
Posts tagged ‘vulnerabilities’


September: Month of Abysssec Undisclosed Bugs (MOAUB)

Security research group Abysssec have announced the start of the Month of Abysssec Undisclosed Bugs (MOAUB) on the 1st of September. Unlike previous similar month-long vulnerability releases, which tended to be themed, such as MOAB (Apple bugs) and MOPB (PHP bugs), Abysssec will be releasing advisories for a number of vendors including Microsoft, Mozilla, Sun, Apple, Adobe, HP, Novell, and several others. Some advisories will include proof-of-concepts and exploits.

The MOAUB will be hosted at the Exploit-DB, and it’ll be interesting to see how good the bugs will be.

Drop back here for my analysis of the more interesting vulns (including any Apple bugs).


QuickTime Player SMIL Buffer Overflow and Metasploit Exploit

On the 26th July 2010, Krystian Kloskowski discovered a vulnerability in QuickTime Player 7.6.6 for Windows caused by a buffer overflow in the application’s error logging.

The original advisory states:

The vulnerability is caused due to a boundary error in QuickTimeStreaming.qtx when constructing a string to write to a debug log file. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into viewing a specially crafted web page that references a SMIL file containing an overly long URL.

Successful exploitation of this vulnerability leads to the ability to execute arbitrary code on the victim’s computer.

A couple of days ago, Joshua Drake (aka jduck) submitted a working exploit module to the Metasploit Framework.

As QuickTime is installed on many Windows systems these days (it’s included as part of iTunes), this vulnerability poses a real threat. As always, users should beware of clicking on unknown links, but ultimately if someone wants to get you to visit a malicious page, they can.

In this case users should update QuickTime as soon as possible. Apple has released QuickTime 7.6.7, which fixes this issue.
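As an added illustration of the bug class the advisory describes (this is not code from QuickTime or from the Metasploit module), the block below builds a debug-log line from a URL into a fixed-size stack buffer: the unbounded pattern is shown for contrast, and the hardened version bounds the write and reports truncation instead of overrunning the buffer. The buffer size and the log-line format are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Size of the fixed stack buffer the log line is built in (assumed value). */
#define LOG_LINE_MAX 256

/*
 * Unbounded pattern of the kind the advisory describes: sprintf() copies the
 * whole URL into a fixed buffer, so a URL longer than the buffer overruns the
 * stack. Shown for contrast only; never called in this example.
 */
void build_log_line_unsafe(char *line, const char *url)
{
    sprintf(line, "SMIL fetch failed for %s\n", url); /* no length bound */
}

/*
 * Hardened version: snprintf() never writes more than LOG_LINE_MAX bytes and
 * returns the length the full line would have had, so the caller can tell
 * that the attacker-controlled URL was truncated. Returns true if the line
 * fit, false if it was truncated or formatting failed.
 */
bool build_log_line_safe(char line[LOG_LINE_MAX], const char *url)
{
    int needed = snprintf(line, LOG_LINE_MAX, "SMIL fetch failed for %s\n", url);
    if (needed < 0) {
        line[0] = '\0';
        return false;
    }
    return (size_t)needed < LOG_LINE_MAX;
}

/* Helper: does a constructed URL of n characters fit in one log line? */
bool url_fits(size_t n)
{
    char url[2048];
    char line[LOG_LINE_MAX];
    if (n >= sizeof url)
        return false;
    memset(url, 'A', n); /* constructed URL of n bytes, not a real SMIL link */
    url[n] = '\0';
    return build_log_line_safe(line, url);
}
```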

[Update] Check out the video below for a demo of the Metasploit module in action:

Metasploit_Apple_Quicktime_Smil_Debug from 4xteam on Vimeo.


iPhone 4.0.2/iPad 3.2.2 Update Patches JailbreakMe Vulnerabilities

Apple has today released iOS 4.0.2 (and iOS 3.2.2 for iPad) which patches the two vulnerabilities used by JailbreakMe. The first, as I mentioned in my original post on the topic, was in FreeType, a font engine library. Apple describes the issue as:

A stack buffer overflow exists in FreeType’s handling of CFF opcodes. Viewing a PDF document with maliciously crafted embedded fonts may allow arbitrary code execution. This issue is addressed through improved bounds checking.

The second vuln was in IOSurface, and allowed the exploit to escalate privileges to root, thus breaking out of Mobile Safari’s sandbox. IOSurface is a framework that contains low-level interfaces for sharing graphics surfaces between applications. The vulnerability is described as:

An integer overflow exists in the handling of IOSurface properties, which may allow malicious code running as the user to gain system privileges. This issue is addressed through improved bounds checking.

Apple’s original description of this update can be found here. Note that neither of these vulnerabilities was attributed to anyone (possibly because they weren’t actually disclosed through the proper channels).
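As an added illustration of the integer-overflow-then-bounds-check pattern Apple’s note describes (not the IOSurface or FreeType code, whose details are not on the page), the block below sizes a property table from an untrusted element count: the unchecked 32-bit arithmetic wraps to a tiny size, while the checked version rejects the request. The record layout, the 32-bit count type and the 4096-entry limit are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout of one property record in a table sized from client input. */
typedef struct {
    uint32_t key;
    uint32_t value;
} property_t;

/* Upper bound on how many properties one request may carry (assumed policy). */
#define MAX_PROPERTIES 4096u

/*
 * Unchecked pattern: count comes from an untrusted caller and is multiplied
 * in 32-bit arithmetic. For count = 0x40000001 the product wraps to 8, so a
 * tiny buffer would be allocated while later code still trusts 'count'.
 */
uint32_t table_bytes_unchecked(uint32_t count)
{
    return count * (uint32_t)sizeof(property_t);
}

/*
 * Hardened pattern ("improved bounds checking"): reject counts outside the
 * policy limit and verify the multiplication cannot wrap before using it.
 * Returns true and writes the byte size on success; false on any failure.
 */
bool table_bytes_checked(uint32_t count, size_t *out_bytes)
{
    if (count == 0 || count > MAX_PROPERTIES)
        return false;
    if ((size_t)count > SIZE_MAX / sizeof(property_t)) /* would wrap size_t */
        return false;
    *out_bytes = (size_t)count * sizeof(property_t);
    return true;
}

/* Allocate and zero a table only when the size computation was validated. */
property_t *alloc_property_table(uint32_t count)
{
    size_t bytes;
    if (!table_bytes_checked(count, &bytes))
        return NULL;
    property_t *t = malloc(bytes);
    if (t != NULL)
        memset(t, 0, bytes);
    return t;
}
```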

These remotely-exploitable vulnerabilities are quite severe, and I definitely recommend that all iPhone (and iPad) users apply this update (including those of you who like to jailbreak).

Let’s see what the next Jailbreak will bring.

[Update 12/8/10] The source code for both of the exploits used by JailbreakMe is now available here.


Apple Preparing Patch for iPhone PDF Exploit

In a rather rapid turnaround time, indicative of the level of risk posed by the JailbreakMe PDF vulnerability, Apple on Wednesday announced that they have prepared a patch to be released in the next round of iPhone updates – hopefully to be released sooner rather than later.

The security update will likely patch at least the two vulnerabilities used by JailbreakMe, as well as other flaws that may have been recently disclosed to Apple. This will break the jailbreaking process (and carrier unlocks) for anyone updating to the latest version, unless the jailbreak developers have other remote privilege escalation exploits up their sleeves.

[Update 11/8/10] iOS 4.0.2/3.2.2 released.


JailbreakMe and the PDF Exploit

[Update] JailbreakMe 3.0 for iOS 4.3.3 is out!

JailbreakMe by comex (et al.) now provides an easy way of remotely jailbreaking the iPhone, iPad and iPod – including those running iOS up to 4.0.1.

The technique works thanks to a specially-crafted PDF document which exploits a vulnerability in the font engine library (possibly libfreetype) used by Mobile Safari. Another local privilege escalation exploit (possibly in IOKit) is then used to gain root access on the device, allowing for the jailbreak to take place.

Depending on the device used to visit the site, it will deliver one of its existing payloads to perform the initial exploit. During the jailbreak it will download an additional 3.7MB bin file.

Although this may seem like a great ‘feature’ to potential jailbreakers, users should be aware that a severe underlying flaw exists which allows this remote jailbreaking to take place. Until Apple patches this, iPhone users should beware of visiting untrusted sites, as this same exploit could potentially be modified to carry out attacks on legitimate non-jailbroken iPhones.

Here’s a video of someone jailbreaking Apple Stores for fun.

[Update 4/8/10] ultrasn0w update brings iPhone 4 carrier unlock.

[Update 11/8/10] iOS 4.0.2/3.2.2 update patches these two vulnerabilities.

[Update 12/8/10] comex has released the source code for the jailbreak exploit.


Safari AutoFill Information Disclosure (with PoC)

Thanks to Safari’s nifty AutoFill feature, it has long been susceptible to an information disclosure vulnerability which could allow a malicious web page to extract various details stored in your personal vCard in Address Book.

This was highlighted a while back, and today re-emphasized by Jeremiah Grossman with a proof-of-concept attack.

The issue exists due to the way that Safari tries (by default) to auto-populate some of your details, including name, address, telephone number, etc, when you fill out forms. This can only happen if you have ‘AutoFill web forms’ enabled in Safari’s preferences, as shown in the screenshot below:

Uncheck these boxes to prevent this attack… but note that you’ll have to type your own info in afterwards! It’s not a high-risk vulnerability, but if you’re concerned about your privacy whilst browsing and in general, do what I do and set an empty card, rather than your real one, as your personal card in Address Book. You can do this by creating a new card (enter some dummy info if you want), selecting it, and then choosing “Make this my card” from the Card menu.

Apple’s been notified of the issue, however as this is a ‘feature’ and not a bug, it’ll be interesting to see whether they’ll actually choose to do anything about it.