CVE-2006-0395
Published 2006-08-05
Priority: P3 (39), medium, CVSS 2.0 base score 5.1
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 54.00% (98.9th percentile)
The Download Validation in Mail in Mac OS X 10.4 does not properly recognize attachment file types to warn a user of an unsafe type, which allows user-assisted remote attackers to execute arbitrary code via crafted file types.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | — | — |
| apple | mac_os_x | — | — |
| apple | mac_os_x_server | — | — |
Detection & IOCs
bytes:
AAUWBwACAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAJAAAAPgAAAAoAAAADAAAASAAAAAkAAAACAAAA
- Exploit delivers a crafted multipart/appledouble MIME email where the second part is an executable disguised as image/jpeg with x-unix-mode=0755, causing Mail.app to execute it as code instead of displaying it as an image.
- The malicious email uses a multipart/appledouble Content-Type with an inline Content-Disposition to smuggle an AppleDouble resource fork alongside an executable payload disguised as a .jpg attachment.
- The AppleDouble resource fork blob contains a hardcoded reference to /Applications/Utilities/Terminal.app (base64-encoded as 'L0FwcGxpY2F0aW9ucy9VdGlsaXRpZXMvVGVybWluYWwuYXBw'), which can be used as a byte-level signature in email content.
- The exploit targets Mac OS X 10.5.0 Mail.app; the flaw was patched in 10.4 in March 2007 but reintroduced in 10.5, so detection should focus on unpatched 10.5.0 systems receiving multipart/appledouble emails with executable MIME parts.
- Attachment file extension is .jpg (randomly named 5 alpha chars + .jpg) but the MIME body contains a Mach-O binary or shell command payload; detect mismatch between image/jpeg MIME type and non-JPEG binary content in email attachments.
- The exploit is passive (server-side); it requires the victim to open the malicious email attachment in Mail.app. No active network connection is initiated by the attacker to trigger execution.
- Payload connection type is restricted to '-bind -find' (no reverse shells by default), meaning post-exploitation traffic will originate from the victim host outbound or use a bind listener.
- The resource fork blob contains a hardcoded placeholder filename 'Heise.jpg' that is substituted at runtime with a random 5-character alpha name; static signatures on 'Heise.jpg' in the blob will only catch unmodified/unpatched Metasploit modules.
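A detection sketch for the MIME mismatch described in the bullets above, added here as an example (it is not code from the page's sources or from the Metasploit module). The function names and the sample message are constructed, and the sample bodies are inert placeholders.

```python
import email
from email import policy

JPEG_MAGIC = b"\xff\xd8\xff"

def exec_bit_set(mode):
    # True if an x-unix-mode value such as "0755" carries any execute bit.
    try:
        return bool(int(mode, 8) & 0o111)
    except (TypeError, ValueError):
        return False

def appledouble_findings(raw):
    # Flag image/jpeg parts of multipart/appledouble that are executable or not JPEG.
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for container in msg.walk():
        if container.get_content_type() != "multipart/appledouble":
            continue
        for part in container.iter_parts():
            if part.get_content_type() != "image/jpeg":
                continue
            mode = part.get_param("x-unix-mode")
            body = part.get_payload(decode=True) or b""
            reasons = []
            if exec_bit_set(mode):
                reasons.append("x-unix-mode=%s" % mode)
            if not body.startswith(JPEG_MAGIC):
                reasons.append("content is not JPEG")
            if reasons:
                findings.append((part.get_filename(), reasons))
    return findings

# Constructed sample: MIME layout from the bullets above, inert placeholder bodies.
SUSPECT = b"""\
MIME-Version: 1.0
Content-Type: multipart/appledouble; boundary="b1"

--b1
Content-Type: application/applefile; name="abcde.jpg"

placeholder for the AppleDouble header part
--b1
Content-Type: image/jpeg; x-unix-mode=0755; name="abcde.jpg"
Content-Disposition: inline; filename="abcde.jpg"

placeholder text, not image data
--b1--
"""
print(appledouble_findings(SUSPECT))
```

Either condition alone is reported, so a message that drops the x-unix-mode parameter but still carries non-JPEG bytes under image/jpeg is flagged as well.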
GHSA
GHSA-hg2w-rj9x-ph62: The Download Validation in Mail in Mac OS X 10
ghsa_unreviewed·2022-05-01
CVE-2006-0395 [MEDIUM] GHSA-hg2w-rj9x-ph62: The Download Validation in Mail in Mac OS X 10
The Download Validation in Mail in Mac OS X 10.4 does not properly recognize attachment file types to warn a user of an unsafe type, which allows user-assisted remote attackers to execute arbitrary code via crafted file types.
GHSA
GHSA-9gxh-58f6-h4hh: Mail in Apple Mac OS X Leopard (10
ghsa_unreviewed·2022-05-01·CVSS 5.1
CVE-2007-6165 [MEDIUM] CWE-20 GHSA-9gxh-58f6-h4hh: Mail in Apple Mac OS X Leopard (10
Mail in Apple Mac OS X Leopard (10.5.1) allows user-assisted remote attackers to execute arbitrary code via an AppleDouble attachment containing an apparently-safe file type and script in a resource fork, which does not warn the user that a separate program is going to be executed. NOTE: this is a regression error related to CVE-2006-0395.
No detection rules found.
Exploit-DB
Apple Mail.app - Image Attachment Command Execution (Metasploit)
exploitdb·2011-03-05
CVE-2007-6165 Apple Mail.app - Image Attachment Command Execution (Metasploit)
---
```ruby
##
# $Id: mailapp_image_exec.rb 10397 2010-09-20 15:59:46Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	def initialize(info = {})
		super(update_info(info,
			'Name' => 'Mail.app Image Attachment Command Execution',
			'Description' => %q{
				This module exploits a command execution vulnerability in the
				Mail.app application shipped with Mac OS X 10.5.0. This flaw was
				patched in 10.4 in March of 2007, but reintroduced into the final
				release of 10.5.
			},
			'License' => MSF_LICENSE,
			'Author' => ['hdm', 'kf'],
			'Version' => '$Revision: 1039
```
Exploit-DB
Apple Mac OSX 10.5.x - Mail Arbitrary Code Execution
exploitdb·2007-11-20·CVSS 7.5
CVE-2007-6165 [HIGH] Apple Mac OSX 10.5.x - Mail Arbitrary Code Execution
---
source: https://www.securityfocus.com/bid/26510/info
Apple Mac OS X is prone to a vulnerability that can allow arbitrary code to run. This issue affects the Mail application when handling email attachments.
Attackers can exploit this issue to execute arbitrary code in the context of the user running the application. This will compromise the application and possibly the underlying operating system.
This issue affects Mac OS X 10.5.
NOTE: This vulnerability may be related to CVE-2007-0395 documented in BID 16907 (Apple Mac OS X Security Update 2006-001 Multiple Vulnerabilities). Although the issues seem similar in nature, this may not be the very same underlying vulnerability. We will update this BID as more information emerges.
Exploit-DB
Apple Mail.App 10.5.0 (OSX) - Image Attachment Command Execution (Metasploit)
exploitdb·2006-03-01
CVE-2006-0395 Apple Mail.App 10.5.0 (OSX) - Image Attachment Command Execution (Metasploit)
---
```ruby
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	def initialize(info = {})
		super(update_info(info,
			'Name' => 'Mail.app Image Attachment Command Execution',
			'Description' => %q{
				This module exploits a command execution vulnerability in the
				Mail.app application shipped with Mac OS X 10.5.0. This flaw was
				patched in 10.4 in March of 2007, but reintroduced into the final
				release of 10.5.
			},
			'License' => MSF_LICENSE,
			'Author' => ['hdm', 'kf'],
			'Version' => '$Revision$',
			'References' =>
				[
					['CVE', '2006-0395'],
					['CV
```
Metasploit
Mail.app Image Attachment Command Execution
metasploit
This module exploits a command execution vulnerability in the Mail.app application shipped with Mac OS X 10.5.0. This flaw was patched in 10.4 in March of 2007, but reintroduced into the final release of 10.5.
No writeups or analysis indexed.
- http://docs.info.apple.com/article.html?artnum=303382
- http://lists.apple.com/archives/client-management/2006/Mar/msg00030.html
- http://secunia.com/advisories/19064
- http://www.osvdb.org/23645
- http://www.securityfocus.com/bid/16907
- http://www.us-cert.gov/cas/techalerts/TA06-062A.html
- http://www.vupen.com/english/advisories/2006/0791
- https://exchange.xforce.ibmcloud.com/vulnerabilities/25027