CVE-2007-0197
published 2007-01-11


Priority: P432
Severity: medium, 6.8 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 8.07% (94.1th percentile)
Finder 10.4.6 on Apple Mac OS X 10.4.8 allows user-assisted remote attackers to cause a denial of service and possibly execute arbitrary code via a long volume name in a DMG disk image, which results in memory corruption.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
apple | mac_os_x | |
apple | mac_os_x | |

Detection & IOCs (extracted from sources)

path: /usr/bin/hdiutil
filename: MOAB-09-01-2007.dmg
  • A DMG disk image with a volume name of 255 randomly generated characters (maximum length) is used to trigger memory corruption in Finder 10.4.6 on Mac OS X 10.4.8.
  • The volume name length field within the DMG file is located at offset 0x9c10 and can be inspected to detect abnormally long volume names indicative of exploitation attempts.
  • Exploit crafts a UFS-formatted DMG image; monitor for hdiutil invocations creating DMG files with excessively long -volname arguments (approaching or at 255 characters).
  • Memory corruption in Finder triggered by opening a DMG with a long volume name; monitor Finder process for crashes or unexpected code execution when mounting DMG files from remote/untrusted sources.
  • This is a PoC (Proof of Concept) exploit; the DMG volume name is randomly generated each run (255 random alphanumeric characters), so there is no fixed payload string to match on; detection must focus on volume name length rather than content.
  • Vulnerability is specific to Finder 10.4.6 on Apple Mac OS X 10.4.8; other versions are not confirmed affected by this CVE.
  • Attack is user-assisted, meaning the victim must open/mount the malicious DMG file; purely network-based exploitation without user interaction is not possible.
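
The hdiutil monitoring point above, as an added example that is not part of the original page or of any vendor tooling: it scans process-execution command lines and flags hdiutil invocations whose -volname value is at or near the 255-character maximum. The 200-character alert threshold, the function names and the sample records are assumptions constructed for illustration.

```python
import os
import shlex

MAX_VOLNAME = 255      # maximum volume-name length stated on the page
ALERT_THRESHOLD = 200  # assumed cut-off for "approaching" the maximum; tune locally


def volname_of(cmdline):
    """Return the -volname value of an hdiutil command line, or None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in a logged command line
        argv = cmdline.split()
    if not argv or os.path.basename(argv[0]) != "hdiutil":
        return None
    for i, arg in enumerate(argv[1:], start=1):
        if arg == "-volname" and i + 1 < len(argv):
            return argv[i + 1]
    return None


def flag_long_volnames(cmdlines, threshold=ALERT_THRESHOLD):
    """Return (record_index, length) for hdiutil calls whose -volname meets the threshold."""
    hits = []
    for idx, line in enumerate(cmdlines):
        name = volname_of(line)
        # Match on length only: the page notes the name content is random per run.
        if name is not None and len(name) >= threshold:
            hits.append((idx, len(name)))
    return hits


# Constructed sample process-execution records (not taken from a real host).
SAMPLE_CMDLINES = [
    "/usr/bin/hdiutil create -size 10m -fs UFS -volname Backup /tmp/backup.dmg",
    "/usr/bin/hdiutil create -size 10m -fs UFS -volname " + "A" * 255 + " /tmp/test.dmg",
    "/usr/bin/hdiutil attach /tmp/backup.dmg",
    "/bin/ls -volname " + "B" * 255,  # not hdiutil, must be ignored
    "/usr/bin/hdiutil create -volname 'My Disk' /tmp/x.dmg",
]

if __name__ == "__main__":
    for idx, length in flag_long_volnames(SAMPLE_CMDLINES):
        print(f"record {idx}: hdiutil -volname length {length} (max {MAX_VOLNAME})")
```

This covers image creation on a monitored host only; an image received from elsewhere still needs the on-disk volume name length inspected before it is mounted.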