|
Brought to you by:
Suppliers of:
|
|
|
| |
CFNetwork is a framework in the Core Services framework that provides a library of abstractions for network protocols. It can be used to perform a variety of network tasks using different protocols such as SSL/TLS, DNS, FTP and HTTP. Besides many other applications the CFNetwork framework is used by Safari and Mail.
A remotely exploitable vulnerability has been found in the HTTP header parsing code. One attack vector is the Safari browser. An attacker can exploit this vulnerability by providing his own web server. When a user visits the provided site, the vulnerability allows remote code execution. |
| |
Credit:
The information has been provided by Moritz Jodeit.
The original article can be found at: http://www.nruns.com/security_advisory.php
|
| |
Vulnerable Systems:
* Apple Mac OS X version 10.5.6
Each HTTP header received from a web server is first capitalized. I.e. the first character of the header name is upper-cased while all remaining characters are lower-cased. Inside the CFNetwork framework the _CFCapitalizeHeader() function is used for this purpose.
The first thing this function does is to convert the header name into UTF-16 encoded form. Depending on the length of the header name the result is either stored in a local stack buffer or in a buffer allocated on the heap. For all header names > 511 bytes a heap buffer is allocated as follows:
__text:00003A35 loc_3A35:
__text:00003A35 mov esi, [ebp+var_810]
__text:00003A3B add esi, esi
__text:00003A3D mov [esp+838h+var_838], esi
__text:00003A40 call _malloc
At address 0x00003A35 the length of the header name is stored in %esi and then doubled to hold the UTF-16 encoded variant. After the buffer was allocated some variables are setup. At 0x00003A4D the destination pointer for the following memory copy operation is stored.
__text:00003A45 add esi, eax
__text:00003A47 mov [ebp+var_81C], eax
__text:00003A4D mov [ebp+var_814], esi
__text:00003A53 mov [ebp+var_818], eax
Note that in contrary to the stack buffer, where a pointer to the _start_ of the buffer is stored in [ebp+var_814], this code stores a pointer to the _end_ of the allocated buffer. The following memory copy loop starting at 0x00003AD1 then stores the UTF-16 encoded header name not inside the buffer, but directly after it which leads to an exploitable heap-based buffer overflow.
Patch Availability:
Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT1222
CVE Information:
CVE-2009-0157
Disclosure Timeline:
2009/04/17 Initial notification of Apple including n.runs RFP
2009/04/27 Received response from Apple about planned disclosure date
2009/04/29 Received update from Apple about adjusted disclosure date
2009/05/12 Apple issues updates
|
|
|
|
|
