Mac OS X Finder DMG Disk Image Volume Name Memory Corruption

2007-01-09T00:00:00
ID OSVDB:32714
Type osvdb
Reporter Kevin Finisterre(kf_lists@digitalmunition.com)
Modified 2007-01-09T00:00:00

Description

Vulnerability Description

A remote buffer overflow exists in Mac OS X's Finder. Finder fails to properly handle DMG images with volume names of more than 255 bytes, leading to memory corruption. Using a specially crafted DMG disk image, a remote attacker can exploit this vulnerability in order to crash the vulnerable application or possibly execute arbitrary commands with the privileges of the user by serving the malicious file via a web server or convincing the victim to download and mount it.

Technical Description

Hex dump of an example DMG image volume label that can be used to trigger the issue (by Kevin Finisterre):

0009c00: 4c41 424c be42 0000 0000 0001 4594 86e1  LABL.B......E...
0009c10: 00ff 4141 4141 4141 4141 4141 4141 4141  ..AAAAAAAAAAAAAA
0009c20: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009c30: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009c40: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009c50: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009c60: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009c70: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009c80: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009c90: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009ca0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009cb0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009cc0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009cd0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009ce0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009cf0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009d00: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009d10: 4100 0000 0000 0000 0000 0000 0000 0000  A...............
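The dump above shows the shape of the hostile record: the "LABL" marker, twelve further bytes, a length field reading 0x00ff, and then a run of 'A' bytes with no terminator before the padding. The following triage scanner is an added example written for this entry; it is not code from the advisory, from Kevin Finisterre, or from Apple. It reproduces the dump's bytes inline as a constructed sample, walks a blob for every LABL marker, and classifies each label by its declared length without ever trusting that length to describe bytes that are really present. The record layout it assumes (twelve bytes between the marker and a big-endian 16-bit length, the label immediately after) is inferred from the dump alone and is not a documented DMG structure; the 255-byte limit is the one the advisory names, and because the trigger file declares exactly 0x00ff, the scanner flags labels at or beyond that limit rather than only above it.

```python
import struct

MARKER = b"LABL"
HEADER_LEN = 12        # assumed: bytes between the marker and the length field
LENGTH_FMT = ">H"      # assumed: big-endian 16-bit length (0x00ff in the dump)
LIMIT = 255            # the 255-byte limit named in the advisory

# Constructed reproduction of the advisory's hex dump: "LABL", the twelve
# bytes that follow it, a length field of 0x00ff, 255 'A' bytes, zero padding.
TRIGGER_RECORD = (
    MARKER
    + bytes.fromhex("be42 0000 0000 0001 4594 86e1")
    + bytes.fromhex("00ff")
    + b"A" * 255
    + b"\x00" * 15
)

# Constructed benign record in the same assumed layout with a short label.
BENIGN_RECORD = (
    MARKER
    + bytes.fromhex("be42 0000 0000 0001 4594 86e1")
    + struct.pack(LENGTH_FMT, 8)
    + b"Untitled"
    + b"\x00" * 8
)


def find_labl_records(data):
    """Yield the offset of every LABL marker in the blob."""
    pos = data.find(MARKER)
    while pos != -1:
        yield pos
        pos = data.find(MARKER, pos + len(MARKER))


def check_label(data, offset, limit=LIMIT):
    """Inspect one LABL record and classify its declared label length.

    Every read is bounds-checked against the blob: the declared length is
    compared with the bytes actually available before anything is copied,
    which is the check a length-trusting parser omits.
    """
    len_off = offset + len(MARKER) + HEADER_LEN
    len_size = struct.calcsize(LENGTH_FMT)
    if len_off + len_size > len(data):
        return {"offset": offset, "declared_len": None, "label": "",
                "status": "truncated"}
    declared = struct.unpack_from(LENGTH_FMT, data, len_off)[0]
    label_off = len_off + len_size
    available = len(data) - label_off
    if declared > available:
        status = "truncated"   # length claims more bytes than the blob holds
    elif declared >= limit:
        status = "overlong"    # at or beyond the 255-byte limit: treat as hostile
    else:
        status = "ok"
    label = data[label_off:label_off + min(declared, available)]
    return {"offset": offset, "declared_len": declared,
            "label": label.decode("ascii", errors="replace"), "status": status}


def scan_blob(data, limit=LIMIT):
    """Return one result per LABL record found in the blob."""
    return [check_label(data, off, limit) for off in find_labl_records(data)]


def scan_file(path, limit=LIMIT):
    """Scan a file on disk, e.g. a downloaded image before it is mounted."""
    with open(path, "rb") as fh:
        return scan_blob(fh.read(), limit)


if __name__ == "__main__":
    for rec in scan_blob(BENIGN_RECORD + TRIGGER_RECORD):
        print(f"offset={rec['offset']:#x} declared={rec['declared_len']} "
              f"status={rec['status']}")
```

Run stand-alone it reports the benign record as ok and the reproduced trigger record as overlong; `scan_file` applies the same classification to an image on disk. Because the layout is inferred from one dump, treat a hit as a reason to quarantine and inspect, not as proof of a malicious image, and a miss as no assurance.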

Solution Description

Download and install Security Update 2007-002, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): do not mount disk images, or simply disable Finder and use Spotlight instead. One can disable Finder using the following steps:

1) Open Terminal, found in /Applications -> Utilities
2) Once inside Terminal, type: sudo mv /System/Library/CoreServices/Finder.app /Applications/
3) While still in Terminal, type: killall Finder

In the case that Finder has already been put into a Denial of Service condition, one can unmount the offending image using the following command in Terminal:

hdiutil unmount /Volumes/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/

Short Description

A remote buffer overflow exists in Mac OS X's Finder. Finder fails to properly handle DMG images with volume names of more than 255 bytes, leading to memory corruption. Using a specially crafted DMG disk image, a remote attacker can exploit this vulnerability in order to crash the vulnerable application or possibly execute arbitrary commands with the privileges of the user by serving the malicious file via a web server or convincing the victim to download and mount it.

References:

Vendor Specific Solution URL: http://www.apple.com/support/downloads/securityupdate2007002ppc.html
Vendor Specific News/Changelog Entry: http://docs.info.apple.com/article.html?artnum=305102
US-CERT Cyber Security Alert: TA07-047A
Security Tracker: 1017662
Secunia Advisory ID: 24198
Related OSVDB ID: 32715
Related OSVDB ID: 32713
Other Advisory URL: http://www.digitalmunition.com/DMA%5B2007-0109a%5D.txt
Other Advisory URL: http://projects.info-pull.com/moab/MOAB-09-01-2007.html
Mail List Post: http://lists.apple.com/archives/Security-announce/2007/Feb/msg00000.html
ISS X-Force ID: 31410
Generic Exploit URL: http://projects.info-pull.com/moab/bug-files/MOAB-09-01-2007.dmg
FrSIRT Advisory: ADV-2007-0140
CVE ID: CVE-2007-0197
CERT VU: 240880
Bugtraq ID: 21980