-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                  ESB-2003.0127 -- Apple Security Advisory
                APPLE-SA-2003-02-25 Mac OS X 10.2.4 Server
                              27 February 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                QuickTime Streaming Server
                        Sendmail
                        AFP
                        Classic
                        Samba
                        Integrated WebDAV Digest Authentication
Vendor:                 Apple
Operating System:       Mac OS X
Impact:                 Root Compromise
                        Execute Arbitrary Code/Commands
                        Denial of Service
                        Provide Misleading Information
                        Read-only Data Access
Access Required:        Remote

Ref:                    ESB-2003.0122

Comment: CVE Id: CAN-2003-0050, CAN-2003-0052, CAN-2003-0053, CAN-2003-0054,
         CAN-2003-0055, CAN-2002-0906, CAN-2003-0049, CAN-2003-0088

         Apple's PGP signature was bad; however, AusCERT have verified the
         contents of the message.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

APPLE-SA-2003-02-25 Mac OS X 10.2.4 Server

Mac OS X 10.2.4 Server Software Update is now available. It contains
fixes for the following potential security issues:

* QuickTime Streaming Server: Fixes CAN-2003-0050 QTSS Arbitrary command
  execution. The QuickTime Streaming Administration Server relies on the
  parse_xml.cgi application to authenticate and interface with the user.
  This CGI can pass unvalidated input which could allow a remote attacker
  to execute arbitrary code on the server and to gain root privileges.
  Credit to Dave G. from @stake, Inc. for finding this vulnerability.

* QuickTime Streaming Server: Fixes CAN-2003-0051 QTSS Physical path
  revelation. The QuickTime Streaming Administration Server relies on the
  parse_xml.cgi application to authenticate and interface with the user.
  This CGI could be used to reveal the physical path upon which the
  Darwin/Quicktime Administration Servers are installed within.
  Credit to @stake, Inc. for finding this vulnerability.

* QuickTime Streaming Server: Fixes CAN-2003-0052 QTSS Directory listings.
  The QuickTime Streaming Administration Server relies on the
  parse_xml.cgi application to authenticate and interface with the user.
  This CGI could be used to reveal arbitrary directory listings due to
  the lack of user input validation within the application.
  Credit to Ollie Whitehouse from @stake, Inc. for finding this
  vulnerability.

* QuickTime Streaming Server: Fixes CAN-2003-0053 QTSS Login credentials.
  The QuickTime Streaming Administration Server relies on the
  parse_xml.cgi application to authenticate and interface with the user.
  A vulnerability in the handling of error messages from this CGI could
  be used in a cross-site scripting attack to gain valid login
  credentials.
  Credit to Ollie Whitehouse from @stake, Inc. for finding this
  vulnerability.

* QuickTime Streaming Server: Fixes CAN-2003-0054 Arbitrary command
  execution when viewing QTSS logs. If an unauthenticated user of
  QuickTime Streaming Server makes a request to the streaming port, the
  request is then written to the log file. It is possible to craft the
  request such that arbitrary code can be executed when the logs are
  viewed by the system administrator via a browser.
  Credit to Ollie Whitehouse from @stake, Inc. for finding this
  vulnerability.

* QuickTime Streaming Server: Fixes CAN-2003-0055 Buffer overflow in MP3
  Broadcasting application. There is a buffer overflow in the stand-alone
  MP3Broadcaster application. An MP3 file which has a filename of over
  256 bytes will cause a buffer overflow to occur. This could be used by
  local/ftp users to obtain elevated privileges.
  Credit to Ollie Whitehouse from @stake, Inc. for finding this
  vulnerability.

* Sendmail: Fixes CAN-2002-0906 Buffer overflow in Sendmail before
  8.12.5, when configured to use a custom DNS map to query TXT records,
  could permit a denial of service attack and possibly allow execution of
  arbitrary code.
  Mac OS X 10.2.4 contains Sendmail 8.12.6 with the SMRSH fix applied to
  also address CAN-2002-1165.

* AFP: Fixes CAN-2003-0049 "AFP login permissions for the system
  administrator". Provides an option whereby a system administrator may
  or may not be allowed to log in as a user, authenticating via their
  admin password. Previously, administrators could always log in as a
  user, authenticating via their own admin password.

* Classic: Fixes CAN-2003-0088, where an attacker may change an
  environment variable to create arbitrary files or overwrite existing
  files, which could lead to obtaining elevated privileges.
  Credit to Dave G. from @stake, Inc. for discovering this issue.

* Samba: Previous releases of Mac OS X are not vulnerable to
  CAN-2002-1318, an issue in Samba's length checking for encrypted
  password changes. Mac OS X currently uses Directory Services for
  authentication, and does not call the vulnerable Samba function.
  However, to prevent a potential future exploit via this function, the
  patch from Samba 2.2.7 was applied although the version of Samba was
  not changed for this update release. Further information is available
  from: http://samba.org/samba/whatsnew/samba-2.2.7.html

* Integrated WebDAV Digest Authentication: The mod_digest_apple Apache
  module has been added to more easily enable digest authentication for
  an existing WebDAV realm. This eliminates the need to maintain a
  separate digest file containing the list of authorized users,
  passwords, and realms. mod_digest_apple works in coordination with
  Open Directory for user authentication. For further details, open the
  Help Viewer after installing Mac OS X Server version 10.2.4, select
  Mac OS X Server Help in the drawer, and search for "New: Enabling
  Integrated WebDAV Digest Authentication."
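The CAN-2003-0054 item above describes a log file that becomes dangerous only when an administrator views it in a browser: the request line from an unauthenticated client is stored verbatim and later rendered as HTML. The following Python is an added example, not Apple's or QTSS's code, showing that defect beside its fix in a minimal log viewer. The log layout, the regex and the two sample lines are constructed for illustration and are not QTSS's actual log format.

```python
import html
import re

# Constructed sample log lines in a common access-log shape (not taken from
# QTSS or from the advisory). The second line carries markup in the request
# field, the kind of content any unauthenticated client can cause to be logged.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Feb/2003:10:00:00 +0000] '
    '"DESCRIBE rtsp://example.test/sample.mov RTSP/1.0" 200',
    '192.0.2.11 - - [25/Feb/2003:10:00:01 +0000] '
    '"<b>not a real request</b> RTSP/1.0" 400',
]

# ip ident user [timestamp] "request" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})$'
)

FIELDS = ("ip", "when", "request", "status")


def parse_line(line):
    """Split one log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def render_row_unsafe(entry):
    # The defect: logged fields are interpolated straight into HTML, so whatever
    # the client sent in the request line reaches the administrator's browser
    # as markup and is interpreted, not displayed.
    return "<tr>" + "".join("<td>%s</td>" % entry[k] for k in FIELDS) + "</tr>"


def render_row_safe(entry):
    # The fix: every field is HTML-escaped before it is placed in the page
    # (quote=True also escapes " and ' for use inside attributes), so logged
    # text is shown as text regardless of what it contains.
    return "<tr>" + "".join(
        "<td>%s</td>" % html.escape(entry[k], quote=True) for k in FIELDS
    ) + "</tr>"


def render_table(lines, safe=True):
    """Render log lines as an HTML table; safe=False reproduces the flawed viewer."""
    rows = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            # Unparseable lines are just as untrusted: show them escaped, never raw.
            rows.append('<tr><td colspan="4">%s</td></tr>' % html.escape(line, quote=True))
            continue
        rows.append(render_row_safe(entry) if safe else render_row_unsafe(entry))
    return "<table>\n" + "\n".join(rows) + "\n</table>"


if __name__ == "__main__":
    print(render_table(SAMPLE_LOG, safe=False))
    print(render_table(SAMPLE_LOG, safe=True))
```

Escaping at render time is the right layer for this fix: the log file should keep the raw request so that what the client actually sent is preserved as evidence, and the viewer is the component that decides how bytes are presented. Output encoding on every field, including ones that look harmless such as the timestamp, is what keeps an unauthenticated request from turning into code in an administrator's browser.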
Mac OS X 10.2.4 Server Software Update may be obtained from:

* Software Update pane in System Preferences

- OR -

* Apple's Software Downloads web site:

  Updating from Mac OS X Server 10.2.3:
  http://www.info.apple.com/kbnum/n70171

  The download file is named: "MacOSXServerUpdate10.2.4.dmg"
  Its SHA-1 digest is: 65d6411dbe5855e894c5406ac35228f568240f26

  Updating from Mac OS X Server 10.2, 10.2.1, or 10.2.2:
  http://www.info.apple.com/kbnum/n70172

  The download file is named: "MacOSXSrvrUpdCombo10.2.4.dmg"
  Its SHA-1 digest is: 41e441d737165ed0ed5166691dc39caba5e1dbce

Information is also posted to the Apple Support web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html

- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3

iQEVAwUBPlurUCFlYNdE6F9oAQGy0AgAlUiHPrjpL+GLCn7LKAYyKQLZkog6bK2O
IIvTVhx8UYycQT6a6ykglJqnNu2bDfil67IkvaaQJXlUgNP/S6KRYK3vgZWMO3f4
318RaUlfXES9eQZLS1HI5yIkJvvoeUko9or9+0rr7L8xoOfDDUTukAAKZqIPme8d
XQ/tAWzVNUd/qGxXfAzj6fExWPt/dMm98aSNf0ZeCH4cpqs6EjgR9wYONjtXBWUO
7rKY7/bhKVNIFfmtJxsfNv715yEAg0bi5Z/fIAth5Up8Z2OoQbM3fGtap05KTEEz
u3b1KLoQeLyRwTGgT4aoMAAbn/9gNw32kDA35rB/JWvDC39EezlqpQ==
=Tp5B
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content.
The decision to use any or all of this information is the responsibility
of each user or organisation, and should be done so in accordance with
site policies and procedures.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPl4kFCh9+71yA2DNAQF6ogP+MkTUORf3IuJZcYWwPBp5rylcoVUNRdt/
+CzdDzYgTtQ6Ms7sxLxfkUhIWGCdyT6d5QIYYfNM5YgyVUh+3ttg21zcgAWBNfoF
fadt3Lgy58XsGR21uYQJxD4s8A6lISh5/XEpt96TAyY/Nh4HMRrRwtXWsPW98Cge
GqR7HOAZXU0=
=B+NO
-----END PGP SIGNATURE-----
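The download section of the Apple advisory above publishes a file name and SHA-1 digest for each update image. Checking a downloaded image against that table before installing it is the practical step the advisory implies but does not spell out; the Python below is an added example for that check, not Apple's or AusCERT's tooling. The two digests are the ones printed in the advisory; the chunked reader, the constant-time comparison and the constructed sample bytes in the usage path are assumptions of this example.

```python
import hashlib
import hmac
import io
import os
import sys

# Digests exactly as published in the Apple advisory above, keyed by the
# download file name it gives for each image.
PUBLISHED_SHA1 = {
    "MacOSXServerUpdate10.2.4.dmg": "65d6411dbe5855e894c5406ac35228f568240f26",
    "MacOSXSrvrUpdCombo10.2.4.dmg": "41e441d737165ed0ed5166691dc39caba5e1dbce",
}


def sha1_of_stream(fileobj, chunk_size=1 << 20):
    """Hash a binary file-like object in chunks so a large .dmg need not fit in memory."""
    h = hashlib.sha1()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def sha1_of_bytes(data):
    """Convenience wrapper for in-memory data (used for the constructed sample)."""
    return hashlib.sha1(data).hexdigest()


def verify_download(name, fileobj, published=PUBLISHED_SHA1):
    """True only if `name` is a listed image and its content hashes to the published digest.

    An unlisted file name is treated as a failure rather than skipped: a
    renamed or unexpected image should never pass silently.
    """
    expected = published.get(name)
    if expected is None:
        return False
    actual = sha1_of_stream(fileobj)
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(actual.lower(), expected.lower())


def verify_bytes(name, data, published=PUBLISHED_SHA1):
    """Verify in-memory content under a given file name (handy for tests and samples)."""
    return verify_download(name, io.BytesIO(data), published)


def verify_file(path, published=PUBLISHED_SHA1):
    """Verify a file on disk; the published table is looked up by its base name."""
    with open(path, "rb") as f:
        return verify_download(os.path.basename(path), f, published)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python verify.py /path/to/MacOSXServerUpdate10.2.4.dmg
        ok = verify_file(sys.argv[1])
        print("OK" if ok else "DIGEST MISMATCH OR UNKNOWN FILE")
        sys.exit(0 if ok else 1)
    # Constructed sample bytes, not a real image: they do not match the
    # published digest, so the check must report a mismatch.
    sample = b"constructed image bytes, not a real .dmg\n"
    print(verify_bytes("MacOSXServerUpdate10.2.4.dmg", sample))
```

A digest check of this kind detects a corrupted or substituted download, but only as far as the digest itself can be trusted: an attacker able to replace the image on a mirror can usually also alter an unsigned digest posted beside it, which is why the digests are carried inside a PGP-signed advisory. AusCERT's comment at the top of this bulletin that Apple's signature did not verify, and that AusCERT checked the contents by other means, is exactly the situation where the digest table still needs an independent source before it is relied on.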