n.runs-SA-2008.005 - Apple Inc. - CoreServices Framework’s CarbonCore Framework - Arbitrary Code Execution (remote)

["security () nruns com" <security () nruns com>]

n.runs AG
http://www.nruns.com/                              security(at)nruns.com
n.runs-SA-2008.005                                           01-Aug-2008
________________________________________________________________________

Vendor:                Apple Inc., http://www.apple.com
Affected Products:     CoreServices Framework’s CarbonCore Framework
                       (Used by: i.e. Safari, Mail)
Affected Platforms:
                       Mac OS X v10.4.11
                       Mac OS X Server v10.4.11
                       Mac OS X v10.5.4
                       Mac OS X Server v10.5.4
Vulnerability:         Arbitrary Code Execution (remote)
Risk:                  CRITICAL
________________________________________________________________________

Vendor communication:

  2008/03/07    Initial notification to Apple Inc. n.runs AG has found 
a
                considerable amount of vulnerabilities in Apple most
                up-to-date Default Systems and Default Installed
                Products both on Mac OS 10.5 (Leopard) and iPhone 1.1.4,
                and intends to send them in several phases to Apple Inc.
  2008/03/08    Apple Inc. replies to n.runs AG providing their public
                pgp key. Apple Inc. states that the Apple Inc. RFP will
                be used instead of the n.runs RFP
  2008/03/08    n.runs AG responds that vulnerability reporting will
                only happen under n.runs AG RFP
  2008/03/11    Apple Inc. confirms to n.runs AG that the n.runs AG RFP
                is aligned to their RFP, and that n.runs may continue
                with further communication and bug reporting
  2008/03/11    n.runs AG sends PoCs for various issues to Apple Inc.
  2008/03/11    Apple Inc. acknowledges the PoCs, but has issues
                reproducing some of the vulnerabilities.
  2008/03/12    n.runs AG sends more reliable PoCs along with detailed
                reproduction steps.
  2008/03/24    Apple Inc. sends a status report regarding the
                vulnerabilities reported by n.runs AG
  2008/03/30    n.runs AG thanks Apple Inc. for the status update and
                apologises for not being more responsive during the
                CanSecWest time-frame.
  2008/03/31    Apple Inc. sends a second status update and provides a
                link to where the credits will appear
                (http://support.apple.com/kb/HT1222)
  2008/04/01    n.runs AG acknowledges the update and sends a second set
                of vulnerabilities and PoC based on the good and
                frequent communications that n.runs AG has had with
                Apple Inc. so far.
  2008/04/01    Apple Inc. thanks n.runs AG for the new PoC,
                acknowledges them and includes a status report. Some of
                the issues are reported to be already known to them
                and/or discovered internally previously to n.runs AG
                reporting. Apple Inc. also informs that Sergio’s name
                and company has been added to their system to track
                credit information for each of the security issues, and
                provides the Radar IDs assigned to each of them. Apple
                mentions further issues when trying to reproduce some of
                the vulnerabilities.
  2008/04/01    n.runs AG thanks for the quick response and also
                clarifies that n.runs AG expects, as described in the
                RFP, to be credited for all the vulnerabilities reported
                to Apple Inc. - all of which affect the most up-to-date
                products available to the public - whether they are
                internally known to Apple Inc or not.
  2008/04/03    Apple Inc. replies: “Yes, that's our policy: all
                reporters of non publicly known security bugs get
                credit.”
  2008/05/23    n.runs AG reports another vulnerability and requests a
                status update for the previously reported
                vulnerabilities
  2008/05/29    Apple Inc. sends a status report and asks how n.runs
                would like to be credited, if there is some specific
                format.
  2008/05/29    n.runs AG sends the requested information to Apple Inc.
  2008/05/31    Apple Inc. sends the status report for the last reported
                issue, along with its Radar ID.
  2008/07/10    n.runs AG requests a status update for the issues
                reported to Apple Inc.
  2008/07/11    Apple Inc. sends the status report. Apple informs n.runs
                AG that some of the vulnerabilities had already been
                fixed, for which an update had been released some time
                ago. Apple Inc. also mentions that one of the
                vulnerabilities was found through internal security
                testing; consequently no credit was given, but that
                would be fixed. Apple Inc. requests the format for the
                credits that n.runs AG would like to have.
  2008/07/13    n.runs AG replies with the following statement: “As I
                [Sergio Alvarez] said and you agreed in my first
                e-mails, before sending any of my findings, whether you
                found them internally or somebody else reported the same
                bugs that I'm reporting, you (Apple) have to credit me
                for my findings for the simple reason that I'm reporting
                them to you instead of releasing them to the public
                while the bugs are not fixed. That said, I've checked
                all the credits given in "iPhone 2.0 and iPod touch 2.0"
                (http://support.apple.com/kb/HT2351) and the ones given
                in "QuickTime 7.5" (http://support.apple.com/kb/HT1991),
                and I haven't been credited in any of them. This is a
                clear violation of our RFP. If by Monday, July 14th 2008
                the proper credits are not given to me, I'll release all
                the vulnerabilities and bugs that I've reported to you
                and also the ones I didn't report yet by Tuesday, July
                15th 2008.”
  2008/07/15    Apple Inc. asks n.runs AG not to make their findings
                public and also publishes the credits for one of the
                issues reported. Apple also provides a status report for
                the previous findings.
  2008/07/15    n.runs AG provides further use-cases and attack vectors
                information to Apple Inc.
  2008/07/23    Apple Inc. creates a new security ID for the use-cases
                and attack vectors reported as a design issue to fix.
  2008/07/23    n.runs thanks Apple Inc. for the feedback and asks for a
                status report update
  2008/08/01    Apple Inc. notifies n.runs AG of the imminent release of
                an update and sends the related advisory and credits.
                (The update and credits were already available at the
                time n.runs AG read the email sent by Apple Inc.)
  2008/08/01    n.runs AG releases this advisory

________________________________________________________________________

Overview:

Carbon is a set of C APIs offering developers an advanced user interface 
toolkit, event handling, access to the Quartz 2D graphics library, and 
multiprocessing support. Developers have access to other C and C++ APIs, 
including the OpenGL drawing system and the Mach microkernel.

CarbonCore gathers together a number of lower-level Mac OS Toolbox 
managers. Some of these are deprecated but essential to porting to Carbon.

CarbonCore includes the old Device Manager, Date and Time Utilities, the 
Finder interface, Mixed Mode, CFM, the Thread Manager, the Collection 
Manager, the Script Manager, and more. Most of the Toolbox defines are 
in here.

Description:

A remotely exploitable vulnerability has been found in the file name 
parsing code.

More specifically, passing a long file name to the CarbonCore framework 
file management API will trigger a stack buffer overflow.


Impact:

This problem can lead to remote arbitrary code execution if an attacker 
carefully crafts a file that exploits the aforementioned vulnerability. 
n.runs AG illustrated the exploitation using Safari and Mail - both 
present on a standard OS X installation - to demonstrate the risks. The 
attack surface is however not limited to these two applications: any 
software component that makes use of the CarbonCore framework may allow 
arbitrary code execution. The vulnerability is present in Apple 
CarbonCore Framework prior to the update released on Aug 1st, 2008.

Solution:

The vulnerability was reported on Apr 1st, 2008 and Apple Security 
Update has been issued to solve this vulnerability on Aug 1st, 2008. For 
detailed information about the fixes, follow the link in the references 
section [1] of this document.

________________________________________________________________________

Credits:
Bug found by Sergio ‘shadown’ Alvarez of n.runs AG.
________________________________________________________________________

References:
[1] http://support.apple.com/kb/HT2647

This Advisory and Upcoming Advisories:
http://www.nruns.com/security_advisory.php

Subscribe to the n.runs newsletter by signing up to:
http://www.nruns.com/newsletter_en.php

________________________________________________________________________

Unaltered electronic reproduction of this advisory is permitted. For all 
other reproduction or publication, in printing or otherwise, contact 
security () nruns com for permission. Use of the advisory constitutes 
acceptance for use in an "as is" condition. All warranties are excluded. 
In no event shall n.runs be liable for any damages whatsoever including 
direct, indirect, incidental, consequential, loss of business profits or 
special damages, even if n.runs has been advised of the possibility of 
such damages.

Copyright 2008 n.runs AG. All rights reserved. Terms of use apply.