CVE-2007-0197
Published 2007-01-11
Priority: P432 · medium · 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 8.07% (94.1th percentile)
Finder 10.4.6 on Apple Mac OS X 10.4.8 allows user-assisted remote attackers to cause a denial of service and possibly execute arbitrary code via a long volume name in a DMG disk image, which results in memory corruption.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | — | — |
| apple | mac_os_x | — | — |
Detection & IOCs (extracted from sources)
- A DMG disk image with a volume name of 255 randomly generated characters (maximum length) is used to trigger memory corruption in Finder 10.4.6 on Mac OS X 10.4.8.
- The volume name length field within the DMG file is located at offset 0x9c10 and can be inspected to detect abnormally long volume names indicative of exploitation attempts.
- Exploit crafts a UFS-formatted DMG image; monitor for hdiutil invocations creating DMG files with excessively long -volname arguments (approaching or at 255 characters).
- Memory corruption in Finder triggered by opening a DMG with a long volume name; monitor Finder process for crashes or unexpected code execution when mounting DMG files from remote/untrusted sources.
- This is a PoC (Proof of Concept) exploit; the DMG volume name is randomly generated each run (255 random alphanumeric characters), so there is no fixed payload string to match on; detection must focus on volume name length rather than content.
- Vulnerability is specific to Finder 10.4.6 on Apple Mac OS X 10.4.8; other versions are not confirmed affected by this CVE.
- Attack is user-assisted, meaning the victim must open/mount the malicious DMG file; purely network-based exploitation without user interaction is not possible.
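The hdiutil monitoring described in the list above can be expressed as a length-based check over process command lines. This is an added example, not code from the PoC or from any source indexed here; the `REVIEW_AT` threshold, the function names and the sample log lines are assumptions constructed for illustration.

```python
import os
import shlex

MAX_VOLNAME = 255   # maximum volume-name length, per the page
REVIEW_AT = 200     # assumed cut-off for "approaching" the maximum; tune locally


def volname_from_cmdline(cmdline):
    """Return the -volname value of an `hdiutil create` command line, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:              # unbalanced quote, e.g. a truncated log line
        argv = cmdline.split()
    # Locate hdiutil anywhere in argv so wrappers such as sudo are handled.
    for i, arg in enumerate(argv):
        if os.path.basename(arg) == "hdiutil":
            rest = argv[i + 1:]
            break
    else:
        return None
    if not rest or rest[0] != "create":
        return None
    for j, arg in enumerate(rest[:-1]):
        if arg == "-volname":
            return rest[j + 1]
    return None


def classify(cmdline):
    """Grade by volume-name length only; the name's content is random per run."""
    name = volname_from_cmdline(cmdline)
    if name is None:
        return "ignore"
    if len(name) >= MAX_VOLNAME:
        return "alert"
    if len(name) >= REVIEW_AT:
        return "review"
    return "ok"


# Constructed process-audit lines (not taken from any real host or from the PoC).
SAMPLE_LINES = [
    "/usr/bin/hdiutil create -megabytes 5 -fs UFS -volname Backup /tmp/backup.dmg",
    "sudo hdiutil create -megabytes 5 -fs UFS -volname " + "A" * 255 + " /tmp/a.dmg",
    'hdiutil create -size 10m -volname "' + "B" * 210 + '" /tmp/b.dmg',
    "/usr/bin/hdiutil attach /tmp/backup.dmg",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line), line[:60])
```

Feed `classify` one command line per process-execution record; `review` results are worth correlating with later Finder crashes on hosts that mount the resulting image.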
No detection rules found.
No writeups or analysis indexed.
- http://docs.info.apple.com/article.html?artnum=305102
- http://lists.apple.com/archives/Security-announce/2007/Feb/msg00000.html
- http://projects.info-pull.com/moab/MOAB-09-01-2007.html
- http://secunia.com/advisories/24198
- http://www.digitalmunition.com/DMA%5B2007-0109a%5D.txt
- http://www.kb.cert.org/vuls/id/240880
- http://www.osvdb.org/32714
- http://www.securityfocus.com/archive/1/456578/100/0/threaded
- http://www.securityfocus.com/bid/21980
- http://www.securitytracker.com/id?1017662
- http://www.us-cert.gov/cas/techalerts/TA07-047A.html
- http://www.vupen.com/english/advisories/2007/0140
- https://exchange.xforce.ibmcloud.com/vulnerabilities/31410