Showing posts with label format string. Show all posts

Tuesday, January 30, 2007

MOAB-30-01-2007: Multiple Apple Software Format String Vulnerabilities

Multiple developers of Apple-based software, including Apple's own developers, seem to misunderstand how to properly use NSBeginAlertSheet, NSBeginCriticalAlertSheet, NSBeginInformationalAlertSheet, NSGetAlertPanel, NSGetCriticalAlertPanel, NSGetInformationalAlertPanel, NSReleaseAlertPanel, NSRunAlertPanel, NSRunCriticalAlertPanel, NSRunInformationalAlertPanel, and NSLog.
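These functions take a printf-style format parameter, and the bug class arises when untrusted text is passed in that position instead of as an argument to a literal format such as `@"%@"`. The Python check below is an added example, not code from the original post: it flags calls whose format argument is not a string literal. The helper names, the constructed Objective-C sample and the parameter positions (taken from the Foundation/AppKit declarations) are assumptions of this example.

```python
import re
# Zero-based position of the format parameter (NSReleaseAlertPanel takes none).
FORMAT_ARG = {"NSLog": 0}
for kind in ("", "Critical", "Informational"):
    FORMAT_ARG.update({f"NSRun{kind}AlertPanel": 1, f"NSGet{kind}AlertPanel": 1,
                       f"NSBegin{kind}AlertSheet": 9})  # sheet format follows contextInfo
CALL = re.compile(r"\b(%s)\s*\(" % "|".join(FORMAT_ARG))
LITERAL = re.compile(r'@"(?:[^"\\]|\\.)*"')

def split_args(src, pos):  # pos is just after '('; honours nesting and strings
    args, cur, depth, in_str = [], [], 0, False
    while pos < len(src):
        ch = src[pos]
        if in_str and ch == "\\":      # keep an escaped character with its backslash
            ch, pos = src[pos:pos + 2], pos + 1
        elif ch == '"':
            in_str = not in_str
        elif in_str:
            pass
        elif ch in "([{":
            depth += 1
        elif ch in ")]}":
            if depth == 0:             # closing paren of the call itself
                return args + ["".join(cur).strip()]
            depth -= 1
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur, ch = [], ""
        cur.append(ch)
        pos += 1
    return args                        # unterminated call: report what was parsed

def find_nonliteral_formats(src):
    """Return (line, function, argument) for each format argument that is not a literal."""
    findings = []
    for m in CALL.finditer(src):
        args, idx = split_args(src, m.end()), FORMAT_ARG[m.group(1)]
        if idx < len(args) and not LITERAL.fullmatch(args[idx]):
            findings.append((src.count("\n", 0, m.start()) + 1, m.group(1), args[idx]))
    return findings

# Constructed Objective-C sample: each unsafe call is followed by its safe form.
SAMPLE = r'''
NSLog(filename);
NSLog(@"%@", filename);
NSRunAlertPanel(@"Error", message, @"OK", nil, nil);
NSRunAlertPanel(@"Error", @"%@", @"OK", nil, nil, message);
NSBeginAlertSheet(title, @"OK", nil, nil, win, self, NULL, NULL, NULL, [feed title]);
NSBeginAlertSheet(title, @"OK", nil, nil, win, self, NULL, NULL, NULL, @"%@", [feed title]);
'''
```

Calling `find_nonliteral_formats(SAMPLE)` reports the three calls that pass a variable or message send as the format. A match is a review candidate rather than a confirmed bug, since the check does not trace where the value comes from.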

Further information:

Friday, January 26, 2007

MOAB-26-01-2007: Apple Installer Package Filename Format String Vulnerability


Apple Installer fails to properly handle package filename strings. It is affected by a typical format string vulnerability, which can lead to a denial of service condition or arbitrary code execution.

Further information:
See: Sarcasm.

Also, many thanks to an anonymous supporter for donating to the project. We would like to note also that we don't endorse any actions taken against anyone who openly criticizes or disagrees with the project.

Wednesday, January 24, 2007

MOAB-24-01-2007: Apple Software Update Catalog Filename Format String Vulnerability


Software Update fails to properly handle filename strings containing the swutmp extension. It is affected by a typical format string vulnerability, which can lead to a denial of service condition or arbitrary code execution.

Further information:

Saturday, January 20, 2007

MOAB-20-01-2007: Apple iChat aim:// URL Handler Format String Vulnerability

Apple iChat AIM URI scheme handling is affected by a classic format string vulnerability, allowing remote users to cause a denial of service condition or arbitrary code execution.

Further information:

Tuesday, January 16, 2007

MOAB-16-01-2007: Multiple Colloquy IRC Format String Vulnerabilities

Colloquy is affected by a format string vulnerability in the handling of INVITE requests. It can be abused by remote users and requires no interaction at all, leading to a denial of service and potential arbitrary code execution.

Further information:

Sunday, January 7, 2007

MOAB-07-01-2007: OmniWeb Javascript alert() Format String Vulnerability

OmniWeb is affected by a format string vulnerability in the handling of the JavaScript alert() function, which could allow remote arbitrary code execution.

Some hate e-mail examples are available from the Rixstep fellows at The ORLANDO Files.

Update: After we contacted Omni Group, they provided a new OmniWeb version, 5.5.2, which fixes this issue. Prompt response and fix times. Way to go! (They missed crediting KF, though.)

Thursday, January 4, 2007

MOAB-04-01-2007: iLife iPhoto Photocast XML title Format String Vulnerability

A format string vulnerability in the handling of the title field of iPhoto XML feeds allows potential remote arbitrary code execution.

For further information:

Tuesday, January 2, 2007

MOAB-02-01-2007: VLC Media Player udp:// Format String Vulnerability

A format string vulnerability exists in the handling of the udp:// URL handler. By supplying a specially crafted string, a remote attacker could cause arbitrary code execution with the privileges of the user running VLC.

Enjoy.