MOAB-30-01-2007: Multiple Apple Software Format String Vulnerabilities

Multiple developers of Apple based software including Apples own developers seem to have a misunderstanding of how to properly use NSBeginAlertSheet, NSBeginCriticalAlertSheet, NSBeginInformationalAlertSheet, NSGetAlertPanel, NSGetCriticalAlertPanel, NSGetInformationalAlertPanel, NSReleaseAlertPanel, NSRunAlertPanel, NSRunCriticalAlertPanel, NSRunInformationalAlertPanel, and NSLog.

Further information:

• Multiple Apple Software Format String Vulnerabilities
• Application Kit Functions Reference

MOAB-29-01-2007: Apple iChat Bonjour Multiple Denial of Service Vulnerabilities

Apple iChat Bonjour functionality is affected by several remotely exploitable denial of service flaws which can be triggered via advertising presence services over multicast DNS.

Further information:

• Apple iChat Bonjour Multiple Denial of Service Vulnerabilities
• Exploit: MOAB-29-01-2007.rb

MOAB-28-01-2007: Apple crashdump Privilege Escalation Vulnerability

crashdump follows symlinks within the /Library/Logs/CrashReporter/ directory, allowing admin-group users to execute arbitrary code and overwrite files with elevated privileges. In couple with a specially crafted Mach-O binary, this can be used to write a malicious crontab entry, which will run with root privileges.

• Apple crashdump Privilege Escalation Vulnerability
• Exploit: MOAB-28-01-2007.rb and vuln
  

MOAB-27-01-2007: Telestream Flip4Mac WMV Parsing Memory Corruption Vulnerability

Flip4Mac fails to properly handle WMV files with a crafted ASF_File_Properties_Object size field, leading to an exploitable memory corruption condition, which can be abused remotely for arbitrary code execution.

Further information:

• Telestream Flip4Mac WMV Parsing Memory Corruption Vulnerability
• Proof of concept: MOAB-27-01-2007.wmv

This can be abused remotely even via Mail.app (sending the movie attached in the message), Safari, etc.

MOAB-26-01-2007: Apple Installer Package Filename Format String Vulnerability

Apple Installer fails to properly handle package filename strings. It's a affected by a typical format string vulnerability, which can lead to a denial of service condition or arbitrary code execution.

Further information:

• Apple Installer Package Filename Format String Vulnerability
• Petition Online: Assure OSX authentication dialog box authenticity
• Petition Online: Remove all admin->root authorization prompts from OSX

See: Sarcasm.

Also, many thanks to an anonymous supporter for donating to the project. We would like to note also that we don't endorse any actions taken against anyone who openly criticizes or disagrees with the project.

MOAB-25-01-2007: Apple CFNetwork HTTP Response Denial of Service

CFNetwork fails to handle certain HTTP responses properly, causing the _CFNetConnectionWillEnqueueRequests() function to dereference a NULL pointer, leading to a denial of service condition.

Further information:

• Apple CFNetwork HTTP Response Denial of Service
• Proof of concept: MOAB-25-01-2007.rb and MOAB-25-01-2007.c

Many thanks to Craig Loomis, Greg Slepak and a previous supporter for donating to the project. The mark is at $472.93 USD now, so we are very close to the goal. Again, many thanks to everyone who has contributed, with both donations and feedback.

MOAB-24-01-2007: Apple Software Update Catalog Filename Format String Vulnerability

Software Update fails to properly handle the filename strings containing the swutmp extension. It's a affected by a typical format string vulnerability, which can lead to a denial of service condition or arbitrary code execution.

Further information:

• Apple Software Update Catalog Filename Format String Vulnerability