n.runs AG
http://www.nruns.com/
security(at)nruns.com

n.runs-SA-2008.005                                          01-Aug-2008
________________________________________________________________________

Vendor:             Apple Inc., http://www.apple.com
Affected Products:  CoreServices Framework's CarbonCore Framework
                    (used by, e.g., Safari and Mail)
Affected Platforms: Mac OS X v10.4.11
                    Mac OS X Server v10.4.11
                    Mac OS X v10.5.4
                    Mac OS X Server v10.5.4
Vulnerability:      Arbitrary Code Execution (remote)
Risk:               CRITICAL
________________________________________________________________________

Vendor communication:

2008/03/07  Initial notification to Apple Inc. n.runs AG has found a
            considerable number of vulnerabilities in Apple's most
            up-to-date default systems and default installed products,
            both on Mac OS 10.5 (Leopard) and iPhone 1.1.4, and intends
            to send them to Apple Inc. in several phases.
2008/03/08  Apple Inc. replies to n.runs AG, providing their public PGP
            key. Apple Inc. states that the Apple Inc. RFP will be used
            instead of the n.runs RFP.
2008/03/08  n.runs AG responds that vulnerability reporting will only
            happen under the n.runs AG RFP.
2008/03/11  Apple Inc. confirms to n.runs AG that the n.runs AG RFP is
            aligned with their RFP, and that n.runs may continue with
            further communication and bug reporting.
2008/03/11  n.runs AG sends PoCs for various issues to Apple Inc.
2008/03/11  Apple Inc. acknowledges the PoCs, but has issues reproducing
            some of the vulnerabilities.
2008/03/12  n.runs AG sends more reliable PoCs along with detailed
            reproduction steps.
2008/03/24  Apple Inc. sends a status report regarding the
            vulnerabilities reported by n.runs AG.
2008/03/30  n.runs AG thanks Apple Inc. for the status update and
            apologises for not being more responsive during the
            CanSecWest time-frame.
2008/03/31  Apple Inc. sends a second status update and provides a link
            to where the credits will appear
            (http://support.apple.com/kb/HT1222).
2008/04/01  n.runs AG acknowledges the update and, based on the good and
            frequent communication it has had with Apple Inc. so far,
            sends a second set of vulnerabilities and PoCs.
2008/04/01  Apple Inc. thanks n.runs AG for the new PoCs, acknowledges
            them and includes a status report. Some of the issues are
            reported to be already known to them and/or discovered
            internally prior to n.runs AG's report. Apple Inc. also
            informs n.runs AG that Sergio's name and company have been
            added to their system to track credit information for each
            of the security issues, and provides the Radar IDs assigned
            to each of them. Apple mentions further issues when trying
            to reproduce some of the vulnerabilities.
2008/04/01  n.runs AG thanks Apple Inc. for the quick response and
            clarifies that n.runs AG expects, as described in the RFP,
            to be credited for all the vulnerabilities reported to Apple
            Inc. - all of which affect the most up-to-date products
            available to the public - whether they are internally known
            to Apple Inc. or not.
2008/04/03  Apple Inc. replies: "Yes, that's our policy: all reporters
            of non publicly known security bugs get credit."
2008/05/23  n.runs AG reports another vulnerability and requests a status
            update for the previously reported vulnerabilities.
2008/05/29  Apple Inc. sends a status report and asks how n.runs would
            like to be credited, and whether there is a specific format.
2008/05/29  n.runs AG sends the requested information to Apple Inc.
2008/05/31  Apple Inc. sends the status report for the last reported
            issue, along with its Radar ID.
2008/07/10  n.runs AG requests a status update for the issues reported
            to Apple Inc.
2008/07/11  Apple Inc. sends the status report. Apple informs n.runs AG
            that some of the vulnerabilities had already been fixed, and
            that an update for them had been released some time ago.
            Apple Inc. also mentions that one of the vulnerabilities was
            found through internal security testing; consequently no
            credit was given, but that this would be fixed. Apple Inc.
            requests the format for the credits that n.runs AG would
            like to have.
2008/07/13  n.runs AG replies with the following statement: "As I
            [Sergio Alvarez] said and you agreed in my first e-mails,
            before sending any of my findings, whether you found them
            internally or somebody else reported the same bugs that I'm
            reporting, you (Apple) have to credit me for my findings for
            the simple reason that I'm reporting them to you instead of
            releasing them to the public while the bugs are not fixed.
            That said, I've checked all the credits given in "iPhone 2.0
            and iPod touch 2.0" (http://support.apple.com/kb/HT2351) and
            the ones given in "QuickTime 7.5"
            (http://support.apple.com/kb/HT1991), and I haven't been
            credited in any of them. This is a clear violation of our
            RFP. If by Monday, July 14th 2008 the proper credits are not
            given to me, I'll release all the vulnerabilities and bugs
            that I've reported to you and also the ones I didn't report
            yet by Tuesday, July 15th 2008."
2008/07/15  Apple Inc. asks n.runs AG not to make their findings public
            and publishes the credits for one of the issues reported.
            Apple also provides a status report for the previous
            findings.
2008/07/15  n.runs AG provides further use-case and attack-vector
            information to Apple Inc.
2008/07/23  Apple Inc. creates a new security ID for the use-cases and
            attack vectors reported, as a design issue to fix.
2008/07/23  n.runs thanks Apple Inc. for the feedback and asks for a
            status report update.
2008/08/01  Apple Inc. notifies n.runs AG of the imminent release of an
            update and sends the related advisory and credits. (The
            update and credits were already available at the time
            n.runs AG read the email sent by Apple Inc.)
2008/08/01  n.runs AG releases this advisory.
________________________________________________________________________

Overview:

Carbon is a set of C APIs offering developers an advanced user interface
toolkit, event handling, access to the Quartz 2D graphics library, and
multiprocessing support. Developers have access to other C and C++ APIs,
including the OpenGL drawing system and the Mach microkernel.

CarbonCore gathers together a number of lower-level Mac OS Toolbox
managers. Some of these are deprecated but essential to porting to
Carbon. CarbonCore includes the old Device Manager, Date and Time
Utilities, the Finder interface, Mixed Mode, CFM, the Thread Manager,
the Collection Manager, the Script Manager, and more. Most of the Toolbox
defines are in here.

Description:

A remotely exploitable vulnerability has been found in the file name
parsing code. More specifically, passing a long file name to the
CarbonCore framework file management API triggers a stack buffer
overflow.

Impact:

This problem can lead to remote arbitrary code execution if an attacker
carefully crafts a file that exploits the aforementioned vulnerability.
n.runs AG illustrated the exploitation using Safari and Mail - both
present on a standard OS X installation - to demonstrate the risks. The
attack surface is however not limited to these two applications: any
software component that makes use of the CarbonCore framework may allow
arbitrary code execution.

The vulnerability is present in the Apple CarbonCore Framework prior to
the update released on Aug 1st, 2008.

Solution:

The vulnerability was reported on Apr 1st, 2008, and an Apple Security
Update fixing it was issued on Aug 1st, 2008. For detailed information
about the fixes, follow the link in the references section [1] of this
document.
________________________________________________________________________

Credits:

Bug found by Sergio 'shadown' Alvarez of n.runs AG.
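The following C snippet is an added illustration of the bug class named in the Description section, not code from Apple or from n.runs AG: Carbon file APIs exchange names as Pascal strings (Str255), and a conversion routine that copies a caller-supplied name into a fixed-size stack buffer without checking its length first is shown beside a checked version of the same routine. The function names, the Str255Buf type and the 400-byte sample name are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not Apple's code. Carbon file APIs exchange names as
 * Pascal strings (Str255: a length byte followed by at most 255 bytes), so
 * callers convert C strings into a fixed 256-byte stack buffer. Trusting the
 * input length is the bug class the advisory describes; the checked version
 * is the shape of the fix. */
#define STR255_MAX 255
typedef unsigned char Str255Buf[STR255_MAX + 1];

/* Vulnerable pattern, kept for contrast: with n > 255 the length byte wraps
 * modulo 256 and memcpy writes past the stack buffer. It is correct for every
 * ordinary file name, which is why such bugs survive functional testing. */
static void c2pstr_unchecked(const char *name, Str255Buf out) {
    size_t n = strlen(name);
    out[0] = (unsigned char)n;
    memcpy(out + 1, name, n);
}

/* Hardened form: validate before touching the buffer and report failure so
 * the caller can refuse the file rather than truncate silently. */
static int c2pstr_checked(const char *name, Str255Buf out) {
    size_t n = strlen(name);
    if (n > STR255_MAX) { out[0] = 0; return -1; }  /* well-formed empty string */
    out[0] = (unsigned char)n;
    memcpy(out + 1, name, n);
    return 0;
}

/* Stored length after a checked conversion, or -1 if the name was rejected. */
static int checked_len(const char *name) {
    Str255Buf p;
    return c2pstr_checked(name, p) == 0 ? p[0] : -1;
}

/* Constructed 400-byte name, like one carried in a crafted file; fed only to
 * the checked converter. */
static int long_name_result(void) {
    char longname[401];
    memset(longname, 'A', 400);
    longname[400] = '\0';
    return checked_len(longname);
}

int main(void) {
    Str255Buf p;
    c2pstr_unchecked("report.pdf", p);   /* harmless on a short name */
    printf("short: %d  long: %d\n", checked_len("report.pdf"), long_name_result());
    return 0;
}
```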
________________________________________________________________________

References:

[1] http://support.apple.com/kb/HT2647

This Advisory and Upcoming Advisories:
http://www.nruns.com/security_advisory.php

Subscribe to the n.runs newsletter by signing up to:
http://www.nruns.com/newsletter_en.php
________________________________________________________________________

Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact
security@nruns.com for permission. Use of the advisory constitutes
acceptance for use in an "as is" condition. All warranties are excluded.
In no event shall n.runs be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages, even if n.runs has been advised of the possibility of
such damages.

Copyright 2008 n.runs AG. All rights reserved. Terms of use apply.