Bugs
| # | Title | Description | PoC/Exploit | References |
|---|---|---|---|---|
| 30 | Multiple Apple Software Format String Vulnerabilities | Apple Help Viewer, Safari, iMovie and iPhoto are affected by multiple format string vulnerabilities, related to certain functions from AppKit that have been documented in previous releases. | Not required. | CVE-NO-NAME |
| 29 | Apple iChat Bonjour Multiple Denial of Service Vulnerabilities | Apple iChat Bonjour functionality is affected by several remotely exploitable denial of service flaws which can be triggered via advertising presence services over multicast DNS. | MOAB-29-01-2007.rb | CVE-NO-NAME |
| 28 | Apple crashdump Privilege Escalation Vulnerability | crashdump follows symlinks within the /Library/Logs/CrashReporter/ directory, allowing admin-group users to execute arbitrary code and overwrite files with elevated privileges. Combined with a specially crafted Mach-O binary, this can be used to write a malicious crontab entry, which will run with root privileges. | MOAB-28-01-2007.rb | CVE-2007-0467 |
| 27 | Telestream Flip4Mac WMV Parsing Memory Corruption Vulnerability | Flip4Mac fails to properly handle WMV files with a crafted ASF_File_Properties_Object size field, leading to an exploitable memory corruption condition, which can be abused remotely for arbitrary code execution. | MOAB-27-01-2007.wmv | CVE-2007-0466 |
| 26 | Apple Installer Package Filename Format String Vulnerability | Apple Installer fails to properly handle package filename strings. It's affected by a typical format string vulnerability, which can lead to a denial of service condition or arbitrary code execution. | Not necessary | CVE-2007-0465 |
| 25 | Apple CFNetwork HTTP Response Denial of Service | CFNetwork fails to handle certain HTTP responses properly, causing the _CFNetConnectionWillEnqueueRequests() function to dereference a NULL pointer, leading to a denial of service condition. | MOAB-25-01-2007.rb MOAB-25-01-2007.c | CVE-2007-0464 |
| 24 | Apple Software Update Catalog Filename Format String Vulnerability | Software Update fails to properly handle filename strings containing the swutmp extension. It's affected by a typical format string vulnerability, which can lead to a denial of service condition or arbitrary code execution. | Not necessary. | CVE-2007-0463 |
| 23 | Apple QuickDraw GetSrcBits32ARGB() Memory Corruption Vulnerability | A vulnerability exists in the handling of ARGB records (Alpha RGB) within PICT images, that leads to an exploitable memory corruption condition. | MOAB-23-01-2007.pct | CVE-2007-0462 |
| 22 | Apple UserNotificationCenter Privilege Escalation Vulnerability | UserNotificationCenter retains wheel privileges at execution time, while still having a UID associated with the current user. Because of this, it will attempt to run any InputManager provided by the user, and code within the input manager will run under wheel privileges. In combination with diskutil and a wheel-writable setuid binary, this allows unprivileged users to gain root privileges. | MOAB-22-01-2007.rb | CVE-2007-0023 |
| 21 | System Preferences writeconfig Local Privilege Escalation Vulnerability | The preference panes setuid helper, writeconfig, makes use of a shell script which lacks PATH sanitization, allowing users to execute arbitrary binaries under root privileges. | MOAB-21-01-2007.rb | CVE-2007-0022 |
| 20 | Apple iChat aim:// URL Handler Format String Vulnerability | Apple iChat's handling of the AIM URI scheme (referred to as the 'url handler') is affected by a classic format string vulnerability, allowing remote users to cause a denial of service condition or arbitrary code execution. | MOAB-20-01-2007.html | CVE-2007-0021 |
| 19 | Transmit.app ftps:// URL Handler Heap Buffer Overflow | Transmit does not allocate enough space when dealing with the string passed on via the ftps:// URL handler, leading to an exploitable heap-based buffer overflow condition. | MOAB-19-01-2007.html | CVE-2007-0020 |
| 18 | Rumpus Multiple Vulnerabilities | rumpusd is vulnerable to several remotely exploitable heap-based buffer overflows, denial of service conditions and local privilege escalation issues. | MOAB-18-01-2007.rb | CVE-2007-0019 |
| 17 | Apple SLP Daemon Service Registration Buffer Overflow Vulnerability | slpd is vulnerable to a buffer overflow condition when processing the attr-list field of a registration request, leading to an exploitable denial of service condition and potential arbitrary code execution. It would allow unprivileged local (and possibly remote) users to execute arbitrary code under root privileges. | MOAB-17-01-2007.rb | CVE-2007-0355 |
| 16 | Multiple Colloquy IRC Format String Vulnerabilities | Colloquy is vulnerable to a format string vulnerability in the handling of INVITE requests, that can be abused by remote users and requires no interaction at all, leading to a denial of service and potential arbitrary code execution. | MOAB-16-01-2007.rb | CVE-2007-0344 |
| 15 | Multiple Mac OS X Local Privilege Escalation Vulnerabilities | Multiple binaries inside the /Applications directory tree are setuid root, but remain writable by users in the admin group (ex. first user by default in a non-server Mac OS X installation), allowing privilege escalation. | MOAB-15-01-2007.rb | CVE-2007-0345 |
| 14 | AppleTalk ATPsndrsp() Heap Buffer Overflow Vulnerability | The _ATPsndrsp function is vulnerable to a heap-based buffer overflow condition, due to insufficient checking of user input. This leads to a denial of service condition and potential arbitrary code execution by unprivileged users. | MOAB-14-01-2007.c | CVE-2007-0236 |
| 13 | Apple DMG HFS+ do_hfs_truncate() Denial of Service Vulnerability | A specially crafted HFS+ filesystem in a DMG image can cause the do_hfs_truncate() function to panic the kernel (denial of service) when attempting to remove a file from the mounted filesystem. This issue can't lead to arbitrary code execution, although there's a significant risk of corruption of local HFS+ filesystems. | MOAB-13-01-2007.dmg.gz | CVE-2006-5482 (similar old issue, UFS-based) |
| 12 | Apple DMG UFS ufs_lookup() Denial of Service Vulnerability | A specially crafted UFS filesystem in a DMG image can cause the ufs_lookup() function to call ufs_dirbad() when a corrupted directory entry is being read, leading to a kernel panic (denial of service). This issue can't be abused for remote code execution. | MOAB-12-01-2007.dmg.gz | CVE-2007-0267 MOAB-11-01-2007 |
| 11 | Apple DMG UFS byte_swap_sbin() Integer Overflow Vulnerability | The byte_swap_sbin() function, one of the UFS byte swapping routines (this code isn't present in FreeBSD and is Mac OS X XNU-specific; it is used for compatibility of filesystem streams between little- and big-endian systems), is affected by an integer overflow vulnerability, leading to an exploitable denial of service condition. | MOAB-11-01-2007.dmg.gz | CVE-2007-0299 MOAB-10-01-2007 |
| 10 | Apple DMG UFS ffs_mountfs() Integer Overflow Vulnerability | The ffs_mountfs() function, part of the UFS filesystem handling code (shared between FreeBSD and Mac OS X XNU) is affected by an integer overflow vulnerability, leading to an exploitable denial of service condition and potential arbitrary code execution. | MOAB-10-01-2007.dmg.gz | CVE-2006-5679 MOKB-03-11-2006 MOKB-08-11-2006 |
| 9 | Apple Finder DMG Volume Name Memory Corruption | Finder is affected by a memory corruption vulnerability, which leads to an exploitable denial of service condition and potential arbitrary code execution, that can be triggered by DMG images. | MOAB-09-01-2007.rb MOAB-09-01-2007.dmg | CVE-2007-0197 |
| 8 | Application Enhancer (APE) Local Privilege Escalation | Application Enhancer (APE) is affected by a local privilege escalation vulnerability which allows local users to gain root privileges. | exploit-of-the-apes.rb | CVE-2007-0162 |
| 7 | OmniWeb Javascript alert() Format String Vulnerability | OmniWeb is affected by a format string vulnerability in the handling of Javascript alert() function, which could allow remote arbitrary code execution. | MOAB-07-01-2007.html | CVE-2007-0148 |
| 6 | Multiple Vendor PDF Document Catalog Handling Vulnerability | The current PDF specification is affected by a design flaw: a rogue Pages entry or malicious catalog dictionary could cause a denial of service (memory corruption condition, memory leakage, etc.) or potential arbitrary code execution in the reader application. | MOAB-06-01-2007.pdf | CVE-2007-0104 CVE-2007-0103 CVE-2007-0102 |
| 5 | Apple DiskManagement BOM Local Privilege Escalation Vulnerability | A vulnerability in the handling of BOM files by DiskManagement/diskutil allows setting rogue permissions on the filesystem. This can be used to execute arbitrary code and escalate privileges. | MOAB-05-01-2007.rb MOAB-05-01-2007_cron.rb | CVE-2007-0117 |
| 4 | iLife iPhoto Photocast XML title Format String Vulnerability | A format string vulnerability in the handling of the title field of iPhoto XML feeds allows potential remote arbitrary code execution. | MOAB-04-01-2007.rb | CVE-2007-0051 |
| 3 | Apple Quicktime HREFTrack Cross-Zone Scripting vulnerability | A vulnerability in the handling of the HREFTrack field allows cross-zone scripting, leading to potential remote arbitrary code execution. | MOAB-03-01-2007.rb | CVE-2007-0059 |
| 2 | VLC Media Player udp:// Format String Vulnerability | A vulnerability in the handling of the udp:// URL handler allows remote arbitrary code execution. | VLCMediaSlayer-x86.pl VLCMediaSlayer-ppc.pl | CVE-2007-0017 |
| 1 | Apple Quicktime rtsp URL Handler Stack-based Buffer Overflow | A vulnerability in the handling of the rtsp:// URL handler allows remote arbitrary code execution. | MOAB-01-01-2007.rb | CVE-2007-0015 |
Frequently Asked Questions (FAQ)
The following list of questions and answers aims to provide some information regarding the motives and related facts about the MoAB, such as the products involved and the disclosure terms. Please check that your question isn't already answered here before attempting to contact us. Any unsolicited, offensive or nonsensical e-mail will be ignored, published with details or reported to the proper parties.
- Is this an attack, revenge, conspiracy or some kind of evil plot against Apple and the users of Apple products?
  Not at all, some of us use OS X on a daily basis. Getting problems solved makes that use a bit safer each day, for everyone else. Flaws exist, with and without people disclosing them. If we wanted to make business out of this we would be selling the issues and the proper exploit for each one. Thus, business-wise, we are wasting a good cake with this project (although software by Apple isn't really of interest in these terms, except iTunes and other high-profile applications).
- But XXX bug is a crash, not an exploit. But XXX is a kernel panic. But XXX is (some gobbledegook).
  Shrug. Fortunately this time there will be working exploits for almost every critical advisory released, thus there will be less room for drama and speculation.
- Are Apple products the only target of this initiative?
  Not at all, but they are the main focus. We'll be looking over popular OS X applications as well.
- Are the issues being reported to the vendor before public disclosure?
  Rarely, the point is releasing them without vendor notification. Although, sometimes we may decide to pass an issue through the appropriate people. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end. 'Responsible disclosure' exists when the vendor doesn't deploy any harmful tactics against the source of the vulnerability reports, and requires confidence by all parties involved. At the moment, we don't trust Apple on these matters due to the track record of incidents and unpleasant situations surrounding their policy on product vulnerability handling.
- Does "someone" pay, sponsor or support this? e.g. is this initiative influenced by (random software vendor) in order to spread FUD over a competitor's products?
  Definitely, no way. For conspiracy theories, please watch the X Files.
- Why Apple and not (random software vendor)?
  We like to play with OS X, we enjoy hate e-mail and it's not as crowded as (random software vendor), yet. Thus, it's really comfortable for research and there's so much to be worked out.
- John Doe has written a 'post' in his blog, saying he debunks the XXX bug, what's that?
  No worries. It's probably someone begging for attention or PR-brainwashed. Like good old Dirty Harry said...
  De Georgio: You need any help?
  Harry Callahan: Go on out and get some air, fatso.
- I'm going to kill you and your dog. And pee in your empty dead skull.
  The hardcore bondage club is at the other building. Have a nice day.
- What does "pwnie" mean? Doesn't the use of a monstrous pony image and pink color lessen the credibility of this work?
  The 'pwnies phenomenon' is nothing more than yet another meme or nonsense net-folklore. The original image was drawn by Jon-Mikel Gates and was sent to Jonathan Coulton. Someone proposed using it to give a sarcastic / humorous sense to the Apple-related bugs. Probably, the intention was to create the slang term (pink bug) for these issues, given the totally nonsensical and immature reaction from so-called Mac fan boys. On the second question, if that, for you, ruins the credibility of this exercise, you're clearly not the audience we're speaking for.
About
This initiative aims to serve as an effort to improve Mac OS X by uncovering security flaws in different Apple software and third-party applications designed for this operating system. A positive side-effect, probably, will be a more security-conscious user-base and better practices from the management side of Apple. We also want to develop and provide tools and documented techniques to aid security research on this platform.
If nothing else, we had fun working on it and hope people out there will enjoy the results.
(Lance M. Havok and Kevin Finisterre, 2006).
Press and pressure
What the media and press say about the MoAB:
- Apple Bug-Hunt Begins - PC World
- Month of Apple bugs planned for January - The Register
- Coming in January: Month of Apple Bugs - Security Watch (eWeek)
- Coming in January: "Month of Apple Bugs" - Security Fix (The Washington Post)
- An Apple (Bug) a Day - Dark Reading
- Flaw Found in Apple Bug-Fix Tool (Slashdot)
- Month of Apple Bugs - First Bug Unveiled (Slashdot)
- Security project focuses on Apple (BBC News).
...and Public Relations (PR) drama:
- Editorial - A Month of Continuous Foolishness - MacObserver.
Disclaimer
Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author(s) be liable for any direct or indirect damages whatsoever resulting from or in connection with the use or spread of this information, which is distributed for educational and research purposes only. Any use of this information is at the user's own risk.