
CERT Coordination Center

Sendmail vulnerable to buffer overflow when DNS map is specified using TXT records

Vulnerability Note VU#814627

Original Release Date: 2002-06-28 | Last Revised: 2004-12-20

Overview

A remotely exploitable buffer overflow exists in Sendmail, versions 8.12.0 through 8.12.4. This vulnerability only exhibits itself if you have modified the configuration file to look up TXT records in DNS.

Description

The buffer overflow occurs in the portion of code that processes responses from DNS servers. Please note that the Sendmail Consortium has indicated that this vulnerability is not present in the standard Sendmail distribution, because the option that can trigger the exposure is not enabled by default. For more details, please see the Sendmail announcement.

Impact

A remote attacker may be able to execute arbitrary code with the privileges of the Sendmail daemon, typically root. Note that there is no known exploit for this vulnerability.

Solution

Upgrade to Sendmail 8.12.5 or apply the appropriate vendor-supplied patch.
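The note ties exposure to two conditions: a Sendmail version in the 8.12.0 through 8.12.4 range, and a configuration that looks up TXT records through a DNS map. The following Python script is an added triage example (not part of the CERT note or of Sendmail) that checks both conditions from a version banner and a sendmail.cf text. It assumes the banner contains a "Version X.Y.Z" string as printed by `sendmail -d0.1`, and that a DNS map is declared in sendmail.cf as a `K<name> dns ...` line whose record type is selected with `-R TXT` (assumed map syntax); the sample banner and configuration fragment are constructed for the demonstration.

```python
import re
from typing import List, Optional, Tuple

# Version range from the note: 8.12.0 through 8.12.4 affected, 8.12.5 fixed.
FIRST_AFFECTED = (8, 12, 0)
FIRST_FIXED = (8, 12, 5)

# "Version 8.12.4" as printed in the sendmail -d0.1 banner (assumed format).
VERSION_RE = re.compile(r"\bVersion\s+(\d+)\.(\d+)\.(\d+)")
# Map declaration line: K<name> <class> [flags...]; only the dns class matters.
MAP_RE = re.compile(r"^K(\S+)\s+dns\b(.*)$")
# "-R TXT" / "-RTXT": record type flag of the dns map class (assumed syntax).
TXT_RE = re.compile(r"-R\s*TXT\b", re.IGNORECASE)

# Constructed sample inputs for the demonstration.
SAMPLE_BANNER = "Version 8.12.4\n Compiled with: DNSMAP MAP_REGEX NAMED_BIND\n"
SAMPLE_CF = """# constructed sendmail.cf fragment
Kmydns dns -R TXT -T<TMP>
Kother dns -R A
Kaccess hash -T<TMP> /etc/mail/access
"""


def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from the version banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_in_affected_range(ver: Tuple[int, int, int]) -> bool:
    """True for 8.12.0 <= ver < 8.12.5, the range named in the note."""
    return FIRST_AFFECTED <= ver < FIRST_FIXED


def txt_dns_maps(cf_text: str) -> List[str]:
    """Return the names of dns maps in sendmail.cf configured for TXT lookups."""
    names = []
    for line in cf_text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        m = MAP_RE.match(line)
        if m and TXT_RE.search(m.group(2)):
            names.append(m.group(1))
    return names


def assess(banner: str, cf_text: str) -> Tuple[bool, str]:
    """Combine both conditions; True only when version and config both match."""
    ver = parse_version(banner)
    if ver is None:
        return (False, "could not determine Sendmail version from banner")
    if not version_in_affected_range(ver):
        return (False, "version %d.%d.%d is outside the affected range" % ver)
    maps = txt_dns_maps(cf_text)
    if not maps:
        return (False, "affected version, but no dns map queries TXT records")
    return (True, "affected version with TXT dns map(s): " + ", ".join(maps))


if __name__ == "__main__":
    exposed, reason = assess(SAMPLE_BANNER, SAMPLE_CF)
    print("exposed" if exposed else "not exposed", "-", reason)
```

On a real host the banner comes from `sendmail -d0.1 < /dev/null` and the configuration from /etc/mail/sendmail.cf; the script deliberately treats "version in range but no TXT map" as not exposed, mirroring the note's statement that the default configuration does not trigger the overflow, but upgrading to 8.12.5 remains the fix.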

Vendor Information


Apple Computer Inc. Affected

Updated:  December 20, 2004

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

APPLE-SA-2003-02-25 Mac OS X 10.2.4 Server

Mac OS X 10.2.4 Server Software Update is now available. It contains fixes for the following potential security issues:

* QuickTime Streaming Server: Fixes CAN-2003-0050 QTSS Arbitrary command execution. The QuickTime Streaming Administration Server relies on the parse_xml.cgi application to authenticate and interface with the user. This CGI can pass unvalidated input which could allow a remote attacker to execute arbitrary code on the server and to gain root privileges. Credit to Dave G. from @stake, Inc. for finding this vulnerability.

* QuickTime Streaming Server: Fixes CAN-2003-0051 QTSS Physical path revelation. The QuickTime Streaming Administration Server relies on the parse_xml.cgi application to authenticate and interface with the user. This CGI could be used to reveal the physical path upon which the Darwin/Quicktime Administration Servers are installed within. Credit to @stake, Inc. for finding this vulnerability.

* QuickTime Streaming Server: Fixes CAN-2003-0052 QTSS Directory listings. The QuickTime Streaming Administration Server relies on the parse_xml.cgi application to authenticate and interface with the user. This CGI could be used to reveal arbitrary directory listings due to the lack of user input validation within the application. Credit to Ollie Whitehouse from @stake, Inc. for finding this vulnerability.

* QuickTime Streaming Server: Fixes CAN-2003-0053 QTSS Login credentials. The QuickTime Streaming Administration Server relies on the parse_xml.cgi application to authenticate and interface with the user. A vulnerability in the handling of error messages from this CGI could be used in a cross-site scripting attack to gain valid login credentials. Credit to Ollie Whitehouse from @stake, Inc. for finding this vulnerability.

* QuickTime Streaming Server: Fixes CAN-2003-0054 Arbitrary command execution when viewing QTSS logs. If an unauthenticated user of QuickTime Streaming Server makes a request to the streaming port, the request is then written to the log file. It is possible to craft the request such that arbitrary code can be executed when the logs are viewed by the system administrator via a browser. Credit to Ollie Whitehouse from @stake, Inc. for finding this vulnerability.

* QuickTime Streaming Server: Fixes CAN-2003-0055 Buffer overflow in MP3 Broadcasting application. There is a buffer overflow in the stand-alone MP3Broadcaster application. An MP3 file which has a filename of over 256 bytes will cause a buffer overflow to occur. This could be used by local/ftp users to obtain elevated privileges. Credit to Ollie Whitehouse from @stake, Inc. for finding this vulnerability.

* Sendmail: Fixes CAN-2002-0906 Buffer overflow in Sendmail before 8.12.5, when configured to use a custom DNS map to query TXT records, could permit a denial of service attack and possibly allow execution of arbitrary code. Mac OS X 10.2.4 contains Sendmail 8.12.6 with the SMRSH fix applied to also address CAN-2002-1165.

* AFP: Fixes CAN-2003-0049 "AFP login permissions for the system administrator". Provides an option whereby a system administrator may or may not be allowed to log in as a user, authenticating via their admin password. Previously, administrators could always log in as a user, authenticating via their own admin password.

* Classic: Fixes CAN-2003-0088, where an attacker may change an environment variable to create arbitrary files or overwrite existing files, which could lead to obtaining elevated privileges. Credit to Dave G. from @stake, Inc. for discovering this issue.

* Samba: Previous releases of Mac OS X are not vulnerable to CAN-2002-1318, an issue in Samba's length checking for encrypted password changes. Mac OS X currently uses Directory Services for authentication, and does not call the vulnerable Samba function. However, to prevent a potential future exploit via this function, the patch from Samba 2.2.7 was applied although the version of Samba was not changed for this update release. Further information is available from:
http://samba.org/samba/whatsnew/samba-2.2.7.html

* Integrated WebDAV Digest Authentication: The mod_digest_apple Apache module has been added to more easily enable digest authentication for an existing WebDAV realm. This eliminates the need to maintain a separate digest file containing the list of authorized users, passwords, and realms. mod_digest_apple works in coordination with Open Directory for user authentication. For further details, open the Help Viewer after installing Mac OS X Server version 10.2.4, select Mac OS X Server Help in the drawer, and search for "New: Enabling Integrated WebDAV Digest Authentication."

Mac OS X 10.2.4 Server Software Update may be obtained from:

   * Software Update pane in System Preferences

   - OR -

   * Apple's Software Downloads web site:

     Updating from Mac OS X Server 10.2.3:
       http://www.info.apple.com/kbnum/n70171
     The download file is named: "MacOSXServerUpdate10.2.4.dmg"
     Its SHA-1 digest is: 65d6411dbe5855e894c5406ac35228f568240f26

     Updating from Mac OS X Server 10.2, 10.2.1, or 10.2.2:
       http://www.info.apple.com/kbnum/n70172
     The download file is named: "MacOSXSrvrUpdCombo10.2.4.dmg"
     Its SHA-1 digest is: 41e441d737165ed0ed5166691dc39caba5e1dbce

Information is also posted to the Apple Support web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key, and details are available at:
http://www.apple.com/support/security/security_pgp.html
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3

iQEVAwUBPlurUCFlYNdE6F9oAQGy0AgAlUiHPrjpL+GLCn7LKAYyKQLZkog6bK2O
IIvTVhx8UYycQT6a6ykglJqnNu2bDfil67IkvaaQJXlUgNP/S6KRYK3vgZWMO3f4
318RaUlfXES9eQZLS1HI5yIkJvvoeUko9or9+0rr7L8xoOfDDUTukAAKZqIPme8d
XQ/tAWzVNUd/qGxXfAzj6fExWPt/dMm98aSNf0ZeCH4cpqs6EjgR9wYONjtXBWUO
7rKY7/bhKVNIFfmtJxsfNv715yEAg0bi5Z/fIAth5Up8Z2OoQbM3fGtap05KTEEz
u3b1KLoQeLyRwTGgT4aoMAAbn/9gNw32kDA35rB/JWvDC39EezlqpQ==
=Tp5B
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sendmail Affected

Updated:  June 28, 2002

Status

Affected

Vendor Statement

Please see http://www.sendmail.org/8.12.5.html.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc. Affected

Updated:  December 20, 2004

Status

Affected

Vendor Statement

Please see <http://sunsolve.sun.com/search/document.do?assetkey=1-26-57696-1> for Solaris 9 resolution, <http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-21-113575-01-1> for other Sun OS versions.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Acknowledgements

The CERT/CC thanks Eric Allman and Gregory Shapiro for helping us construct this document.

This document was written by Ian A Finlay and Jeffrey Havrilla.

Other Information

CVE IDs: CVE-2002-0906
Severity Metric: 28.35
Date Public: 2002-06-25
Date First Published: 2002-06-28
Date Last Updated: 2004-12-20 16:24 UTC
Document Revision: 33

Sponsored by CISA.