Wednesday, January 31, 2007
MOAB-31-01-2007: Stay tuned (and farewell)
We thank everyone who has contributed, as well as those who donated to the project and sent nice feedback. We also thank the zealots, who made our day every time they blogged and commented about us. We would like to thank Apple for making this month a smooth one.
Last but not least, we will stop disclosing any further information related to OS X security (although KF might continue releasing issues). Full disclosure isn't good. Neither is feeding the security industry.
OS X remains insecure. But now there will be less 'publicity hogging' about it. Finally, you can always keep an eye on our well respected friends at Matasano, who might keep up the a-bug-per-decade campaign.
Have fun.
Tuesday, January 30, 2007
MOAB-30-01-2007: Multiple Apple Software Format String Vulnerabilities
Multiple developers of Apple-based software, including Apple's own developers, seem to misunderstand how to properly use NSBeginAlertSheet, NSBeginCriticalAlertSheet, NSBeginInformationalAlertSheet, NSGetAlertPanel, NSGetCriticalAlertPanel, NSGetInformationalAlertPanel, NSReleaseAlertPanel, NSRunAlertPanel, NSRunCriticalAlertPanel, NSRunInformationalAlertPanel, and NSLog. Apart from NSReleaseAlertPanel, each of these takes a printf-style format string; passing untrusted data (a filename, a message body) as that format argument instead of as a %@ argument hands the attacker control of the conversion directives, and hence a classic format string vulnerability.
Further information:
Labels:
format string,
iphoto,
remote
Monday, January 29, 2007
MOAB-29-01-2007: Apple iChat Bonjour Multiple Denial of Service Vulnerabilities
Apple iChat's Bonjour functionality is affected by several remotely triggerable denial of service flaws, which can be reached by advertising crafted presence services over multicast DNS (mDNS) on the local network.
Further information:
In other news, "Craig Seeman cseeman (at) optonline.net" (author of Flip4Mac reviews) contacted us:
Hi,
regarding http://projects.info-pull.com/moab/MOAB-27-01-2007.html
This is what their testing has found at this point: Flip4Mac has received reports of a QuickTime crash when playing a deliberately modified/damaged Windows Media file. There is no evidence that this has been or could be exploited to produce a security vulnerability. We have reproduced the crash and will include a fix for this in our next release.
Hmm, even Mr. Keller has kept out of this one (probably learnt that integer overflows are useful for popping shells, long after the initial DMG-related lessons). Anyway, here is a saved EIP overwrite for you:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xff806aa5
0xffff0ac7 in ___memcpy () at .../PrivateHeaders/i386/cpu_capabilities.h:228
228 in /.../PrivateHeaders/i386/cpu_capabilities.h
(gdb) i f
Stack level 0, frame at 0xbfffdc78:
eip = 0xffff0ac7 in ___memcpy (/.../PrivateHeaders/i386/cpu_capabilities.h:228); saved eip 0xdddeface
called by frame at 0xbfffdc80
source language unknown.
Arglist at 0xbfffdc70, args:
Locals at 0xbfffdc70, Previous frame's sp is 0xbfffdc74
Saved registers:
eip at 0xbfffdc70
(gdb) bt
#0 0xffff0ac7 in ___memcpy () at /.../PrivateHeaders/i386/cpu_capabilities.h:228
#1 0xdddeface in ?? ()
Sure, we could fake the output. But we seriously have better things to do, like releasing a working exploit while you keep eating peanuts. Enjoy.
Labels:
bonjour,
denial of service,
ichat,
remote
Sunday, January 28, 2007
MOAB-28-01-2007: Apple crashdump Privilege Escalation Vulnerability
crashdump follows symlinks within the /Library/Logs/CrashReporter/ directory, so a user in the admin group can plant a symlink there and have the crash log written, with elevated privileges, to a file of their choosing. This allows admin-group users to overwrite files and execute arbitrary code with elevated privileges. Combined with a specially crafted Mach-O binary that controls what ends up in the log, this can be used to write a malicious crontab entry, which will then run with root privileges.
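The fix for this class of bug is to open the log without following symlinks and then to verify what was actually opened. The following is an added C example, not Apple's crashdump code: it assumes a POSIX open(2) that honours O_NOFOLLOW (present on Mac OS X and Linux) and builds its own constructed scenario in a temporary directory, with a file named victim standing in for the crontab and evil.crash for the planted symlink; open_log_nofollow and run_symlink_demo are this example's own names.

```c
/* Opening a log file without following symlinks: the check crashdump lacked.
 * Added example (not Apple code); POSIX, tested on Linux and macOS. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` for appending without following a symlink at the final path
 * component. Returns the fd, or -1 with errno set (ELOOP when `path` is a
 * symlink). O_NOFOLLOW covers only the last component: the directory itself
 * must be trustworthy (root-owned, not world-writable) or walked with
 * openat() and O_NOFOLLOW at every level, which is left out here. */
int open_log_nofollow(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    struct stat st;
    /* Verify what we got: a regular file with a single link. A hard link is
     * the other way to alias a victim file into the log directory. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario in a fresh temporary directory:
 *   victim      - stands in for a file a privileged writer must not touch
 *   evil.crash  - a symlink to it, as an unprivileged user would plant
 *   app.crash   - a genuine log file
 * Returns 0 when the naive open follows the link, the hardened open refuses
 * it with ELOOP, and the genuine log still opens; non-zero otherwise. */
int run_symlink_demo(void)
{
    char dir[] = "/tmp/crashdemo.XXXXXX";
    char victim[256], planted[256], plain[256];
    int rc = -1, fd;
    int naive_followed = 0, refused = 0, plain_ok = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/evil.crash", dir);
    snprintf(plain, sizeof plain, "%s/app.crash", dir);

    if ((fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0)
        goto out;
    close(fd);
    if (symlink(victim, planted) != 0)
        goto out;

    /* 1. a naive open follows the link: the "log" write would land in victim */
    naive_followed = (fd = open(planted, O_WRONLY | O_APPEND)) >= 0;
    if (fd >= 0) close(fd);

    /* 2. the hardened open refuses the link */
    refused = (fd = open_log_nofollow(planted)) < 0 && errno == ELOOP;
    if (fd >= 0) close(fd);

    /* 3. a genuine log file still opens normally */
    plain_ok = (fd = open_log_nofollow(plain)) >= 0;
    if (fd >= 0) close(fd);

    rc = (naive_followed && refused && plain_ok) ? 0 : 1;
out:
    unlink(plain);
    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return rc;
}
```

The st_nlink check matters as much as O_NOFOLLOW: an attacker who cannot symlink into the directory may still hard-link a root-owned file into it, and a writer that only refuses symlinks will happily append to that.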
Labels:
privilege escalation
Saturday, January 27, 2007
MOAB-27-01-2007: Telestream Flip4Mac WMV Parsing Memory Corruption Vulnerability
Flip4Mac fails to properly validate the size field of the ASF_File_Properties_Object in WMV files. A crafted value leads to an exploitable memory corruption condition, which can be abused remotely for arbitrary code execution.
Further information:
This can be abused remotely even via Mail.app (by sending the movie as an attachment), Safari, or any other application that hands the file to QuickTime.
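What a parser has to check before trusting that size field, as an added C example (not Flip4Mac or Telestream code). The only ASF facts it relies on are that every object starts with a 16-byte GUID followed by a 64-bit little-endian object size that includes the header, and that the File Properties Object is 104 bytes long; check_sample() builds a constructed input, not a real WMV file, and all function names are this example's own.

```c
/* Bounds-checking an ASF object header before its size field is used.
 * Added example; not Flip4Mac, Telestream or QuickTime code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ASF_OBJECT_HEADER_LEN   24u   /* 16-byte GUID + 8-byte little-endian size */
#define ASF_FILE_PROPS_BODY_LEN 80u   /* File Properties Object is 104 bytes in total */

enum asf_status {
    ASF_OK = 0,
    ASF_ERR_TRUNCATED_HEADER,   /* fewer than 24 bytes available */
    ASF_ERR_SIZE_TOO_SMALL,     /* size field smaller than the header it includes */
    ASF_ERR_SIZE_BEYOND_INPUT,  /* size field runs past the end of the input */
    ASF_ERR_WRONG_GUID,         /* not a File Properties Object */
    ASF_ERR_BAD_BODY_LEN        /* File Properties body is not exactly 80 bytes */
};

typedef struct {
    uint8_t        guid[16];
    uint64_t       size;      /* as stored: total object length, header included */
    const uint8_t *body;
    size_t         body_len;
} asf_object;

/* ASF_File_Properties_Object GUID 8CABDCA1-A947-11CF-8EE4-00C00C205365 as it
 * appears on disk (the first three fields are little-endian). */
static const uint8_t ASF_FILE_PROPS_GUID[16] = {
    0xA1,0xDC,0xAB,0x8C, 0x47,0xA9, 0xCF,0x11,
    0x8E,0xE4, 0x00,0xC0,0x0C,0x20,0x53,0x65 };

static uint64_t le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Validate the object at buf[0..len) and fill *obj. The size field is compared
 * as a 64-bit value against the caller's length before any arithmetic or
 * narrowing, so a 32-bit build cannot be fooled by a size like 0x100000068
 * whose low 32 bits look like a sane 104. */
enum asf_status asf_parse_object(const uint8_t *buf, size_t len, asf_object *obj)
{
    if (len < ASF_OBJECT_HEADER_LEN)
        return ASF_ERR_TRUNCATED_HEADER;
    uint64_t size = le64(buf + 16);
    if (size < ASF_OBJECT_HEADER_LEN)
        return ASF_ERR_SIZE_TOO_SMALL;      /* body_len would underflow */
    if (size > (uint64_t)len)
        return ASF_ERR_SIZE_BEYOND_INPUT;   /* would read or copy past the buffer */
    memcpy(obj->guid, buf, sizeof obj->guid);
    obj->size     = size;
    obj->body     = buf + ASF_OBJECT_HEADER_LEN;
    obj->body_len = (size_t)(size - ASF_OBJECT_HEADER_LEN);
    return ASF_OK;
}

/* Copy a File Properties body into a fixed-size destination. The length of
 * this memcpy comes from the constant, never from the file's size field. */
enum asf_status asf_copy_file_properties(const asf_object *obj,
                                         uint8_t dst[ASF_FILE_PROPS_BODY_LEN])
{
    if (memcmp(obj->guid, ASF_FILE_PROPS_GUID, sizeof ASF_FILE_PROPS_GUID) != 0)
        return ASF_ERR_WRONG_GUID;
    if (obj->body_len != ASF_FILE_PROPS_BODY_LEN)
        return ASF_ERR_BAD_BODY_LEN;
    memcpy(dst, obj->body, ASF_FILE_PROPS_BODY_LEN);
    return ASF_OK;
}

/* Constructed input: a 104-byte File Properties Object whose size field is
 * whatever the caller wants to try. Returns the status of parse + copy. */
enum asf_status check_sample(uint64_t size_field)
{
    uint8_t buf[ASF_OBJECT_HEADER_LEN + ASF_FILE_PROPS_BODY_LEN] = {0};
    uint8_t props[ASF_FILE_PROPS_BODY_LEN];
    asf_object obj;

    memcpy(buf, ASF_FILE_PROPS_GUID, sizeof ASF_FILE_PROPS_GUID);
    for (int i = 0; i < 8; i++)
        buf[16 + i] = (uint8_t)(size_field >> (8 * i));

    enum asf_status st = asf_parse_object(buf, sizeof buf, &obj);
    if (st != ASF_OK)
        return st;
    return asf_copy_file_properties(&obj, props);
}
```

The two checks on the size field are independent: "not smaller than its own header" stops the subtraction from wrapping to a huge body length, and "not larger than what was read" stops a copy past the end of the input. Both have to be made on the full 64-bit value; truncating to a 32-bit length first and then checking is the classic way to pass the check and still overflow the copy.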
Labels:
memory corruption,
remote
Friday, January 26, 2007
MOAB-26-01-2007: Apple Installer Package Filename Format String Vulnerability
Apple Installer fails to properly handle package filename strings: the filename reaches a printf-style API as the format argument, a typical format string vulnerability, which can lead to a denial of service condition or arbitrary code execution.
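This advisory and MOAB-30-01-2007 describe the same mistake: a string that came from outside (here, the package filename) is handed to a printf-style API as the format rather than as an argument. The following added C example (not Apple's Installer code nor anything from the advisories) shows the vulnerable and fixed shapes with snprintf, which parses its format exactly as NSLog and the NSRunAlertPanel family do, plus a small scanner an auditor can run over filenames or fuzz inputs to see which directives they carry; log_bad, log_good, log_good_verbatim and scan_format are this example's own names.

```c
/* Format-string misuse, its fix, and an auditor for untrusted strings.
 * Added example: not code from the MOAB advisories or from Apple. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* VULNERABLE: the untrusted string (a package filename, say) is passed as the
 * format itself, the same shape as NSLog(filename) or
 * NSRunAlertPanel(title, filename, ...) in Cocoa. The library then parses it:
 * "%x" leaks stack words, "%s" reads through pointers, "%n" writes memory.
 * The pragmas only silence the compiler so the example builds; never do this. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int log_bad(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, untrusted);
}
#pragma GCC diagnostic pop

/* FIXED: the format is a literal and the untrusted data is an argument
 * (the Cocoa equivalent is NSLog(@"%@", filename)). */
int log_good(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, "%s", untrusted);
}

/* Returns 1 when log_good() reproduces the input byte for byte, i.e. any
 * directives inside it were treated as data rather than interpreted. */
int log_good_verbatim(const char *untrusted)
{
    char buf[128];
    int n = log_good(buf, sizeof buf, untrusted);
    return n >= 0 && (size_t)n < sizeof buf && strcmp(buf, untrusted) == 0;
}

/* What an untrusted string would do if it ever reached a format-string API.
 * Useful for auditing inputs, fuzz corpora or log lines for this bug class. */
typedef struct {
    int conversions;   /* directives that consume an argument ("%%" excluded) */
    int writes;        /* "%n" directives: these turn a leak into a memory write */
} fmt_stats;

fmt_stats scan_format(const char *s)
{
    fmt_stats st = {0, 0};
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                 /* "%%" is a literal percent sign */
            continue;
        if (*p == '\0')                /* dangling '%' at end of string */
            break;
        /* skip flags, width or positional index, precision, length modifiers */
        while (*p != '\0' && strchr("-+ #0'", *p))
            p++;
        while (*p != '\0' && (isdigit((unsigned char)*p) || *p == '*' || *p == '$'))
            p++;
        if (*p == '.') {
            p++;
            while (*p != '\0' && (isdigit((unsigned char)*p) || *p == '*'))
                p++;
        }
        while (*p != '\0' && strchr("hlLqjzt", *p))
            p++;
        if (*p == '\0')
            break;
        st.conversions++;              /* *p is now the conversion character */
        if (*p == 'n')
            st.writes++;
    }
    return st;
}
```

Build with -Wformat -Wformat-security (and -Wformat-nonliteral on clang) and the compiler points at log_bad on its own; that warning is the cheapest audit for every API in the list above, since all of them are annotated as printf-like. A string reported with writes greater than zero is the one to worry about: without %n an attacker gets a memory read, with it a write.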
Further information:
- Apple Installer Package Filename Format String Vulnerability
- Petition Online: Assure OSX authentication dialog box authenticity
- Petition Online: Remove all admin->root authorization prompts from OSX
Also, many thanks to an anonymous supporter for donating to the project. We are at $568.73 USD now. We would also like to note that we don't endorse any actions taken against anyone who openly criticizes or disagrees with the project. Let's keep out of personal attacks; they don't bring anything interesting to the playground, and after all, there are plenty of ways to poke fun at someone without resorting to dirty tricks. For instance, give an exploit a good use.
Labels:
format string
Thursday, January 25, 2007
MOAB-25-01-2007: Apple CFNetwork HTTP Response Denial of Service
CFNetwork fails to handle certain HTTP responses properly, causing the _CFNetConnectionWillEnqueueRequests() function to dereference a NULL pointer and crash the client application, a denial of service condition.
Further information:
- Apple CFNetwork HTTP Response Denial of Service
- Proof of concept: MOAB-25-01-2007.rb and MOAB-25-01-2007.c
Labels:
denial of service,
remote