cbcvebase.
CVE-2006-0395
published 2006-08-05


Priority: P3 · 39 · medium · 5.1 (CVSS 2.0)
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 54.00% (98.9th percentile)
The Download Validation in Mail in Mac OS X 10.4 does not properly recognize attachment file types to warn a user of an unsafe type, which allows user-assisted remote attackers to execute arbitrary code via crafted file types.

Affected

3 ranges
Vendor | Product | Version range | Fixed in
apple | mac_os_x | |
apple | mac_os_x | |
apple | mac_os_x_server | |

Detection & IOCs (extracted from sources)

other: multipart/appledouble
other: application/applefile
other: image/jpeg; x-mac-type=0; x-unix-mode=0755; x-mac-creator=0
path: /Applications/Utilities/Terminal.app
filename: Heise.jpg
bytes:
AAUWBwACAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAJAAAAPgAAAAoAAAADAAAASAAAAAkAAAACAAAA
  • Exploit delivers a crafted multipart/appledouble MIME email where the second part is an executable disguised as image/jpeg with x-unix-mode=0755, causing Mail.app to execute it as code instead of displaying it as an image.
  • The malicious email uses a multipart/appledouble Content-Type with an inline Content-Disposition to smuggle an AppleDouble resource fork alongside an executable payload disguised as a .jpg attachment.
  • The AppleDouble resource fork blob contains a hardcoded reference to /Applications/Utilities/Terminal.app (base64-encoded as 'L0FwcGxpY2F0aW9ucy9VdGlsaXRpZXMvVGVybWluYWwuYXBw'), which can be used as a byte-level signature in email content.
  • The exploit targets Mac OS X 10.5.0 Mail.app; the flaw was patched in 10.4 in March 2007 but reintroduced in 10.5, so detection should focus on unpatched 10.5.0 systems receiving multipart/appledouble emails with executable MIME parts.
  • Attachment file extension is .jpg (randomly named 5 alpha chars + .jpg) but the MIME body contains a Mach-O binary or shell command payload; detect mismatch between image/jpeg MIME type and non-JPEG binary content in email attachments.
  • The exploit is passive (server-side); it requires the victim to open the malicious email attachment in Mail.app, and no active network connection is initiated by the attacker to trigger execution.
  • Payload connection type is restricted to '-bind -find' (no reverse shells by default), meaning post-exploitation traffic will originate from the victim host outbound or use a bind listener.
  • The resource fork blob contains a hardcoded placeholder filename 'Heise.jpg' that is substituted at runtime with a random 5-character alpha name; static signatures on 'Heise.jpg' in the blob will only catch unmodified/unpatched Metasploit modules.
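
One way to apply the checks listed above to inbound mail at a gateway or in a mailbox sweep, as an added example that is not part of the original page. The function names and the test message are constructed here, and the test message carries inert placeholder bytes, not a valid AppleDouble fork.

```python
import email
from email import policy
from email.mime.application import MIMEApplication
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart

JPEG_MAGIC = b"\xff\xd8\xff"                       # start of every JPEG stream
TERMINAL_PATH = b"/Applications/Utilities/Terminal.app"  # path IOC from the page

def has_exec_bit(mode) -> bool:
    """True if an x-unix-mode value (octal string) sets any execute bit."""
    try:
        return bool(int(mode, 8) & 0o111)
    except (TypeError, ValueError):
        return False

def inspect_message(raw: bytes) -> list[str]:
    """Return findings for every multipart/appledouble container in one message."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for container in msg.walk():
        if container.get_content_type() != "multipart/appledouble":
            continue
        findings.append("multipart/appledouble container present")
        for part in container.iter_parts():
            ctype = part.get_content_type()
            # decode=True undoes base64, so the path match works on decoded bytes
            body = part.get_payload(decode=True) or b""
            if ctype == "application/applefile" and TERMINAL_PATH in body:
                findings.append("applefile part references Terminal.app")
            if ctype == "image/jpeg":
                if not body.startswith(JPEG_MAGIC):
                    findings.append("image/jpeg part is not JPEG data")
                if has_exec_bit(part.get_param("x-unix-mode")):
                    findings.append("image/jpeg part carries executable x-unix-mode")
    return findings

def constructed_sample() -> bytes:
    """Constructed, inert test message shaped like the MIME layout described above."""
    outer = MIMEMultipart("appledouble")
    outer.attach(MIMEApplication(b"constructed placeholder " + TERMINAL_PATH, "applefile"))
    outer.attach(MIMEImage(b"constructed non-JPEG placeholder", "jpeg",
                           **{"x-unix-mode": "0755"}))
    return outer.as_bytes()

if __name__ == "__main__":
    for finding in inspect_message(constructed_sample()):
        print(finding)
```

Matching on decoded part bodies rather than the raw base64 text avoids missing the Terminal.app path when its base64 alignment shifts.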