DMA[2007-0104a] - 'iLife iPhoto Photocasting Format String Vulnerability'

Author: Kevin Finisterre
Vendor(s): http://www.apple.com
Product: 'iLife 06 (?)'

References:
http://www.digitalmunition.com/DMA[2007-0104a].txt
http://www.apple.com/ilife/iphoto/features/photocasting.html
http://projects.info-pull.com/moab/MOAB-04-01-2007.html

Description:
Rebuilt for blazing performance, iPhoto makes sharing photos faster, simpler, and cooler than ever before. It adds eye-opening features to the ones you already love, including Photocasting, support for up to 250,000 photos, easy publishing to the web, special effects, and new custom cards and calendars.

In essence iPhoto lets you spread smiles far and wide. As easily as you can create a new photo album you can share it with friends and family thousands of miles away. A new feature in iPhoto 6, Photocasting allows .Mac members to share albums with anyone, anywhere. Say you have new photos of little Johny Pwnerseed. Place the photos you'd like to share in an album called "Johny Pwnerseed's Latest Pics.", then click "Photocast this Album". iPhoto publishes the album, and others can subscribe to it by clicking a link in an email you send.

But here's where the real fun begins. If you create a malformed XML file you can simulate the photocasting functionality in iPhoto 6 and use it to trigger a format string vulnerability. Once Aunt Sophia subscribes, the fake photo feed is automatically downloaded into a "Johny Pwnerseed's Latest Pics" album, and the album title is passed straight through as a format string, triggering a format string write via %n. We're talking beautiful, full-res pwnage. Aunt Sophia is pretty much screwed if you are able to properly format your payload.

%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%n.%n.%n.%n.%n.%n

Welcome to Pwndertino!
http://www.digitalmunition.com/digital_munitions_detonator.jpg

Host Name:      Aunt-Sophias-computer
Date/Time:      2006-12-04 19:52:51.035 -0500
OS Version:     10.4.8 (Build 8L2127)
Report Version: 4

Command:      iPhoto
Path:         /Applications/iPhoto.app/Contents/MacOS/iPhoto
Parent:       WindowServer [83]

Version:        6.0.5 (6.0.5)
Build Version:  2
Project Name:   iPhotoProject
Source Version: 3160000

PID:    438
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00389ddc

Thread 0 Crashed:
0   libSystem.B.dylib          0x9000c0c1 __vfprintf + 4976
1   libSystem.B.dylib          0x90100ea9 snprintf_l + 504
2   com.apple.CoreFoundation   0x908119d5 _CFStringAppendFormatAndArgumentsAux + 4018
3   com.apple.CoreFoundation   0x9081091c _CFStringCreateWithFormatAndArgumentsAux + 122
4   com.apple.Foundation       0x925daa5d -[NSPlaceholderString initWithFormat:locale:arguments:] + 162
5   com.apple.Foundation       0x92678e6c +[NSString localizedStringWithFormat:] + 129
6   com.apple.iPhoto           0x0002ae3a 0x1000 + 171578
7   com.apple.iPhoto           0x0031298f 0x1000 + 3217807

Workaround:
Unregister the iphoto:// URL handler with RCDefaultApp.

Check out Landon's website... he has been on the ball the last few days.
http://landonf.bikemonkey.org/

He has also set aside a google group for MOAB issues.
http://groups-beta.google.com/group/moabfixes?hl=en

http://www.apple.com/support/security/
http://docs.info.apple.com/article.html?artnum=61798
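The backtrace above ends in +[NSString localizedStringWithFormat:] being handed the feed's album title as its format string. The C program below is an added example, not code from the advisory or from iPhoto; it uses snprintf() as a stand-in for that Cocoa call and shows the hardened way to format an untrusted title, plus a check a feed validator could apply to flag titles carrying conversion directives. The function names and sample titles are constructed for this example.

```c
/* Added example: safe handling of an untrusted Photocast album title.
 * The crash in the advisory comes from the title being used as the
 * format argument itself, which in C looks like:
 *
 *     snprintf(out, out_len, title);            // title from the feed
 *
 * and in Cocoa like [NSString localizedStringWithFormat:title]. Any
 * "%x" then reads stack words and any "%n" writes to memory. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hardened form: the untrusted title is only ever a %s argument and
 * never the format string, so its directives are printed verbatim. */
int format_album_label(char *out, size_t out_len, const char *title)
{
    return snprintf(out, out_len, "Subscribed to album: %s", title);
}

/* Defensive check for a feed validator or IDS rule: true if the title
 * contains any printf-style conversion directive. A literal "%%" is
 * the escaped percent sign and is allowed. */
bool title_has_format_directive(const char *title)
{
    for (const char *p = title; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" -> skip the escaped pair */
            p++;
            continue;
        }
        return true;            /* %x, %n, %s, %p, ... */
    }
    return false;
}

int main(void)
{
    /* Constructed sample titles; the second mirrors the payload shape
     * quoted in the advisory. */
    const char *benign  = "Johny Pwnerseed's Latest Pics";
    const char *hostile = "%x.%x.%x.%n";
    char buf[128];

    format_album_label(buf, sizeof buf, hostile);   /* safe: no expansion */
    printf("%s\n", buf);
    printf("%s -> %s\n", benign,
           title_has_format_directive(benign) ? "reject" : "ok");
    printf("%s -> %s\n", hostile,
           title_has_format_directive(hostile) ? "reject" : "ok");
    return 0;
}
```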