Apple Mac OS X Finder DMG Volume Memory Corruption Vulnerability
BID:21980
| Bugtraq ID: | 21980 |
| Class: | Boundary Condition Error |
| CVE: | CVE-2007-0197 |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 09 2007 12:00AM |
| Updated: | Feb 20 2007 08:26PM |
| Credit: | LMH <[email protected]> is credited with the discovery of this vulnerability. |
| Vulnerable: | Apple Mac OS X Server 10.4.8; Apple Mac OS X 10.4.8 |
| Not Vulnerable: | |
Discussion
Apple Mac OS X Finder is prone to a memory-corruption vulnerability. This issue occurs when the application fails to handle overly long DMG volume names.
Due to the nature of this issue, an attacker may be able to execute arbitrary machine code in the context of the affected application, but this has not been confirmed. Failed exploit attempts result in memory corruption and a crash of the application, denying service to legitimate users.
Finder 10.4.6 on Mac OS X 10.4.8 X86 is vulnerable to this issue; other versions may also be affected.
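The class of this issue is a boundary condition error: a length supplied by the disk image is trusted when a volume name is copied into a fixed-size buffer. The following is an added illustration of the two checks that prevent that class of bug, written for this page and not taken from Apple's or the researcher's code. It assumes a simple length-prefixed record layout (one length byte followed by the name bytes) and an arbitrary 64-byte destination buffer; both are assumptions chosen for the demonstration, not Finder's real on-disk format or buffer size.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Assumed destination capacity for the illustration. This is NOT Finder's
 * real buffer size; it is only here so the check has something to compare to. */
#define VOLNAME_BUF 64

/* A one-byte length prefix can express at most 255 bytes, which is why a
 * 255-byte name is the natural worst case to test against. */
#define VOLNAME_MAX_ENCODED 255

/* Parse a length-prefixed volume name (assumed layout: 1 length byte, then
 * that many name bytes) from `in` of `in_len` bytes into `out`.
 * Returns the copied length on success, or -1 if the record is malformed or
 * the name plus NUL terminator would not fit in `out_cap` bytes. */
int parse_volume_name(const uint8_t *in, size_t in_len, char *out, size_t out_cap)
{
    if (in == NULL || out == NULL || out_cap == 0 || in_len < 1)
        return -1;

    size_t name_len = in[0];            /* untrusted: comes from the image */

    /* Check 1: the record must actually contain name_len bytes of name. */
    if (name_len > in_len - 1)
        return -1;

    /* Check 2: the name and its terminator must fit the destination. */
    if (name_len >= out_cap)
        return -1;

    memcpy(out, in + 1, name_len);
    out[name_len] = '\0';
    return (int)name_len;
}

/* Build a constructed record whose name is `len` filler bytes 'A'.
 * `rec` must have room for 256 bytes. Returns the record size (len + 1). */
size_t make_record(uint8_t *rec, size_t len)
{
    if (len > VOLNAME_MAX_ENCODED)
        len = VOLNAME_MAX_ENCODED;
    rec[0] = (uint8_t)len;
    memset(rec + 1, 'A', len);
    return len + 1;
}

/* Demonstration helper: does a well-formed record with a name of `len`
 * bytes get accepted into the fixed-size buffer? */
int accepts_name_of_length(size_t len)
{
    uint8_t rec[256];
    char out[VOLNAME_BUF];
    size_t n = make_record(rec, len);
    return parse_volume_name(rec, n, out, sizeof out) >= 0;
}

/* Demonstration helper: a record whose length byte claims 200 bytes but
 * which is only 11 bytes long must be rejected by check 1. */
int rejects_truncated_record(void)
{
    uint8_t rec[256];
    char out[VOLNAME_BUF];
    make_record(rec, 200);
    return parse_volume_name(rec, 11, out, sizeof out) == -1;
}

int main(void)
{
    printf("12-byte name accepted:  %d\n", accepts_name_of_length(12));
    printf("63-byte name accepted:  %d\n", accepts_name_of_length(63));
    printf("64-byte name accepted:  %d\n", accepts_name_of_length(64));
    printf("255-byte name accepted: %d\n", accepts_name_of_length(255));
    printf("truncated record rejected: %d\n", rejects_truncated_record());
    return 0;
}
```

The second check is the one whose absence produces the symptom described above: a 255-byte name is a valid encoding, so only a comparison against the destination capacity (not against the encoded maximum) keeps the copy in bounds. The first check matters as well, since a length byte larger than the remaining record would otherwise read past the end of the input.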
Exploit / POC
The following proof-of-concept DMG image demonstrates this issue.
The proof-of-concept code can be used to create a malicious DMG image with a random 255-byte payload that will trigger the condition.
Solution / Fix
Solution:
The vendor has released fixes to address this issue. Please see the references for more information.

Apple Mac OS X Server 10.4.8
- Apple SecUpd2007-002Ti.dmg
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13013&cat=1&platform=osx&method=sa/SecUpd2007-002Ti.dmg
- Apple SecUpd2007-002Univ.dmg
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13012&cat=1&platform=osx&method=sa/SecUpd2007-002Univ.dmg

Apple Mac OS X 10.4.8
References
References:
- DMA[2007-0109a] - 'Apple Finder Disk Image Volume Label Overflow / DoS' (Kevin Finisterre)
- Mac OS X Homepage (Apple)
- DMA[2007-0107a] OmniWeb Javascript Alert Format String Vulnerability and DMA[2007 (Kevin Finisterre)
- MOAB-09-01-2007: Apple Finder DMG Volume Name Memory Corruption (LMH)
- Vulnerability Note VU#240880 - Apple Mac OS X Finder DMG volume name buffer over (US-CERT)