Advisory:             Apple iPhone OS and Mac OS X CoreAudio Stack Buffer Overflow
Advisory ID:          TKADV2010-002
Revision:             1.0
Release Date:         2010/02/02
Last Modified:        2010/02/02
Date Reported:        2009/10/04
Author:               Tobias Klein (tk at trapkit.de)
Affected Software:    iPhone OS 1.0 through 3.1.2
                      iPhone OS for iPod touch 1.1 through 3.1.2
                      Mac OS X v10.5.8, Mac OS X Server v10.5.8
                      Mac OS X v10.6.2, Mac OS X Server v10.6.2
Remotely Exploitable: Yes
Locally Exploitable:  No
Vendor URL:           http://www.apple.com/
Vendor Status:        Vendor has released an updated version
CVE-ID:               CVE-2010-0036
Patch development time: 107 days (Mac OS X), 121 days (iPhone)

======================
Vulnerability Details:
======================

iPhone OS:

The AudioToolbox library of iPhone OS contains a stack buffer overflow
vulnerability while parsing malformed movie header atoms (mvhd). The
vulnerability may be exploited by an attacker to execute arbitrary code
in the context of an application using the vulnerable library. The
specific flaw exists in the handling of the atom size of movie header
atoms. Example attack vectors are MobileSafari, the built-in iPod as
well as ringtones.

Mac OS X:

Also affected by the same vulnerability.

==================
Technical Details:
==================

Operating system:    iPhone OS
Vulnerable library:  /System/Library/Frameworks/AudioToolbox.framework/AudioToolbox
Vulnerable function: MP4AudioStream::ParseHeader()

Disassembly of the vulnerable function (iPhone OS 3.1 SDK):

[..]
__text:000E4508 [1]  STR     R0, [SP,#0x2A4+var_254]
__text:000E450C      LDR     R1, [R2,#0x28]
__text:000E4510      RSB     R3, R4, R12
__text:000E4514      ADD     R1, R3, R1              ; void *
__text:000E4518 [2]  LDR     R2, [SP,#0x2A4+var_254] ; size_t
__text:000E451C      MOV     R0, R9                  ; void *
__text:000E4520 [3]  BL      _memcpy
[..]

[1] The user-controllable mvhd atom size from the audio file is saved in
    [SP,#0x2A4+var_254] on the stack.

[2] The user-controlled atom size is used as the length value for a
    memcpy() call.

[3] The memcpy() function gets called with the following parameters:

    memcpy (R0, R1, R2);

    R0 (dst) = stack buffer
    R1 (src) = heap buffer that points to user-controllable audio file data
    R2 (len) = user-controllable length

This leads to an exploitable stack buffer overflow.

=========
Solution:
=========

iPhone OS: Upgrade to iPhone OS 3.1.3 or iPhone OS 3.1.3 for iPod touch

Mac OS X:  Apply Security Update 2010-001

====================
Disclosure Timeline:
====================

2009/10/04 - Apple Product Security Team notified
2009/10/04 - Received an automated response message
2009/10/05 - Reply from Apple
2009/10/14 - Status update request sent to Apple
2009/10/15 - Apple confirms the vulnerability
2009/12/16 - Status update by Apple
2010/01/12 - Status update by Apple
2010/01/13 - Status update by Apple
2010/01/19 - Security Update 2010-001 for Mac OS X released by Apple
2010/02/02 - New iPhone OS released by Apple
2010/02/02 - Release date of this security advisory

========
Credits:
========

Vulnerability found and advisory written by Tobias Klein.

===========
References:
===========

[REF1] http://support.apple.com/kb/HT4013
[REF2] http://support.apple.com/kb/HT4004
[REF3] http://www.trapkit.de/advisories/TKADV2010-002.txt

========
Changes:
========

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release

===========
Disclaimer:
===========

The information within this advisory may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are no warranties, implied or express, with regard to this
information. In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information. Any use of this information is at the
user's own risk.

==================
PGP Signature Key:
==================

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

Copyright 2010 Tobias Klein. All rights reserved.
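Worked example for the Technical Details section: a hardened mvhd atom reader, added here and not code from the advisory or from AudioToolbox. It assumes the standard ISO base media atom header (big-endian 32-bit size that includes the 8-byte header, then a 4-byte type) and a hypothetical 128-byte destination buffer, and it checks the attacker-controlled size against both the available input and the stack buffer capacity before the memcpy, which is the check the vulnerable code lacked.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical capacity of the stack buffer receiving the mvhd body; the
 * real AudioToolbox buffer size is not stated in the advisory. */
#define MVHD_BUF_SIZE 128
#define ATOM_HDR 8

/* Atom size field: 32-bit big-endian, counts the 8-byte header too. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Copy the mvhd body at `data` into a fixed stack buffer. Returns the
 * number of body bytes copied, or -1 if the atom is rejected. The size
 * field is attacker-controlled, so it is checked against both the input
 * length and the destination capacity before memcpy runs. */
int parse_mvhd_atom(const uint8_t *data, size_t len) {
    uint8_t body[MVHD_BUF_SIZE];
    if (len < ATOM_HDR || memcmp(data + 4, "mvhd", 4) != 0) return -1;
    uint32_t atom_size = be32(data);
    /* Sizes 0 (to end of file) and 1 (64-bit extended) are not handled here. */
    if (atom_size < ATOM_HDR) return -1;
    if (atom_size > len) return -1;            /* claims more than the input */
    size_t body_len = atom_size - ATOM_HDR;
    if (body_len > sizeof body) return -1;     /* the check the bug lacked */
    memcpy(body, data + ATOM_HDR, body_len);
    return (int)body_len;                      /* version/flags now in body[0..3] */
}

/* Constructed sample: well-formed 108-byte mvhd (8-byte header, 100-byte body). */
int demo_wellformed(void) {
    uint8_t atom[108] = {0x00, 0x00, 0x00, 0x6C, 'm', 'v', 'h', 'd'};
    return parse_mvhd_atom(atom, sizeof atom);
}

/* Constructed sample: header claims 0x7FFFFFF0 bytes but only 108 are present. */
int demo_claimed_oversize(void) {
    uint8_t atom[108] = {0x7F, 0xFF, 0xFF, 0xF0, 'm', 'v', 'h', 'd'};
    return parse_mvhd_atom(atom, sizeof atom);
}

/* Constructed sample: 512 bytes really present, so only the destination
 * capacity check stops the copy from overrunning the 128-byte stack buffer. */
int demo_real_oversize(void) {
    uint8_t atom[512] = {0x00, 0x00, 0x02, 0x00, 'm', 'v', 'h', 'd'};
    return parse_mvhd_atom(atom, sizeof atom);
}
```

The third sample is the one that matters for this bug: its size field is consistent with the file, so a length-only check passes and only the comparison against the destination capacity prevents the overflow.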