Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

n.runs-SA-2009.001 - OS X CFNetwork advisory
From: <security () nruns com>
Date: Fri, 15 May 2009 10:47:14 +0200

n.runs AG
http://www.nruns.com/                             security(at)nruns.com
n.runs-SA-2009.001                                          15-May-2009
________________________________________________________________________

Vendor:                         Apple Inc., http://www.apple.com
Affected Products:      Mac OS X 10.5.6
Vulnerability:          Heap-based buffer overflow in CFNetwork component
(remote)
Risk:                   HIGH
________________________________________________________________________

Vendor communication:

2009/04/17 Initial notification of Apple including n.runs RFP
2009/04/27 Received response from Apple about planned disclosure date
2009/04/29 Received update from Apple about adjusted disclosure date
2009/05/12 Apple issues updates
________________________________________________________________________

Overview:

CFNetwork is a framework in the Core Services framework that provides a
library of abstractions for network protocols. It can be used to perform
a variety of network tasks using different protocols such as SSL/TLS,
DNS, FTP and HTTP.
Besides many other applications the CFNetwork framework is used by
Safari and Mail.

Description:

A remotely exploitable vulnerability has been found in the HTTP header
parsing code. Each HTTP header received from a web server is first
capitalized. I.e. the first character of the header name is upper-cased
while all remaining characters are lower-cased. Inside the CFNetwork
framework the _CFCapitalizeHeader() function is used for this purpose.

The first thing this function does is to convert the header name into
UTF-16 encoded form. Depending on the length of the header name the
result is either stored in a local stack buffer or in a buffer
allocated on the heap. For all header names > 511 bytes a heap buffer
is allocated as follows:

__text:00003A35 loc_3A35:
__text:00003A35                 mov     esi, [ebp+var_810]
__text:00003A3B                 add     esi, esi
__text:00003A3D                 mov     [esp+838h+var_838], esi
__text:00003A40                 call    _malloc

At address 0x00003A35 the length of the header name is stored in %esi
and then doubled to hold the UTF-16 encoded variant. After the buffer
was allocated some variables are setup. At 0x00003A4D the destination
pointer for the following memory copy operation is stored.

__text:00003A45                 add     esi, eax
__text:00003A47                 mov     [ebp+var_81C], eax
__text:00003A4D                 mov     [ebp+var_814], esi
__text:00003A53                 mov     [ebp+var_818], eax

Note that in contrary to the stack buffer, where a pointer to the
_start_ of the buffer is stored in [ebp+var_814], this code stores
a pointer to the _end_ of the allocated buffer. The following
memory copy loop starting at 0x00003AD1 then stores the UTF-16
encoded header name not inside the buffer, but directly after it
which leads to an exploitable heap-based buffer overflow.

Impact:

One attack vector is the Safari browser. An attacker can exploit
this vulnerability by providing his own web server. When a user
visits the provided site, the vulnerability allows remote code
execution.

Solution:

Apple has issued an update to correct this vulnerability. More details
can be found at: http://support.apple.com/kb/HT1222
________________________________________________________________________

Credit:
Bug found by Moritz Jodeit of n.runs AG.
________________________________________________________________________

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0157

This Advisory and Upcoming Advisories:
http://www.nruns.com/security_advisory.php
________________________________________________________________________

Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact
security () nruns com for permission. Use of the advisory constitutes
acceptance for use in an "as is" condition. All warranties are excluded. In
no event shall n.runs be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages, even if n.runs has been advised of the possibility of such damages.


Copyright 2009 n.runs AG. All rights reserved. Terms of use apply.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • n.runs-SA-2009.001 - OS X CFNetwork advisory security (May 15)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]