ID: OSVDB:18775
Type: osvdb
Reporter: OSVDB
Modified: 2005-08-16T23:51:27
Description
Vulnerability Description
A local overflow exists in Mac OS X. AppKit fails to validate Microsoft Word .doc files, resulting in a buffer overflow. With a specially crafted .doc file, an attacker can cause arbitrary code execution, resulting in a loss of integrity.
Technical Description
This flaw exists only within AppKit and applications like TextEdit which rely on AppKit. Microsoft Word is not affected.
Solution Description
Currently, there are no known workarounds or upgrades to correct this issue. However, Apple has released a patch to address this vulnerability.
{"type": "osvdb", "published": "2005-08-16T23:51:27", "href": "https://vulners.com/osvdb/OSVDB:18775", "bulletinFamily": "software", "cvss": {"vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 5.1}, "viewCount": 0, "edition": 1, "reporter": "OSVDB", "title": "Mac OS X AppKit Word Document Overflow", "affectedSoftware": [{"operator": "eq", "version": "10.4.2", "name": "Mac OS X"}, {"operator": "eq", "version": "10.4.1", "name": "Mac OS X"}, {"operator": "eq", "version": "10.3.x", "name": "Mac OS X"}, {"operator": "eq", "version": "10.4", "name": "Mac OS X"}], "enchantments": {"score": {"value": 6.8, "vector": "NONE", "modified": "2017-04-28T13:20:15", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-2502"]}, {"type": "cert", "idList": ["VU:172948"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:9500"]}, {"type": "nessus", "idList": ["MACOSX_SECUPD2005-007.NASL"]}], "modified": "2017-04-28T13:20:15", "rev": 2}, "vulnersScore": 6.8}, "references": [], "id": "OSVDB:18775", "lastseen": "2017-04-28T13:20:15", "cvelist": ["CVE-2005-2502"], "modified": "2005-08-16T23:51:27", "description": "## Vulnerability Description\nA local overflow exists in Mac OS X. The AppKit fails to validate Microsoft Word .doc files resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Technical Description\nThis flaw exists only within AppKit and applications like TextEdit which rely on AppKit. Microsoft Word is not affected.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Apple has released a patch to address this vulnerability.\n## Short Description\nA local overflow exists in Mac OS X. The AppKit fails to validate Microsoft Word .doc files resulting in a buffer overflow. 
With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\n[Vendor Specific Advisory URL](http://docs.info.apple.com/article.html?artnum=302163)\nSecurity Tracker: 1014695\n[Secunia Advisory ID:16449](https://secuniaresearch.flexerasoftware.com/advisories/16449/)\nISS X-Force ID: 21863\n[CVE-2005-2502](https://vulners.com/cve/CVE-2005-2502)\nBugtraq ID: 11802\n"}
{"cve": [{"lastseen": "2020-10-03T11:34:55", "description": "Buffer overflow in AppKit for Mac OS X 10.3.9 and 10.4.2, as used in applications such as TextEdit, allows external user-assisted attackers to execute arbitrary code via a crafted Microsoft Word file.", "edition": 3, "cvss3": {}, "published": "2005-08-19T04:00:00", "title": "CVE-2005-2502", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2005-2502"], "modified": "2008-09-10T19:42:00", "cpe": ["cpe:/o:apple:mac_os_x_server:10.4.2", "cpe:/o:apple:mac_os_x:10.3.9", "cpe:/o:apple:mac_os_x:10.4.2", "cpe:/o:apple:mac_os_x_server:10.3.9"], "id": "CVE-2005-2502", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2502", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:apple:mac_os_x_server:10.4.2:*:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.4.2:*:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x_server:10.3.9:*:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.3.9:*:*:*:*:*:*:*"]}], "cert": [{"lastseen": "2020-09-18T20:43:23", "bulletinFamily": "info", "cvelist": ["CVE-2005-2502"], "description": "### Overview \n\nA buffer overflow vulnerability exists in a component of Apple's Mac OS X operating system that handles Microsoft Word files.\n\n### Description \n\nThe Cocoa Application Framework (also referred to as the Application Kit, or AppKit) is one of the core Cocoa frameworks supplied with Apple's Mac OS X operating system. 
It provides functionality and associated Application Program Interfaces (APIs) for applications, including objects for graphical user interfaces (GUIs), event-handling mechanisms, application services, and drawing and image composition facilities.\n\nA buffer overflow exists in the AppKit component designed to handle Microsoft Word (`.doc`) files. Apple notes in its [security advisory](<http://docs.info.apple.com/article.html?artnum=302163>) that this vulnerability only affects applications that use AppKit (such as TextEdit) and that Microsoft Word for Mac OS X is not vulnerable. A maliciously crafted `.doc` file could be used to execute arbitrary code on a vulnerable system. \n \n--- \n \n### Impact \n\nAn attacker with the ability to supply a maliciously crafted Microsoft Word `.doc` file could execute arbitrary code on a vulnerable system. The attacker-supplied code would be executed with the privileges of the user opening the malicious file. \n \n--- \n \n### Solution \n\n**Apply a patch** \n \nApple has released a patch to address this issue and other security issues in [Security Update 2005-007](<http://docs.info.apple.com/article.html?artnum=302163>). Users are encouraged to apply the patches from this update. \n \n--- \n \n### Vendor Information\n\n172948\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Apple Computer, Inc. __ Affected\n\nUpdated: August 17, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nApple has released a patch to address this issue and other security issues in [Security Update 2005-007](<http://docs.info.apple.com/article.html?artnum=302163>). 
Users are encouraged to apply the patches from this update.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23172948 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://secunia.com/advisories/16449/>\n * <http://www.auscert.org.au/5391>\n * <http://www.ciac.org/ciac/bulletins/p-276.shtml>\n\n### Acknowledgements\n\nThanks to Apple Product Security for reporting this vulnerability.\n\nThis document was written by Chad Dougherty based on information supplied by Apple.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2005-2502](<http://web.nvd.nist.gov/vuln/detail/CVE-2005-2502>) \n---|--- \n**Severity Metric:** | 15.49 \n**Date Public:** | 2005-08-15 \n**Date First Published:** | 2005-08-17 \n**Date Last Updated: ** | 2005-08-17 17:47 UTC \n**Document Revision: ** | 12 \n", "modified": "2005-08-17T17:47:00", "published": "2005-08-17T00:00:00", "id": "VU:172948", "href": "https://www.kb.cert.org/vuls/id/172948", "type": "cert", "title": "Apple Mac OS X AppKit vulnerable to buffer overflow via maliciously crafted Microsoft Word files", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:13", "bulletinFamily": "software", "cvelist": ["CVE-2005-2502", "CVE-2005-2507", "CVE-2005-2522", "CVE-2005-2516", "CVE-2005-2518", "CVE-2005-2501"], "description": "\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n\r\n National Cyber Alert System\r\n\r\n Technical Cyber Security Alert TA05-229A \r\n\r\n\r\nApple Mac Products are Affected by Multiple Vulnerabilities\r\n\r\n Original release date: August 17, 2005\r\n Last revised: --\r\n Source: US-CERT\r\n\r\n\r\nSystems Affected\r\n\r\n * Apple Mac OS X version 10.3.9 (Panther) and version 10.4.2 (Tiger)\r\n * Apple Mac OS X Server version 10.3.9 and 
version 10.4.2\r\n * Apple Safari web browser\r\n\r\n Please see Apple Security Update 2005-007 for further information.\r\n\r\n\r\nOverview\r\n\r\n Apple has released Security Update 2005-007 to address multiple\r\n vulnerabilities affecting Mac OS X, Mac OS X Server, Safari web\r\n browser, and other products. The most serious of these vulnerabilities\r\n may allow a remote attacker to execute arbitrary code. Impacts of\r\n other vulnerabilities include bypassing security restrictions and\r\n denial of service.\r\n\r\n\r\nI. Description\r\n\r\n Apple Security Update 2005-007 resolves a number of vulnerabilities\r\n affecting Mac OS X, OS X Server, Safari web browser, and other\r\n products. Further details are available in the following Vulnerability\r\n Notes:\r\n\r\n VU#913820 - Apple Mac OS X Directory Services contains a buffer\r\n overflow\r\n\r\n A buffer overflow in Apple Mac OS X Directory Service's authentication\r\n process may allow a remote, unauthenticated attacker to execute\r\n arbitrary code on a vulnerable system.\r\n (CAN-2005-2507)\r\n\r\n VU#461412 - Apple Mac OS X Server servermgrd authentication vulnerable\r\n to buffer overflow\r\n\r\n Apple Mac OS X Server servermgrd contains an unspecified buffer\r\n overflow vulnerability in its authentication handling routines. 
This\r\n vulnerability may lead to remote execution of arbitrary code.\r\n (CAN-2005-2518)\r\n\r\n VU#435188 - Apple Mac OS X AppKit vulnerable to buffer overflow via\r\n the handling of maliciously crafted rich text files\r\n\r\n A buffer overflow vulnerability exists in a component of Apple's Mac\r\n OS X operating system that handles rich text files.\r\n (CAN-2005-2501)\r\n\r\n VU#172948 - Apple Mac OS X AppKit vulnerable to buffer overflow via\r\n maliciously crafted Microsoft Word files\r\n\r\n A buffer overflow vulnerability exists in a component of Apple's Mac\r\n OS X operating system that handles Microsoft Word files.\r\n (CAN-2005-2502)\r\n\r\n VU#420316 - Apple Mac OS X Safari vulnerable to arbitrary command\r\n execution via URLs in PDF files\r\n\r\n Apple Mac OS X WebKit and Safari security controls may be bypassed,\r\n possibly allowing remote command execution.\r\n (CAN-2005-2522)\r\n\r\n VU#709220 - Apple Safari fails to perform security checks on links in\r\n rich text content\r\n\r\n Apple Safari fails to perform security checks on hyperlinks in rich\r\n text content, which may allow an attacker to execute arbitrary\r\n commands on a vulnerable system.\r\n (CAN-2005-2516)\r\n\r\n Please note that Apple Security Update 2005-007 addresses\r\n additional vulnerabilities not described above. As further\r\n information becomes available, we will publish individual\r\n Vulnerability Notes.\r\n\r\n\r\nII. Impact\r\n\r\n The impacts of these vulnerabilities vary. For information about\r\n specific impacts please see the Vulnerability Notes. Potential\r\n consequences include remote execution of arbitrary code or commands,\r\n bypass of security restrictions, and denial of service.\r\n\r\n\r\nIII. Solution\r\n\r\nInstall an update\r\n\r\n Install the update as described in Apple Security Update 2005-007. In\r\n addition, this update is available via Apple Update.\r\n\r\n\r\nAppendix A. 
References\r\n\r\n * US-CERT Vulnerability Note VU#913820 -\r\n <http://www.kb.cert.org/vuls/id/913820>\r\n\r\n * US-CERT Vulnerability Note VU#461412 -\r\n <http://www.kb.cert.org/vuls/id/461412>\r\n\r\n * US-CERT Vulnerability Note VU#435188 -\r\n <http://www.kb.cert.org/vuls/id/435188>\r\n\r\n * US-CERT Vulnerability Note VU#172948 -\r\n <http://www.kb.cert.org/vuls/id/172948>\r\n\r\n * US-CERT Vulnerability Note VU#420316 -\r\n <http://www.kb.cert.org/vuls/id/420316>\r\n\r\n * US-CERT Vulnerability Note VU#709220 -\r\n <http://www.kb.cert.org/vuls/id/709220>\r\n\r\n * Apple Security Update 2005-007 -\r\n <http://docs.info.apple.com/article.html?artnum=302163>\r\n\r\n * Mac OS X: Updating your software -\r\n <http://docs.info.apple.com/article.html?artnum=106704>\r\n\r\n\r\n ____________________________________________________________________\r\n\r\n The most recent version of this document can be found at:\r\n\r\n <http://www.us-cert.gov/cas/techalerts/TA05-229A.html>\r\n ____________________________________________________________________\r\n\r\n Feedback can be directed to US-CERT. 
Please send email to\r\n <cert@cert.org> with "TA05-229A Feedback VU#913820" in the subject.\r\n ____________________________________________________________________\r\n\r\n Mailing list information:\r\n\r\n <http://www.us-cert.gov/cas/>\r\n ____________________________________________________________________\r\n\r\n Produced 2005 by US-CERT, a government organization.\r\n\r\n Terms of use:\r\n\r\n <http://www.us-cert.gov/legal.html>\r\n ____________________________________________________________________\r\n\r\n\r\nRevision History\r\n\r\n August 17, 2005: Initial release\r\n", "edition": 1, "modified": "2005-08-18T00:00:00", "published": "2005-08-18T00:00:00", "id": "SECURITYVULNS:DOC:9500", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:9500", "title": "US-CERT Technical Cyber Security Alert TA05-229A -- Apple Mac Products are Affected by Multiple Vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-01-01T03:25:06", "description": "The remote host is running a version of Mac OS X 10.4 or 10.3 that\ndoes not have Security Update 2005-007 applied.\n\nThis security update contains fixes for the following products :\n\n - Apache 2\n - AppKit\n - Bluetooth\n - CoreFoundation\n - CUPS\n - Directory Services\n - HItoolbox\n - Kerberos\n - loginwindow\n - Mail\n - MySQL\n - OpenSSL\n - QuartzComposerScreenSaver\n - ping\n - Safari\n - 
SecurityInterface\n - servermgrd\n - servermgr_ipfilter\n - SquirelMail\n - traceroute\n - WebKit\n - WebLog Server\n - X11\n - zlib", "edition": 23, "published": "2005-08-18T00:00:00", "title": "Mac OS X Multiple Vulnerabilities (Security Update 2005-007)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-2526", "CVE-2005-2506", "CVE-2005-2509", "CVE-2005-2502", "CVE-2005-2519", "CVE-2005-0605", "CVE-2005-1849", "CVE-2005-0711", "CVE-2005-2523", "CVE-2005-1689", "CVE-2005-2520", "CVE-2005-2524", "CVE-2005-2504", "CVE-2005-2514", "CVE-2004-0885", "CVE-2004-0112", "CVE-2005-2510", "CVE-2005-1174", "CVE-2004-0942", "CVE-2005-2513", "CVE-2005-0709", "CVE-2004-1084", "CVE-2004-0079", "CVE-2005-2507", "CVE-2005-2522", "CVE-2005-2515", "CVE-2005-2745", "CVE-2005-2508", "CVE-2005-2503", "CVE-2005-2521", "CVE-2005-2095", "CVE-2005-1344", "CVE-2005-2096", "CVE-2005-0710", "CVE-2005-2516", "CVE-2005-1175", "CVE-2005-1769", "CVE-2005-2511", "CVE-2004-1189", "CVE-2004-1083", "CVE-2005-2512", "CVE-2005-2525", "CVE-2005-2505", "CVE-2005-2517", "CVE-2005-2518", "CVE-2005-2501"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x"], "id": "MACOSX_SECUPD2005-007.NASL", "href": "https://www.tenable.com/plugins/nessus/19463", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif ( ! 
defined_func(\"bn_random\") ) exit(0);\nif (NASL_LEVEL < 3004) exit(0);\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(19463);\n script_version (\"1.15\");\n script_cvs_date(\"Date: 2018/07/14 1:59:35\");\n\n script_cve_id(\"CVE-2005-1344\", \"CVE-2004-0942\", \"CVE-2004-0885\", \"CVE-2004-1083\", \"CVE-2004-1084\",\n \"CVE-2005-2501\", \"CVE-2005-2502\", \"CVE-2005-2503\", \"CVE-2005-2504\", \"CVE-2005-2505\",\n \"CVE-2005-2506\", \"CVE-2005-2525\", \"CVE-2005-2526\", \"CVE-2005-2507\", \"CVE-2005-2508\",\n \"CVE-2005-2519\", \"CVE-2005-2513\", \"CVE-2004-1189\", \"CVE-2005-1174\", \"CVE-2005-1175\",\n \"CVE-2005-1689\", \"CVE-2005-2511\", \"CVE-2005-2509\", \"CVE-2005-2512\", \"CVE-2005-2745\",\n \"CVE-2005-0709\", \"CVE-2005-0710\", \"CVE-2005-0711\", \"CVE-2004-0079\", \"CVE-2004-0112\",\n \"CVE-2005-2514\", \"CVE-2005-2515\", \"CVE-2005-2516\", \"CVE-2005-2517\", \"CVE-2005-2524\",\n \"CVE-2005-2520\", \"CVE-2005-2518\", \"CVE-2005-2510\", \"CVE-2005-1769\", \"CVE-2005-2095\",\n \"CVE-2005-2521\", \"CVE-2005-2522\", \"CVE-2005-2523\", \"CVE-2005-0605\", \"CVE-2005-2096\",\n \"CVE-2005-1849\");\n script_bugtraq_id(14567, 14569);\n\n script_name(english:\"Mac OS X Multiple Vulnerabilities (Security Update 2005-007)\");\n script_summary(english:\"Check for Security Update 2005-007\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a Mac OS X update that fixes various\nsecurity issues.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Mac OS X 10.4 or 10.3 that\ndoes not have Security Update 2005-007 applied.\n\nThis security update contains fixes for the following products :\n\n - Apache 2\n - AppKit\n - Bluetooth\n - CoreFoundation\n - CUPS\n - Directory Services\n - HItoolbox\n - Kerberos\n - loginwindow\n - Mail\n - MySQL\n - OpenSSL\n - QuartzComposerScreenSaver\n - ping\n - Safari\n - SecurityInterface\n - servermgrd\n - servermgr_ipfilter\n - 
SquirelMail\n - traceroute\n - WebKit\n - WebLog Server\n - X11\n - zlib\" );\n # http://web.archive.org/web/20060406190355/http://docs.info.apple.com/article.html?artnum=302163\n script_set_attribute(\n attribute:\"see_also\", \n value:\"http://www.nessus.org/u?74ffa359\"\n );\n script_set_attribute(attribute:\"solution\", value:\n\"!Install Security Update 2005-007.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/08/18\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/08/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2005/08/12\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"MacOS X Local Security Checks\");\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/MacOSX/packages\");\n exit(0);\n}\n\n#\n\npackages = get_kb_item(\"Host/MacOSX/packages\");\nif ( ! packages ) exit(0);\n\n\nuname = get_kb_item(\"Host/uname\");\n# MacOS X 10.4.2\nif ( egrep(pattern:\"Darwin.* (7\\.[0-9]\\.|8\\.2\\.)\", string:uname) )\n{\n if (!egrep(pattern:\"^SecUpd(Srvr)?2005-007\", string:packages)) security_hole(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}