Apple iChat Improper TXT Key Hash Handling DoS

2007-01-29T12:00:00
ID OSVDB:32713
Type osvdb
Reporter Lance M. Havok(lmh@info-pull.com)
Modified 2007-01-29T12:00:00

Description

Vulnerability Description

Apple iChat improperly parses TXT key hashes which may allow a remote denial of service. The issue is triggered when the Apple iChat Agent receives a specially crafted TXT key hash via Bonjour triggering a NULL pointer dereference and resulting in a loss of availability for the iChat service.

Technical Description

  • Since the exploitation vector is Bonjour, which is a broadcasting service, one can use the exploit to affect a large number of users which can be reached via service advertisements, however, the remote attacker has to be on the same multicast network as the user.
  • A specially crafted TXT key hash sent via the Bonjour service will cause the iChat Agent to raise an exception (SIGTRAP signal 0x9262050b in _NSRaiseError()) due to a NULL pointer dereference.
  • The PoC author noted that this should be considered an issue in Bonjour's mDNSResponder daemon as well since iChat isn't involved in the processing of any mDNS service advertisements. mDNSResponder stops responding shortly after abuse and trying to launch iChat Bonjour functionality again will fail since mDNSResponder keeps the crafted record.

Solution Description

Download and install Security Update 2007-002 (PPC) via Software Update preferences, or from Apple Downloads, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): - Do not use iChat with the Bonjour service. or - Disable mDNSResponder using the following (by author): sudo launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist sudo mv /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist \ /Users/Shared/com.apple.mDNSResponder.plist.BACKUP

Short Description

Apple iChat improperly parses TXT key hashes which may allow a remote denial of service. The issue is triggered when the Apple iChat Agent receives a specially crafted TXT key hash via Bonjour triggering a NULL pointer dereference and resulting in a loss of availability for the iChat service.

References:

Vendor Specific Solution URL: http://www.apple.com/support/downloads/securityupdate2007002ppc.html Vendor Specific News/Changelog Entry: http://docs.info.apple.com/article.html?artnum=305102 Security Tracker: 1017661 Secunia Advisory ID:24198 Related OSVDB ID: 32715 Related OSVDB ID: 32714 Other Advisory URL: http://projects.info-pull.com/moab/MOAB-29-01-2007.html Mail List Post: http://lists.apple.com/archives/Security-announce/2007/Feb/msg00000.html Generic Informational URL: http://developer.apple.com/documentation/Cocoa/Conceptual/NetServices/Articles/about.html Generic Informational URL: http://projects.info-pull.com/moab/MOAB-09-01-2007.html Generic Informational URL: http://projects.info-pull.com/moab/MOAB-20-01-2007.html Generic Informational URL: http://www.apple.com/ichat/ Generic Exploit URL: http://projects.info-pull.com/moab/bug-files/MOAB-29-01-2007.rb CVE-2007-0710 CVE-2007-0614 CERT VU: 836024 Bugtraq ID: 22304