Mac OS X : iWork 9.x < 9.1 Multiple Vulnerabilities

2011-07-26T00:00:00
ID MACOSX_IWORK_9_1.NASL
Type nessus
Reporter Tenable
Modified 2018-07-14T00:00:00

Description

The version of iWork 9.x installed on the remote Mac OS X host is earlier than 9.1. As such, it is potentially affected by several vulnerabilities:

  • A buffer overflow in iWork's handling of Excel files in Numbers may lead to an application crash or arbitrary code execution. (CVE-2010-3785)

  • A memory corruption issue in iWork's handling of Excel files in Numbers may lead to an application crash or arbitrary code execution. (CVE-2010-3786)

  • A memory corruption issue in iWork's handling of Microsoft Word files in Pages may lead to an application crash or arbitrary code execution. (CVE-2011-1417)

                                        
                                            #TRUSTED 48b1f25967702b1caba691082704e2d68f6fee7b45f96fa737885b79dc1eaa4e3fea2facb57fecfbd2013eaecf94c3fa70141957ce5127f719f87813d7c8636f8f5bad0b1b22dc8f0224d695ddfec37ba254a6059663a99eb39020dfb498ba1c2d8644a603c72dad70389a0907b41122cf921f584dda7e36ca98a2de2e35edd1c3b34077b4cf3f4e657eed686a5711a8977d68e8073eb79d1668c2b2bb99087b654c8dd5bb1af9ee843c4aa916c51c8427e8eca1e39091498218a3c5a913fa4944264cf314407a2991c21cc9de1428fcaddda23083224fcb28f1a26401c53bd18f900bb7d4e8c8fdc2ea03608245c7ba9cc1c448e06234acf1563dc73f8b5f10aff25f316e0856389502452557895175187679eec0f4f42ffa96e07f21edbb6ad55336d299e909c9797bfcdea610b3936479f15d3e846de1b2e83dff8f029e38fbaa41bb4edc76b834a17ab55ee8278a36d2002a8335b505232a033d03d801bfce1ebac724d901f0ebe0c80859b9e52474a34d14d162c3baa1a878376c5526ee00173fc0c2d426087b0fef8b2d7d1f9388d7089aae4b4ff685cf1ed2dfd9c6e15826faef13bd0f22c7de1b5d184fe5702207bad8a911b1a60ebc7b3e6ab968b07509d495bb97e36663a9b308eda97547ddfa3d68447ecafacbe74d8df2b2b1eedfda882591e1cbe5addc7550c3114448c821495919e529b0700bcd1d3764128c
#
# (C) Tenable Network Security, Inc.
#


# Engine capability guard: end silently (status 0, no message) when the
# scanner build does not provide bn_random().
# NOTE(review): presumably this screens out engines too old for the SSH
# library included further down -- confirm against the engine documentation.
# NOTE(review): the file opens with a #TRUSTED signature line; presumably a
# locally edited copy no longer verifies against it -- confirm before
# deploying any change to this script.
if (!defined_func("bn_random"))
{
  exit(0);
}


include("compat.inc");


# Registration branch: when the engine evaluates the script with
# `description` set, only metadata is declared and the script leaves through
# the exit(0) at the end of this block, before any host data is read.
if (description)
{
  script_id(55693);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/07/14");

  # One finding covers all three CVEs; the check below does not tell them apart.
  script_cve_id("CVE-2010-3785", "CVE-2010-3786", "CVE-2011-1417");
  script_bugtraq_id(44799, 44812, 46832);

  script_name(english:"Mac OS X : iWork 9.x < 9.1 Multiple Vulnerabilities");
  # Only Numbers is inspected by the check body. The Pages issue
  # (CVE-2011-1417) is therefore inferred from the suite level, not read from
  # Pages itself.
  script_summary(english:"Check the installed version of Numbers");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote host contains an office suite that is affected by several
vulnerabilities."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The version of iWork 9.x installed on the remote Mac OS X host is
earlier than 9.1. As such, it is potentially affected by several
vulnerabilities :

  - A buffer overflow in iWork's handling of Excel files in
    Numbers may lead to an application crash or arbitrary 
    code execution. (CVE-2010-3785)

  - A memory corruption issue in iWork's handling of Excel 
    files in Numbers may lead to an application crash or 
    arbitrary code execution. (CVE-2010-3786)

  - A memory corruption issue in iWork's handling of 
    Microsoft Word files in Pages may lead to an 
    application crash or arbitrary code execution.
    (CVE-2011-1417)"
  );
  # NOTE(review): the three references below use plain http:// URLs; prefer
  # the https:// form when following them, if the sites offer it.
  script_set_attribute(
    attribute:"see_also", 
    value:"http://support.apple.com/kb/HT4830"
  );
  script_set_attribute(
    attribute:"see_also", 
    value:"http://lists.apple.com/archives/security-announce/2011/Jul/msg00003.html"
  );
  script_set_attribute(
    attribute:"see_also", 
    value:"http://www.securityfocus.com/archive/1/518976/30/0/threaded"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Apply the iWork 9.1 Update and verify the installed version of 
Numbers is 2.1 or later."
  );
  # CVSS v2 base vector as written: network vector, medium access complexity,
  # no authentication, complete impact on confidentiality, integrity and
  # availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  # CVSS v2 temporal vector as written: exploitability unproven, official fix
  # available, report confidence confirmed.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/11/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/07/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/07/26");

  # Declared as a local check: the result comes from data gathered on the
  # host itself, not from probing a network service.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");
 
  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
 
  # The check body reads all four knowledge-base keys listed here.
  # NOTE(review): presumably ssh_get_info.nasl is what populates them during
  # a credentialed scan -- confirm against that plugin.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version", "Host/MacOSX/packages", "Host/MacOSX/packages/boms");

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("ssh_func.inc");
include("macosx_func.inc");



# Choose the SSH helper mode from the support level the SSH library reports:
# wrappers are enabled only when that level reaches SSH_LIB_SUPPORTS_COMMANDS,
# and disabled otherwise.
if (sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
{
  enable_ssh_wrappers();
}
else
{
  disable_ssh_wrappers();
}

# Precondition 1: the knowledge base must say local checks are enabled.
# Without that flag the script ends as "not applicable" (status 0).
local_checks = get_kb_item("Host/local_checks_enabled");
if (!local_checks)
{
  exit(0, "Local checks are not enabled.");
}


# Precondition 2: a Mac OS X version must have been recorded for the host.
os = get_kb_item("Host/MacOSX/Version");
if (!os)
{
  exit(0, "The host does not appear to be running Mac OS X.");
}


# Confirm from the package inventory that iWork 9.x is installed.
# Two knowledge-base sources are consulted: the BOM receipt list, and the
# plain package list as a fallback when no BOM list is present.
boms = get_kb_item("Host/MacOSX/packages/boms");
packages = get_kb_item("Host/MacOSX/packages");

# With neither inventory available the check cannot decide, so it ends with
# an error status (1). That is not a "not affected" result.
if (!boms && !packages)
  exit(1, "Failed to list installed packages / boms.");

if (boms)
{
  # Substring test against the receipt list.
  if ("pkg.iWork09" >!< boms)
    exit(0, "iWork 9.x is not installed.");
}
else
{
  # nb: iWork up to 9.0.5 is available for 10.4 so we need to be sure we
  #     identify installs of that. The 9.1 Update does not, though, work on it.
  if (!egrep(pattern:"^iWork ?09", string:packages))
    exit(0, "iWork 9.x is not installed.");
}


# Look for a receipt of the 9.1 Update or a later one. The pattern accepts
# "iWork_9" followed by a digit from 1 to 9 and then any further digits.
# NOTE(review): this path trusts the receipt alone. The Numbers version on
# disk is not read before the script reports "not affected", so a receipt
# left behind by an earlier install would mask an older application copy.
if (boms)
{
  if (egrep(pattern:"^com\.apple\.pkg\.iWork_9[1-9][0-9]*_Update", string:boms))
    exit(0, "The host has the iWork 9.1 Update or later installed and therefore is not affected.");
}


# Read the Numbers version from the application bundle to confirm the host
# is affected.
# The bundle path is a fixed literal, so no value obtained from the target is
# interpolated into the command line. Only this default install location is
# inspected; a copy installed elsewhere yields no output and ends in the
# exit(1) below.
path = '/Applications/iWork \'09/Numbers.app';
info_plist = path + '/Contents/Info.plist';

# Pipeline: print the plist, keep the CFBundleShortVersionString key plus the
# line after it, take that last line, and strip the <string> tags around it.
extract_cmd = 'cat "' + info_plist + '"';
extract_cmd = extract_cmd + ' | grep -A 1 CFBundleShortVersionString';
extract_cmd = extract_cmd + ' | tail -n 1';
extract_cmd = extract_cmd + ' | sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\'';

# The command output comes from the scanned host. It is validated as a
# version string right after this block, before it is used.
version = exec_cmd(cmd:extract_cmd);
if (!strlen(version))
{
  exit(1, "Failed to get the version of Numbers.");
}

# Normalise the command output and require it to start like a version number.
# NOTE(review): the pattern is anchored only at the start ("digits then a
# dot"). Any trailing text from the plist is accepted and later copied into
# the report and exit messages.
version = chomp(version);
if (!ereg(pattern:"^[0-9]+\.", string:version))
{
  exit(1, "The Numbers version does not appear to be numeric ("+version+").");
}

# Split on dots and convert every component to an integer for comparison.
ver = split(version, sep:'.', keep:FALSE);
n_fields = max_index(ver);
for (idx = 0; idx < n_fields; idx++)
{
  ver[idx] = int(ver[idx]);
}

# Only Numbers 2.0.x is treated as affected: major version 2 with a minor
# version below 1. Every other version ends the script as "not affected".
if (!(ver[0] == 2 && ver[1] < 1))
  exit(0, "The host is not affected since Numbers " + version + " is installed.");

# Affected: raise the finding on port 0. When report verbosity is above zero,
# attach the bundle path, the version found, and the fixed version.
if (report_verbosity > 0)
{
  report = '\n  Path                         : ' + path;
  report = report + '\n  Installed version of Numbers : ' + version;
  report = report + '\n  Fixed version of Numbers     : 2.1\n';
  security_hole(port:0, extra:report);
}
else
{
  security_hole(0);
}