BID:22249 - Apple CFNetwork HTTP NULL Pointer Dereference Denial of Service Vulnerability

Apple CFNetwork HTTP NULL Pointer Dereference Denial of Service Vulnerability

BID:22249

Info

Apple CFNetwork HTTP NULL Pointer Dereference Denial of Service Vulnerability

Bugtraq ID:	22249
Class:	Failure to Handle Exceptional Conditions
CVE:	CVE-2007-0464
Remote:	Yes
Local:	No
Published:	Jan 25 2007 12:00AM
Updated:	Nov 15 2007 12:40AM
Credit:	LMH is credited with the discovery of this issue.
Vulnerable:	Apple Mac OS X Server 10.4.10 Apple Mac OS X Server 10.4.9 Apple Mac OS X Server 10.4.8 Apple Mac OS X Server 10.4.7 Apple Mac OS X Server 10.4.6 Apple Mac OS X Server 10.4.5 Apple Mac OS X Server 10.4.4 Apple Mac OS X Server 10.4.3 Apple Mac OS X Server 10.4.2 Apple Mac OS X Server 10.4.1 Apple Mac OS X Server 10.4 Apple Mac OS X 10.4.10 Apple Mac OS X 10.4.9 Apple Mac OS X 10.4.8 Apple Mac OS X 10.4.7 Apple Mac OS X 10.4.6 Apple Mac OS X 10.4.5 Apple Mac OS X 10.4.4 Apple Mac OS X 10.4.3 Apple Mac OS X 10.4.2 Apple Mac OS X 10.4.1 Apple Mac OS X 10.4 Apple CFNetwork 129.19

Not Vulnerable:	Apple Mac OS X Server 10.4.11 Apple Mac OS X 10.4.11

Discussion

Apple CFNetwork HTTP NULL Pointer Dereference Denial of Service Vulnerability

Apple CFNetwork Framework is prone to a denial-of-service vulnerability.

Attackers may exploit this issue by issuing a maliciously designed HTTP response to a client application that uses the vulnerable CFNetwork API.

Successful exploits will result in denial-of-service conditions within client applications.

CFNetwork 129.19 on Mac OS X 10.4.8 is vulnerable to this issue.

Exploit / POC

Apple CFNetwork HTTP NULL Pointer Dereference Denial of Service Vulnerability

An attacker can exploit this issue by enticing an unsuspecting victim to issue an HTTP request to a malicious CFNetwork server.

The following exploits are available:

/data/vulnerabilities/exploits/MOAB-25-01-2007.rb
/data/vulnerabilities/exploits/MOAB-25-01-2007.c

Solution / Fix

Apple CFNetwork HTTP NULL Pointer Dereference Denial of Service Vulnerability

Solution:
The vendor released an update to address this issue. Please see the references for more information.

Apple Mac OS X 10.4.1

Apple Mac OS X 10.4.11 Combo Update (Intel)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11Intel.dmg

Apple Mac OS X 10.4.11 Combo Update (PPC)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11PPC.dmg

Apple Mac OS X 10.4.10

Apple Mac OS X 10.4.11 Combo Update (Intel)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11Intel.dmg

Apple Mac OS X 10.4.11 Combo Update (PPC)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11PPC.dmg

Apple Mac OS X 10.4.2

Apple Mac OS X 10.4.11 Combo Update (Intel)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11Intel.dmg

Apple Mac OS X 10.4.11 Combo Update (PPC)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11PPC.dmg

Apple Mac OS X 10.4.3

Apple Mac OS X 10.4.11 Combo Update (Intel)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11Intel.dmg

Apple Mac OS X 10.4.11 Combo Update (PPC)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11PPC.dmg

Apple Mac OS X 10.4.4

Apple Mac OS X 10.4.11 Combo Update (Intel)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11Intel.dmg

Apple Mac OS X 10.4.11 Combo Update (PPC)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11PPC.dmg

Apple Mac OS X 10.4.5

Apple Mac OS X 10.4.11 Combo Update (Intel)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11Intel.dmg

Apple Mac OS X 10.4.11 Combo Update (PPC)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11PPC.dmg

Apple Mac OS X 10.4.6

Apple Mac OS X 10.4.11 Combo Update (Intel)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11Intel.dmg

Apple Mac OS X 10.4.11 Combo Update (PPC)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11PPC.dmg

Apple Mac OS X 10.4.7

Apple Mac OS X 10.4.11 Combo Update (Intel)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11Intel.dmg

Apple Mac OS X 10.4.11 Combo Update (PPC)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11PPC.dmg

Apple Mac OS X 10.4.8

Apple Mac OS X 10.4.11 Combo Update (Intel)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11Intel.dmg

Apple Mac OS X 10.4.11 Combo Update (PPC)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11PPC.dmg

Apple Mac OS X 10.4.9

Apple Mac OS X 10.4.11 Combo Update (Intel)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11Intel.dmg

Apple Mac OS X 10.4.11 Combo Update (PPC)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&cat= 1&platform=osx&method=sa/MacOSXUpdCombo10.4.11PPC.dmg

References

Apple CFNetwork HTTP NULL Pointer Dereference Denial of Service Vulnerability

References:

Introduction to CFNetwork Programming Guide (Apple)
Vendor Home Page (Apple)
MOAB-25-01-2007: Apple CFNetwork HTTP Response Denial of Service (LMH)