[Unpatched] Apple OS X ATSServer CFF CharStrings INDEX Sign Mismatch (The Jailbreakme bug in OSX)
Hey guys! It’s been a long time since my last post… I’ve been very busy with some personal projects, but I thought this advisory deserved at least a small post about it.
I’ll make it short: Matias Eissler, a teammate at Core, triggered the Jailbreakme bug in OS X, so we decided to spend some time researching it.
But what we found is a completely different bug, in the handling of exactly the same type of component. And, btw, it has *very* dangerous attack vectors.
For all these reasons (and because we wanna support this amazing project) we are gonna give a small talk about this bug, its attack vectors and its exploitation (Core Impact already has a working multi-version exploit) today, at the Open Security Jam 2010, an event of La Fabrica de Inventos, the first Buenos Aires hackerspace.
Hope to see some of you there.
Oh, another little thing! This advisory was released as a “User Release”. That means that Apple still hasn’t patched it, although it was reported to Apple almost 3 months ago.
I suggest you read the timeline. I think this was the right thing to do. Apple likes to set dates that it is not going to honor and… to be honest, it looks like some kind of power demonstration technique to me.
And… they might not have *that* power.
Apple OS X ATSServer CFF CharStrings INDEX Sign Mismatch
1. Advisory Information
Title: Apple OS X ATSServer CFF CharStrings INDEX Sign Mismatch
Advisory Id: CORE-2010-0825
Advisory URL: http://www.coresecurity.com/content/Apple-OSX-ATSServer-CharStrings-Sign-Mismatch
Date published: 2010-11-08
Date of last update: 2010-11-08
Vendors contacted: Apple
Release mode: User release
2. Vulnerability Information
Class: Input validation error [CWE-20]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
CVE Name: CVE-2010-1797
Bugtraq ID: N/A
3. Vulnerability Description
Apple Type Services is prone to memory corruption due to a sign mismatch vulnerability when handling the last offset value of the CharStrings INDEX structure.
This vulnerability could be used by a remote attacker to execute arbitrary code by enticing a user of Mac OS X v10.5.x to view or download a PDF document containing an embedded malicious CFF (Compact Font Format) font.
This vulnerability is a variation of the vulnerability labeled as CVE-2010-1797 (FreeType JailbreakMe iPhone exploit variation).
4. Vulnerable packages
* Apple Mac OS X v10.5.x
5. Solutions and Workarounds
According to information provided to us by Apple, a patch for this issue has already been developed. Apple gave us a release date for this patch on two occasions but then failed to meet their own deadlines without giving us any notice or explanation.
Apple Mac OS X 10.6 is not affected by this vulnerability; upgrading to that version is highly recommended when possible.
6. Credits
This vulnerability was discovered and researched by Anibal Sacco and Matias Eissler, from Core Security Technologies. Publication was coordinated by Fernando Russ and Pedro Varangot.
7. Technical Description
When a PDF with an embedded CFF font is loaded, a sign mismatch error in ATSServer is triggered while handling the last offset value of the CharStrings INDEX structure.
This can be triggered in different ways:
* When trying to make a thumbnail of the file
* When trying to open the file with the Preview app
* Serving the file from a web server and tricking the user into clicking on it.
* Embedded in an email (if handled by Mail.app)
This allows the process memory to be corrupted by controlling the size parameter of a memcpy function call, which allows an attacker to gain code execution.
At [00042AFA] we can see how the value obtained from the file is sign-extended before being passed to the function loc_370F0. Inside this function the value is used as the size parameter of memcpy:
00042AF2 movsx   eax, word ptr [edx+5Eh]
00042AF6 mov     [esp+0Ch], eax
00042AFA movsx   eax, word ptr [esi+4]
00042AFE mov     [esp], edi
00042B01 mov     [esp+8], eax
00042B05 mov     eax, [ebp-2Ch]
00042B08 mov     [esp+4], eax
00042B0C call    loc_370F0
An attacker could take advantage of this condition by setting a negative offset value (0xfffa) in the file; that value is converted to a DWORD without enough validation, leading to a memcpy of size 0xfffffffa.
This vulnerability results in arbitrary code execution.
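The following is an added illustration of the bug class described above; it is not code from Core, from Apple or from the ATSServer binary. It models a CFF INDEX parser that reads the last offset as a signed 16-bit word and sign-extends it into a copy length (the movsx pattern at 00042AFA), next to a checked parser that reads the offsets unsigned and bounds-checks them against the buffer. The INDEX layout used (count, offSize, count+1 one-based offsets, then data) is the one from the CFF specification; the sample buffers, the function names and the assumption that offSize is 2 in the unsafe path are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not code from Core or Apple. CFF INDEX layout (CFF
 * specification): count (2 bytes, big-endian), offSize (1..4), count+1
 * offsets of offSize bytes each, 1-based and relative to the byte before
 * the data, then the data itself. The last offset minus one is the total
 * length of the data. The sample buffers below are constructed. */

/* Big-endian unsigned read of n bytes (n <= 4). */
static uint32_t rd_be(const uint8_t *p, unsigned n) {
    uint32_t v = 0;
    while (n--) v = (v << 8) | *p++;
    return v;
}

/* Vulnerable pattern (mirrors the movsx at 00042AFA): the last offset is
 * loaded as a signed 16-bit word, widened to a signed 32-bit int, and that
 * int is what reaches memcpy's size_t parameter on a 32-bit build. No
 * bounds check; offSize is assumed to be 2 here for brevity. */
uint32_t unsafe_charstrings_len(const uint8_t *idx) {
    uint16_t count = (uint16_t)rd_be(idx, 2);
    int16_t last = (int16_t)rd_be(idx + 3 + 2u * count, 2);
    int32_t len = last;            /* sign extension happens here */
    return (uint32_t)len;          /* 0xfffa becomes 0xfffffffa */
}

/* Checked parser: unsigned reads, offSize validated, header and data kept
 * inside the buffer, offsets required to start at 1 and never decrease.
 * Returns 0 and the data length on success, -1 on any malformed input. */
int safe_index_len(const uint8_t *buf, size_t buflen, size_t *data_len) {
    if (buflen < 2) return -1;
    uint32_t count = rd_be(buf, 2);
    if (count == 0) { *data_len = 0; return 0; }   /* empty INDEX is just the count */
    if (buflen < 3) return -1;
    unsigned off_size = buf[2];
    if (off_size < 1 || off_size > 4) return -1;
    size_t hdr = 3 + (size_t)(count + 1) * off_size;
    if (hdr > buflen) return -1;                    /* offset array must fit */
    uint32_t prev = rd_be(buf + 3, off_size);
    if (prev != 1) return -1;                       /* first offset is always 1 */
    for (uint32_t i = 1; i <= count; i++) {
        uint32_t off = rd_be(buf + 3 + (size_t)i * off_size, off_size);
        if (off < prev) return -1;                  /* offsets never decrease */
        prev = off;
    }
    size_t len = prev - 1;
    if (len > buflen - hdr) return -1;              /* data must lie inside the buffer */
    *data_len = len;
    return 0;
}

/* Convenience wrapper: data length on success, -1 on rejection. */
long checked_len(const uint8_t *buf, size_t buflen) {
    size_t n = 0;
    return safe_index_len(buf, buflen, &n) == 0 ? (long)n : -1L;
}

/* Constructed: count=2, offSize=2, offsets {1,4,7}, data "abcdef". */
const uint8_t kGoodIndex[] = {0x00,0x02, 0x02, 0x00,0x01, 0x00,0x04, 0x00,0x07,
                              'a','b','c','d','e','f'};
/* Constructed: the same INDEX with the last offset set to 0xfffa. */
const uint8_t kBadIndex[]  = {0x00,0x02, 0x02, 0x00,0x01, 0x00,0x04, 0xff,0xfa,
                              'a','b','c','d','e','f'};

int main(void) {
    printf("unsafe(good) = 0x%08x\n", (unsigned)unsafe_charstrings_len(kGoodIndex));
    printf("unsafe(bad)  = 0x%08x\n", (unsigned)unsafe_charstrings_len(kBadIndex));
    printf("checked(good) = %ld\n", checked_len(kGoodIndex, sizeof kGoodIndex));
    printf("checked(bad)  = %ld\n", checked_len(kBadIndex, sizeof kBadIndex));
    return 0;
}
```

The checked parser does not try to "fix" a negative value; it never produces one, because the offsets are read unsigned and the derived length is compared against the bytes actually remaining in the buffer before any copy is attempted. A truncated file (offset array longer than the input) is rejected by the same check.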
8. Report Timeline
* 2010-08-26: Vendor contacted, a draft of this advisory is sent and September 28th is proposed as a coordinated publication date. Core remarks that since this is a variation of a publicly disclosed vulnerability it may have already been discovered by other security researchers, such as vulnerability research brokers or independent security researchers.
* 2010-08-28: The Apple Product Security team acknowledges the report, saying that they were able to reproduce the issue in Mac OS X 10.5 but not in Mac OS X 10.6; they also say that the September 28th deadline would be impossible to meet.
* 2010-08-30: Core informs Apple that there is no problem changing the publication date for the report, as long as the new publication date remains reasonable. Core also asks for a tentative timeframe for the fix, and confirms that Mac OS X 10.6 does not seem to be affected.
* 2010-08-31: Apple acknowledges the communication about the publication timing, and states that they are still trying to determine the most appropriate timeframe.
* 2010-09-28: Core asks the vendor for an update regarding this issue. Core also asks for a specific timeframe for the fix, and sets October 18th as the tentative publication date.
* 2010-09-28: Apple acknowledges the communication, informing that this issue will be fixed in the next security update of Mac OS X 10.5, which is tentatively scheduled for the end of October without a firm publication date.
* 2010-08-31: Apple asks Core about credit information for the advisory.
* 2010-09-28: Core acknowledges the communication, sending the credit information for this report.
* 2010-10-20: Core asks Apple for a firm date for the release of this security issue, since the initially proposed timeframe of October 18th is due.
* 2010-10-22: Apple acknowledges the communication, informing that the publication date is scheduled for the week of October 25th. Apple also notifies that the identifier assigned to this vulnerability is CVE-2010-1797.
* 2010-11-01: Core asks Apple for a new schedule for the publication, since there was no notice of any Apple security update during the week of October 25th.
* 2010-11-01: Apple acknowledges the communication, informing that the publication date was rescheduled for the middle of the week of November 1st.
* 2010-11-03: Core informs Apple that the publication of this advisory is scheduled for Monday the 8th and that, taking into account the last communication, this is a final publication date. Core also informs that the information about how this vulnerability was found and how it can be exploited will be discussed at a small infosec-related local event in Buenos Aires city.
* 2010-11-08: Core publishes advisory CORE-2010-0825.
10. About CoreLabs
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
11. About Core Security Technologies
Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company’s flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.
12. Disclaimer
The contents of this advisory are copyright (c) 2010 Core Security Technologies and (c) 2010 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.