - Foundation - Intel Graphics Driver - IOAcceleratorFamily - IOHIDFamily - IOKit - Kernel - Libnotify - OpenSSL - QT Media Foundation - ruby Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 77748
    published: 2014-09-18
    reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/77748
    title: Mac OS X 10.9.x < 10.9.5 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration phase: when `description` is set, only the metadata below is
    # recorded and the script leaves through the exit(0) at the end of this
    # block, before any of the version-checking code further down runs.
    if (description)
    {
      script_id(77748);
      script_version("1.9");
      script_cvs_date("Date: 2018/07/14  1:59:36");
    
      # One finding stands for every CVE in this list. CVE-2014-4377 (the
      # CoreGraphics integer overflow reachable through a crafted PDF) is a single
      # entry among them, so a hit means "OS older than 10.9.5", not that this
      # particular flaw was individually confirmed on the host.
      script_cve_id(
        "CVE-2013-7345",
        "CVE-2014-0076",
        "CVE-2014-0185",
        "CVE-2014-0195",
        "CVE-2014-0207",
        "CVE-2014-0221",
        "CVE-2014-0224",
        "CVE-2014-0237",
        "CVE-2014-0238",
        "CVE-2014-1391",
        "CVE-2014-1943",
        "CVE-2014-2270",
        "CVE-2014-2525",
        "CVE-2014-3470",
        "CVE-2014-3478",
        "CVE-2014-3479",
        "CVE-2014-3480",
        "CVE-2014-3487",
        "CVE-2014-3515",
        "CVE-2014-3981",
        "CVE-2014-4049",
        "CVE-2014-4350",
        "CVE-2014-4374",
        "CVE-2014-4376",
        "CVE-2014-4377",
        "CVE-2014-4378",
        "CVE-2014-4379",
        "CVE-2014-4381",
        "CVE-2014-4388",
        "CVE-2014-4389",
        "CVE-2014-4390",
        "CVE-2014-4393",
        "CVE-2014-4394",
        "CVE-2014-4395",
        "CVE-2014-4396",
        "CVE-2014-4397",
        "CVE-2014-4398",
        "CVE-2014-4399",
        "CVE-2014-4400",
        "CVE-2014-4401",
        "CVE-2014-4402",
        "CVE-2014-4403",
        "CVE-2014-4416",
        "CVE-2014-4979"
      );
      # Bugtraq ids for the same bundle of issues (same count as the CVE list).
      script_bugtraq_id(
        65596,
        66002,
        66363,
        66406,
        66478,
        67118,
        67759,
        67765,
        67837,
        67898,
        67899,
        67900,
        67901,
        68007,
        68120,
        68237,
        68238,
        68239,
        68241,
        68243,
        68852,
        69888,
        69891,
        69892,
        69893,
        69894,
        69895,
        69896,
        69897,
        69898,
        69901,
        69903,
        69905,
        69906,
        69907,
        69908,
        69910,
        69915,
        69916,
        69921,
        69925,
        69931,
        69948,
        69950
      );
      script_xref(name:"APPLE-SA", value:"APPLE-SA-2014-09-17-3");
    
      script_name(english:"Mac OS X 10.9.x < 10.9.5 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of Mac OS X.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a Mac OS X update that fixes multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote host is running a version of Mac OS X 10.9.x that is prior
    to version 10.9.5. This update contains several security-related fixes
    for the following components :
    
      - apache_mod_php
      - Bluetooth
      - CoreGraphics
      - Foundation
      - Intel Graphics Driver
      - IOAcceleratorFamily
      - IOHIDFamily
      - IOKit
      - Kernel
      - Libnotify
      - OpenSSL
      - QT Media Foundation
      - ruby
    
    Note that successful exploitation of the most serious issues can
    result in arbitrary code execution.");
      script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/archive/1/533483/30/0/threaded");
      script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT6443");
      script_set_attribute(attribute:"see_also", value:"http://osdir.com/ml/general/2014-09/msg34124.html");
      script_set_attribute(attribute:"solution", value:"Upgrade to Mac OS X 10.9.5 or later.");
      # The base vector here (AV:N/AC:L, complete C/I/A) is stricter than the
      # NETWORK / MEDIUM / PARTIAL rating given for CVE-2014-4377 on its own;
      # presumably it reflects the most severe issue in the bundle. Triage on the
      # per-CVE score when prioritising a single flaw.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      # Exploit-availability flags are set once for the whole plugin; nothing here
      # says which of the listed CVEs they refer to.
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      # NOTE(review): 2011/12/31 is earlier than the year of every CVE id listed
      # above - confirm which bundled issue this date was taken from.
    script_set_attribute(attribute:"vuln_publication_date", value:"2011/12/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/09/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/09/18");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
    
      # The check reads "Host/MacOSX/Version" and "Host/OS" from the knowledge
      # base; the two dependencies presumably populate them.
      # NOTE(review): KB key names are passed to script_require_ports rather than
      # port numbers - presumably so the plugin runs when either key is present;
      # confirm against the engine documentation.
      script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
      script_require_ports("Host/MacOSX/Version", "Host/OS");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
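    # Prefer the version string stored under Host/MacOSX/Version; fall back to
    # the OS fingerprint string only when that key is absent.
    os = get_kb_item("Host/MacOSX/Version");
    if (!os)
    {
      os = get_kb_item_or_exit("Host/OS");
      if ("Mac OS X" >!< os) audit(AUDIT_OS_NOT, "Mac OS X");
    
      # A fingerprint is a guess: refuse to report on it unless the recorded
      # confidence is above 70, so a weak guess cannot turn into a finding.
      c = get_kb_item("Host/OS/Confidence");
      if (c <= 70) exit(1, "Can't determine the host's OS with sufficient confidence.");
    }
    if (!os) audit(AUDIT_OS_NOT, "Mac OS X");
    
    
    # `[0-9]+` after each dot, so multi-digit components are captured whole.
    # With a single `[0-9]` per component, "10.10.1" is captured as "10.1" and a
    # two-digit patch level is cut at its first digit before the comparison.
    match = eregmatch(pattern:"Mac OS X ([0-9]+(\.[0-9]+)+)", string:os);
    if (isnull(match)) exit(1, "Failed to parse the Mac OS X version ('" + os + "').");
    
    # Only the 10.9 branch is in scope; any other branch is audited out here.
    version = match[1];
    if (!ereg(pattern:"^10\.9([^0-9]|$)", string:version)) audit(AUDIT_OS_NOT, "Mac OS X 10.9", "Mac OS X "+version);
    
    # Version-only decision: the host is reported when its OS version sorts
    # below 10.9.5. No individual component (CoreGraphics, OpenSSL, ...) is
    # inspected, so the result is only as accurate as the stored version string.
    fixed_version = "10.9.5";
    if (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)
    {
      if (report_verbosity > 0)
      {
        report = '\n  Installed version : ' + version +
                 '\n  Fixed version     : ' + fixed_version +
                 '\n';
        security_hole(port:0, extra:report);
      }
      else security_hole(0);
      exit(0);
    }
    else exit(0, "The host is not affected as it is running Mac OS X "+version+".");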
    
  • NASL family: Misc.
    NASL id: APPLETV_7_0.NASL
    description: According to its banner, the remote Apple TV device is a version prior to 7. It is, therefore, affected by multiple vulnerabilities, the most serious of which can result in arbitrary code execution.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 77822
    published: 2014-09-24
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/77822
    title: Apple TV < 7 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration phase: when `description` is set, only the metadata below is
    # recorded and the script leaves through the exit(0) at the end of this
    # block, before any banner is requested from the target.
    if (description)
    {
      script_id(77822);
      script_version("1.10");
      script_cvs_date("Date: 2019/11/26");
    
      # One finding stands for every CVE in this list; CVE-2014-4377 (the
      # CoreGraphics integer overflow reachable through a crafted PDF) is a single
      # entry. A hit means "software older than Apple TV 7", not that this
      # particular flaw was individually confirmed on the device.
      script_cve_id(
        "CVE-2011-2391",
        "CVE-2013-6663",
        "CVE-2014-1384",
        "CVE-2014-1385",
        "CVE-2014-1387",
        "CVE-2014-1388",
        "CVE-2014-1389",
        "CVE-2014-4357",
        "CVE-2014-4364",
        "CVE-2014-4369",
        "CVE-2014-4371",
        "CVE-2014-4372",
        "CVE-2014-4373",
        "CVE-2014-4375",
        "CVE-2014-4377",
        "CVE-2014-4378",
        "CVE-2014-4379",
        "CVE-2014-4380",
        "CVE-2014-4381",
        "CVE-2014-4383",
        "CVE-2014-4388",
        "CVE-2014-4389",
        "CVE-2014-4404",
        "CVE-2014-4405",
        "CVE-2014-4407",
        "CVE-2014-4408",
        "CVE-2014-4410",
        "CVE-2014-4411",
        "CVE-2014-4412",
        "CVE-2014-4413",
        "CVE-2014-4414",
        "CVE-2014-4415",
        "CVE-2014-4418",
        "CVE-2014-4419",
        "CVE-2014-4420",
        "CVE-2014-4421",
        "CVE-2014-4422"
      );
      # Bugtraq ids for the bundled issues.
      script_bugtraq_id(
        62531,
        65930,
        69223,
        69881,
        69882,
        69903,
        69911,
        69912,
        69913,
        69915,
        69919,
        69921,
        69923,
        69924,
        69927,
        69928,
        69929,
        69930,
        69931,
        69934,
        69938,
        69939,
        69941,
        69942,
        69944,
        69946,
        69947,
        69948,
        69950,
        69966,
        69970,
        69973
      );
      script_xref(name:"APPLE-SA", value:"APPLE-SA-2014-09-17-2");
    
      script_name(english:"Apple TV < 7 Multiple Vulnerabilities");
      script_summary(english:"Checks the version in the banner.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote device is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the remote Apple TV device is a version prior
    to 7. It is, therefore, affected by multiple vulnerabilities, the most
    serious of which can result in arbitrary code execution.");
      script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT203058");
      script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/533468/30/0/threaded");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Apple TV 7 or later. Note that this update is only
    available for 3rd generation and later models.");
      # Both score sets are attributed to CVE-2014-4418 by cvss_score_source
      # below, not to CVE-2014-4377. They also disagree on reachability: the v2
      # vector is network (AV:N) while the v3 vector is local with user
      # interaction (AV:L/UI:R). Use the per-CVE score when triaging one flaw.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-4418");
    
      # Exploit-availability flags are set once for the whole plugin. The named
      # Metasploit module concerns an IOKit keyboard driver privilege escalation,
      # i.e. a different bundled issue from the CoreGraphics PDF flaw.
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Mac OS X IOKit Keyboard Driver Root Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/09/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/09/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/09/24");
    
      # "remote": the verdict comes from network banners only (see the summary
      # above), so it is only as reliable as what the device reports about itself.
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:apple_tv");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Requires the "www/appletv" KB entry (presumably set by the detection
      # plugin listed as a dependency) and port 3689, where the banner is read.
      script_dependencies("appletv_detect.nasl");
      script_require_keys("www/appletv");
      script_require_ports(3689);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
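    # Stop unless the "www/appletv" KB entry exists.
    get_kb_item_or_exit("www/appletv");
    
    # The whole verdict is banner-based: the version is whatever the service on
    # port 3689 reports in its DAAP-Server / RIPT-Server header. A device whose
    # banner is hidden or rewritten by an intermediary cannot be judged this way.
    port = 3689;
    banner = get_http_banner(port:port, broken:TRUE, exit_on_fail:TRUE);
    if (
      "DAAP-Server: iTunes/" >!< banner &&
      "RIPT-Server: iTunesLib/" >!< banner
    ) audit(AUDIT_WRONG_WEB_SERVER, port, 'iTunes');
    
    # Captures: 1 = dotted major version, 2 = single letter, 3 = build number.
    pat = "^DAAP-Server: iTunes/([0-9][0-9.]+)([a-z])([0-9]+) \((Mac )?OS X\)";
    matches = egrep(pattern:pat, string:banner);
    
    # A DAAP banner that does not have the Apple TV shape is some other iTunes
    # server; do not guess.
    if (
      "DAAP-Server: iTunes/" >< banner &&
      !matches
    ) audit(AUDIT_WRONG_WEB_SERVER, port, "iTunes on an Apple TV");
    
    fixed_major = "11.1";
    fixed_char = "b";
    # Kept as an integer because it is compared with int(match[3]) below. An
    # int-versus-string comparison would depend on the interpreter's coercion
    # rules; compared as strings, build 4 would sort after "37" and an old
    # build could be missed.
    fixed_minor = 37;
    fixed_airtunes_version = "210.98";
    
    report = "";
    
    # Check first for 3rd gen and recent 2nd gen models.
    if (matches)
    {
      foreach line (split(matches, keep:FALSE))
      {
        match = eregmatch(pattern:pat, string:line);
        if (!isnull(match))
        {
          major = match[1];
          char = match[2];
          minor = int(match[3]);
    
          # Older than 11.1b37: lower major, or same major with an earlier letter,
          # or same major and letter with a lower build number.
          if (
            ver_compare(ver:major, fix:fixed_major, strict:FALSE) < 0 ||
            (
              ver_compare(ver:major, fix:fixed_major, strict:FALSE) == 0 &&
              (
                ord(char) < ord(fixed_char) ||
                (
                  ord(char) == ord(fixed_char) &&
                  minor < fixed_minor
                )
              )
            )
          )
          {
            report = '\n  Source                   : ' + line +
                     '\n  Installed iTunes version : ' + major + char + minor +
                     '\n  Fixed iTunes version     : ' + fixed_major + fixed_char + fixed_minor +
                     '\n';
          }
          # Exactly 11.1b37: the iTunes banner alone does not decide, so the
          # AirTunes Server header on port 5000 is compared against 210.98.
          else if (major == fixed_major && char == fixed_char && minor == fixed_minor)
          {
            airtunes_port = 5000;
            # nb: 'http_server_header()' exits if it can't get the HTTP banner.
            server_header = http_server_header(port:airtunes_port);
            if (isnull(server_header)) audit(AUDIT_WEB_NO_SERVER_HEADER, airtunes_port);
            if ("AirTunes" >!< server_header)  audit(AUDIT_WRONG_WEB_SERVER, airtunes_port, "AirTunes");
    
            match = eregmatch(string:server_header, pattern:"^AirTunes\/([0-9][0-9.]+)");
            if (!match) audit(AUDIT_UNKNOWN_WEB_SERVER_VER, "AirTunes", airtunes_port);
            airtunes_version = match[1];
    
            if (ver_compare(ver:airtunes_version, fix:fixed_airtunes_version, strict:FALSE) < 0)
            {
              report = '\n  Source                     : ' + server_header +
                       '\n  Installed AirTunes version : ' + airtunes_version +
                       '\n  Fixed AirTunes version     : ' + fixed_airtunes_version +
                       '\n';
            }
            else audit(AUDIT_LISTEN_NOT_VULN, "AirTunes", airtunes_port, airtunes_version);
          }
        }
      }
    }
    else
    {
      # No DAAP banner matched: fall back to the RIPT-Server header and report
      # any iTunesLib major version of 9 or lower. Only the first matching line
      # is considered.
      pat2 = "^RIPT-Server: iTunesLib/([0-9]+)\.";
      matches = egrep(pattern:pat2, string:banner);
      if (matches)
      {
        foreach line (split(matches, keep:FALSE))
        {
          match = eregmatch(pattern:pat2, string:line);
          if (!isnull(match))
          {
            major = int(match[1]);
            if (major <= 9)
            {
              report = '\n  Source : ' + line +
                       '\n';
            }
            break;
          }
        }
      }
    }
    
    # A non-empty report means one of the version tests above failed.
    if (report)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:report);
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");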