-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:               Apple iPhone OS AudioCodecs Heap Buffer Overflow
Advisory ID:            TKADV2009-007
Revision:               1.0              
Release Date:           2009/09/09
Last Modified:          2009/09/09
Date Reported:          2009/04/05
Author:                 Tobias Klein (tk at trapkit.de)
Affected Software:      iPhone OS 1.0 through 3.0.1
                        iPhone OS for iPod touch 1.1 through 3.0
Remotely Exploitable:   Yes
Locally Exploitable:    No 
Vendor URL:             http://www.apple.com/ 
Vendor Status:          Vendor has released an updated version
CVE-ID:                 CVE-2009-2206
Patch development time: 158 days


======================
Vulnerability Details: 
======================

The iPhone OS AudioCodecs library contains a heap buffer overflow 
vulnerability while parsing maliciously crafted AAC or MP3 files. The 
vulnerability may be exploited by an attacker to execute arbitrary code in 
the context of an application using the vulnerable library.

One attack vector are iPhone ringtones with malformed sample size table 
entries. It was successfully tested that iTunes uploads such malformed 
ringtones to the phone.


==================
Technical Details:
==================

Vulnerable library:
  /System/Library/Frameworks/AudioToolbox.framework/AudioCodecs

Vulnerable function: 
  ACTransformerCodec::AppendInputData()

Disassembly of the vulnerable function:

[..]
__text:3314443C LDR     R3, [R5,#0xA8]
__text:33144440 LDR     R2, [R5,#0xA4]
__text:33144444 ADD     R3, R3, #1
__text:33144448 ADD     R2, fp, R2
__text:3314444C STR     R3, [R5,#0xA8]
__text:33144450 MOV     R3, #0
__text:33144454 STMIA   IP, {R2,R3}                 [1] 
__text:33144458 MOV     R3, #0
__text:3314445C STR     R3, [IP,#8]                 [2]
__text:33144460 LDR     R3, [SP,#0x4C+sample_size]  [3]
__text:33144464 STR     R3, [IP,#0xC]               [4]
__text:33144468 ADD     IP, IP, #0x10               [5]
[..]

[1] The values of R2 and R3 are stored into the heap buffer pointed to by 
    IP (R12). R2 contains user controlled data.
[2] The value of R3 gets copied into the heap buffer.
[3] R3 is filled with user controlled data from the audio file. 
[4] The user controlled data of R3 gets copied into the heap buffer.
[5] The index into the heap buffer (pointed to by IP) gets incremented.

This code snippet gets executed in a loop. As there is no bounds checking
of the heap buffer pointed to by IP (R12) it is possible to cause an out of
bounds write (heap buffer overflow).


========= 
Solution: 
=========

  Upgrade to iPhone OS 3.1 or iPhone OS 3.1.1 for iPod touch.


==================== 
Disclosure Timeline: 
====================

  2009/04/05 - Apple Product Security Team notified
  2009/04/05 - Received an automated response message
  2009/04/07 - Reply from Apple
  2009/06/05 - Status update request sent to Apple
  2009/06/05 - Apple confirms the vulnerability
  2009/08/17 - Status update by Apple
  2009/09/05 - Status update by Apple
  2009/09/09 - New iPhone OS released by Apple
  2009/09/09 - Release date of this security advisory


======== 
Credits: 
========

  Vulnerability found and advisory written by Tobias Klein.


=========== 
References: 
===========

 [REF1] http://support.apple.com/kb/HT3860
 [REF2] http://www.trapkit.de/advisories/TKADV2009-007.txt


======== 
Changes: 
========

  Revision 0.1 - Initial draft release to the vendor
  Revision 1.0 - Public release


===========
Disclaimer:
===========

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.


================== 
PGP Signature Key: 
==================

  http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

  
Copyright 2009 Tobias Klein. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: PGP
Charset: utf-8

wj8DBQFKqB4rkXxgcAIbhEERAik4AKD5gWG/GvB9bLQojJpaLhTVlfpj4gCfSJ9i
nVSlzUd5NozllFGeI5rCboc=
=B2cm
-----END PGP SIGNATURE-----