n.runs-SA-2008.005 - Apple Inc. - CoreServices Framework’s CarbonCore Framework - Arbitrary Code Execution (remote)
n.runs AG
http://www.nruns.com/ security(at)nruns.com
n.runs-SA-2008.005 01-Aug-2008
________________________________________________________________________
Vendor: Apple Inc., http://www.apple.com
Affected Products: CoreServices Framework’s CarbonCore Framework
(Used by, e.g., Safari and Mail)
Affected Platforms:
Mac OS X v10.4.11
Mac OS X Server v10.4.11
Mac OS X v10.5.4
Mac OS X Server v10.5.4
Vulnerability: Arbitrary Code Execution (remote)
Risk: CRITICAL
________________________________________________________________________
Vendor communication:
2008/03/07 Initial notification to Apple Inc. n.runs AG has found a
considerable number of vulnerabilities in Apple's most
up-to-date default systems and default installed
products, both on Mac OS 10.5 (Leopard) and iPhone 1.1.4,
and intends to send them in several phases to Apple Inc.
2008/03/08 Apple Inc. replies to n.runs AG providing their public
pgp key. Apple Inc. states that the Apple Inc. RFP will
be used instead of the n.runs RFP
2008/03/08 n.runs AG responds that vulnerability reporting will
only happen under n.runs AG RFP
2008/03/11 Apple Inc. confirms to n.runs AG that the n.runs AG RFP
is aligned to their RFP, and that n.runs may continue
with further communication and bug reporting
2008/03/11 n.runs AG sends PoCs for various issues to Apple Inc.
2008/03/11 Apple Inc. acknowledges the PoCs, but has issues
reproducing some of the vulnerabilities.
2008/03/12 n.runs AG sends more reliable PoCs along with detailed
reproduction steps.
2008/03/24 Apple Inc. sends a status report regarding the
vulnerabilities reported by n.runs AG
2008/03/30 n.runs AG thanks Apple Inc. for the status update and
apologises for not being more responsive during the
CanSecWest time-frame.
2008/03/31 Apple Inc. sends a second status update and provides a
link to where the credits will appear
(http://support.apple.com/kb/HT1222)
2008/04/01 n.runs AG acknowledges the update and sends a second set
of vulnerabilities and PoC based on the good and
frequent communications that n.runs AG has had with
Apple Inc. so far.
2008/04/01 Apple Inc. thanks n.runs AG for the new PoCs,
acknowledges them and includes a status report. Some of
the issues are reported to be already known to them
and/or discovered internally prior to n.runs AG
reporting them. Apple Inc. also informs that Sergio's name
and company have been added to their system to track
credit information for each of the security issues, and
provides the Radar IDs assigned to each of them. Apple
mentions further issues when trying to reproduce some of
the vulnerabilities.
2008/04/01 n.runs AG thanks for the quick response and also
clarifies that n.runs AG expects, as described in the
RFP, to be credited for all the vulnerabilities reported
to Apple Inc. - all of which affect the most up-to-date
products available to the public - whether they are
internally known to Apple Inc or not.
2008/04/03 Apple Inc. replies: “Yes, that's our policy: all
reporters of non publicly known security bugs get
credit.”
2008/05/23 n.runs AG reports another vulnerability and requests a
status update for the previously reported
vulnerabilities
2008/05/29 Apple Inc. sends a status report and asks how n.runs
would like to be credited, if there is some specific
format.
2008/05/29 n.runs AG sends the requested information to Apple Inc.
2008/05/31 Apple Inc. sends the status report for the last reported
issue, along with its Radar ID.
2008/07/10 n.runs AG requests a status update for the issues
reported to Apple Inc.
2008/07/11 Apple Inc. sends the status report. Apple informs n.runs
AG that some of the vulnerabilities had already been
fixed, for which an update had been released some time
ago. Apple Inc. also mentions that one of the
vulnerabilities was found through internal security
testing; consequently no credit was given, but that
would be fixed. Apple Inc. requests the format for the
credits that n.runs AG would like to have.
2008/07/13 n.runs AG replies with the following statement: “As I
[Sergio Alvarez] said and you agreed in my first
e-mails, before sending any of my findings, whether you
found them internally or somebody else reported the same
bugs that I'm reporting, you (Apple) have to credit me
for my findings for the simple reason that I'm reporting
them to you instead of releasing them to the public
while the bugs are not fixed. That said, I've checked
all the credits given in "iPhone 2.0 and iPod touch 2.0"
(http://support.apple.com/kb/HT2351) and the ones given
in "QuickTime 7.5" (http://support.apple.com/kb/HT1991),
and I haven't been credited in any of them. This is a
clear violation of our RFP. If by Monday, July 14th 2008
the proper credits are not given to me, I'll release all
the vulnerabilities and bugs that I've reported to you
and also the ones I didn't report yet by Tuesday, July
15th 2008.”
2008/07/15 Apple Inc. asks n.runs AG not to make their findings
public and also publishes the credits for one of the
issues reported. Apple also provides a status report for
the previous findings.
2008/07/15 n.runs AG provides further use-cases and attack vectors
information to Apple Inc.
2008/07/23 Apple Inc. creates a new security ID for the use-cases
and attack vectors reported as a design issue to fix.
2008/07/23 n.runs thanks Apple Inc. for the feedback and asks for a
status report update
2008/08/01 Apple Inc. notifies n.runs AG of the imminent release of
an update and sends the related advisory and credits.
(The update and credits were already available at the
time n.runs AG read the email sent by Apple Inc.)
2008/08/01 n.runs AG releases this advisory
________________________________________________________________________
Overview:
Carbon is a set of C APIs offering developers an advanced user interface
toolkit, event handling, access to the Quartz 2D graphics library, and
multiprocessing support. Developers have access to other C and C++ APIs,
including the OpenGL drawing system and the Mach microkernel.
CarbonCore gathers together a number of lower-level Mac OS Toolbox
managers. Some of these are deprecated but essential to porting to Carbon.
CarbonCore includes the old Device Manager, Date and Time Utilities, the
Finder interface, Mixed Mode, CFM, the Thread Manager, the Collection
Manager, the Script Manager, and more. Most of the Toolbox defines are
in here.
Description:
A remotely exploitable vulnerability has been found in the file name
parsing code.
More specifically, passing a long file name to the CarbonCore framework
file management API will trigger a stack buffer overflow.
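The bug class named above, illustrated with added example code that is not part of this advisory and not Apple's CarbonCore source: a fixed-size stack buffer that receives a file name of unchecked length, beside a bounded copy that rejects names which do not fit. The buffer size (256), the function names and the sample names are assumptions chosen for illustration only.

```c
#include <stddef.h>
#include <string.h>

/* Assumed buffer size for illustration; not the real CarbonCore layout. */
#define NAME_BUF_LEN 256

/*
 * The vulnerable pattern (shown only as a comment, not compiled):
 *
 *     char buf[NAME_BUF_LEN];
 *     strcpy(buf, name);   // no length check: a name longer than the
 *                          // buffer overwrites the rest of the stack frame
 *
 * The hardened form below compares the source length with the
 * destination size before copying and refuses over-long names.
 */

/* Copy src into dst only if it fits, NUL terminator included.
 * Returns 0 on success, -1 when the name is too long. */
int copy_name_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len)
        return -1;                 /* reject instead of overflowing */
    memcpy(dst, src, n + 1);       /* n + 1 copies the terminator too */
    return 0;
}

/* Validate an untrusted file name against the fixed-size stack buffer.
 * Returns 1 if the name was accepted and copied, 0 if it was rejected. */
int name_fits(const char *name)
{
    char buf[NAME_BUF_LEN];
    if (copy_name_bounded(buf, sizeof buf, name) != 0)
        return 0;
    return 1;
}

/* Self-check on constructed sample input: a short name is accepted,
 * a name longer than the buffer is rejected, and the exact boundary
 * (255 characters fit, 256 do not) behaves as intended.
 * Returns 1 when every expectation holds. */
int check_constructed_samples(void)
{
    char long_name[NAME_BUF_LEN + 64];
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    char edge[NAME_BUF_LEN + 1];
    memset(edge, 'B', NAME_BUF_LEN);
    edge[NAME_BUF_LEN - 1] = '\0';   /* 255 chars + NUL: fits */
    int edge_fits = name_fits(edge) == 1;
    edge[NAME_BUF_LEN - 1] = 'B';
    edge[NAME_BUF_LEN] = '\0';       /* 256 chars + NUL: too long */
    int edge_rejected = name_fits(edge) == 0;

    int short_ok = name_fits("report.txt") == 1;
    int long_rejected = name_fits(long_name) == 0;
    return short_ok && long_rejected && edge_fits && edge_rejected;
}
```

The check is deliberately an explicit comparison against the destination size rather than a truncating copy: silently truncating a file name can turn an overflow into a different file being opened than the one the caller named, so rejecting the input and reporting an error is the safer default.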
Impact:
This problem can lead to remote arbitrary code execution if an attacker
carefully crafts a file that exploits the aforementioned vulnerability.
n.runs AG illustrated the exploitation using Safari and Mail - both
present on a standard OS X installation - to demonstrate the risks. The
attack surface is however not limited to these two applications: any
software component that makes use of the CarbonCore framework may allow
arbitrary code execution. The vulnerability is present in Apple
CarbonCore Framework prior to the update released on Aug 1st, 2008.
Solution:
The vulnerability was reported on Apr 1st, 2008, and an Apple Security
Update fixing it was issued on Aug 1st, 2008. For detailed information
about the fixes, follow the link in the references section [1] of this
document.
________________________________________________________________________
Credits:
Bug found by Sergio ‘shadown’ Alvarez of n.runs AG.
________________________________________________________________________
References:
[1] http://support.apple.com/kb/HT2647
This Advisory and Upcoming Advisories:
http://www.nruns.com/security_advisory.php
Subscribe to the n.runs newsletter by signing up to:
http://www.nruns.com/newsletter_en.php
________________________________________________________________________
Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact
security@xxxxxxxxx for permission. Use of the advisory constitutes
acceptance for use in an "as is" condition. All warranties are excluded.
In no event shall n.runs be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages, even if n.runs has been advised of the possibility of
such damages.
Copyright 2008 n.runs AG. All rights reserved. Terms of use apply.