[NEWS] Apple Terminal URIs Vulnerability (2005-005)
From: SecuriTeam (support_at_securiteam.com)
Date: 05/04/05
To: list@securiteam.com
Date: 4 May 2005 19:14:34 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Apple Terminal URIs Vulnerability (2005-005)
------------------------------------------------------------------------
SUMMARY
Mac OS X 10.3 introduced a URI handler called x-man-page:, which is handled
by the Terminal. It allows look-up of man pages using URIs of the
following form: x-man-page://command. Two manual pages can be looked up in
sequence like this: x-man-page://first/second (this is probably intended
to allow a section to be specified, as well as a page name, e.g.
x-man-page://2/printf).
The x-man-page handler is vulnerable to an attack based on injecting
commands into the user's terminal through terminal escape sequences,
because escape sequences are not stripped from the input URI and the man
program echoes commands it cannot find manual pages for to the terminal.
DETAILS
Vulnerable Systems:
* Apple Terminal version 1.4.4 (43)
Immune Systems:
* Apple Terminal version 1.5 (133)
The failure to sanitize the incoming URI opens the way to several exploits.
The first prerequisite for a successful attack is that the attacker can
get the victim's system to open an x-man-page: URI containing the escape
sequences. The other requirement is that the user presses enter at least
once in the terminal window that opens. When these conditions are met, it
is possible for the attacker to execute arbitrary commands on the user's
machine, ultimately leading to complete compromise of the current user's
account.
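The missing input check described above, as an added example (not code from the advisory, from Apple, or from Security Update 2005-005): percent-decode each URI component first, then reject any that contains terminal control bytes or is not a plain man section or page name. The allow-list pattern and all function names are assumptions of this example, and the sample URIs are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

PREFIX = "x-man-page://"
# Allow-list for a man section or page name (an assumption of this example).
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+:-]*\Z")

def control_bytes(data: bytes) -> list[int]:
    """Offsets of bytes a terminal may act on: C0 (incl. ESC, BEL), DEL, C1."""
    return [i for i, b in enumerate(data)
            if b < 0x20 or b == 0x7F or 0x80 <= b <= 0x9F]

def visible(data: bytes) -> str:
    """Render bytes for a log line so control bytes never reach a terminal raw."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in data)

def parse_man_uri(uri: str) -> list[str]:
    """Return [page] or [section, page]; raise ValueError for anything else."""
    if not uri.lower().startswith(PREFIX):
        raise ValueError("not an x-man-page URI")
    components = uri[len(PREFIX):].split("/")
    if len(components) > 2:
        raise ValueError("expected page or section/page")
    names = []
    for raw in components:
        decoded = unquote_to_bytes(raw)  # decode first, then validate
        if control_bytes(decoded):
            raise ValueError("control bytes in component: " + visible(decoded))
        if not NAME_RE.match(visible(decoded)):
            raise ValueError("not a valid man page name: " + visible(decoded))
        names.append(decoded.decode("ascii"))
    return names

def is_safe_man_uri(uri: str) -> bool:
    try:
        parse_man_uri(uri)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed samples: two forms from the advisory, then an OSC title
    # sequence (ESC ] 2 ; ... BEL) and a double-encoded ESC.
    for u in ["x-man-page://2/printf", "x-man-page://xclock",
              "x-man-page://%1b%5d2%3btitle%07/xclock", "x-man-page://%251b/ls"]:
        print(u, "->", "accept" if is_safe_man_uri(u) else "reject")
```

Validating after decoding is what catches the percent-encoded ESC and BEL bytes; the double-encoded case is rejected because a single decode leaves a literal "%" that the allow-list does not permit.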
Proof of Concept:
A demonstration of this behavior can be found in the following HTML file:
<html>
<head>
<title>Demonstration of exploit</title>
</head>
<body>
<p><a href="x-man-page://%1b%5d2%3b%21ls%0a .
%07%1b%5b21t/xclock">This link</a> will
use the <code>x-man-page:</code> handler to display the
<code>xclock</code> man page. When the user
presses enter, the command <code>ls</code> will be executed. This exploit
does not try to conceal what it is doing — a real attack
could be more stealthy.</p>
</body>
</html>
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1342>
CAN-2005-1342
Patch Availability:
Installing Security Update 2005-005 fixes the problem.
Disclosure Timeline:
* 24.02.05 - Acknowledged receipt of the report.
* 03.05.05 - Apple releases
<http://docs.info.apple.com/article.html?artnum=301528> Security Update
2005-005, addressing the problem.
ADDITIONAL INFORMATION
The information has been provided by <mailto:david@remahl.se> David
Remahl.
The original article can be found at: http://remahl.se/david/vuln/011/