Apple OS X ATSServer CFF CharStrings INDEX Sign Mismatch




1. Advisory Information

Title: Apple OS X ATSServer CFF CharStrings INDEX Sign Mismatch
Advisory Id: CORE-2010-0825
Advisory URL: http://www.coresecurity.com/content/Apple-OSX-ATSServer-CharStrings-Sign-Mismatch

Date published: 2010-11-08
Date of last update: 2010-11-08
Vendors contacted: Apple
Release mode: User release

2. Vulnerability Information

Class: Input validation error [CWE-20]

Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
CVE Name: CVE-2010-4010

Bugtraq ID: N/A

3. Vulnerability Description

Apple Type Services is prone to memory corruption due to a sign mismatch vulnerability when handling the last offset value of the CharStrings INDEX structure.

This vulnerability could be used by a remote attacker to execute arbitrary code by enticing a user of Mac OS X v10.5.x to view or download a PDF document containing an embedded malicious CFF font (Compact Font Format [1]).

This vulnerability is a variation of the vulnerability labeled as CVE-2010-1797 (FreeType JailbreakMe iPhone exploit variation).

4. Vulnerable packages

  • Apple Mac OS X v10.5.x

5. Solutions and Workarounds

According to information provided to us by Apple, a patch for this issue has already been developed. Apple provided us with a release date for this patch on two occasions but then failed to meet their own deadlines without giving us any notice or explanation.

Apple Mac OS X 10.6 is not affected by this vulnerability; upgrading to this version is highly recommended when possible.

For further information about this issue look at the Apple security updates pages:

6. Credits

This vulnerability was discovered and researched by Anibal Sacco and Matias Eissler, from Core Security Technologies. Publication was coordinated by Fernando Russ and Pedro Varangot.

7. Technical Description

When a PDF with an embedded CFF font is loaded, a sign mismatch error occurs in ATSServer while handling the last offset value of the CharStrings INDEX structure.

This could be triggered in different ways:

  • When trying to make a thumbnail of the file
  • When trying to open the file with the Preview app
  • When the file is served from a web server and the user is tricked into clicking on it
  • When the file is embedded in an email (if handled by Mail.app)

This allows an attacker to corrupt the process memory by controlling the size parameter of a memcpy function call, leading to code execution.

At [00042AFA] we can see how the value obtained from the file is sign-extended prior to being passed to the function loc_370F0. Inside this function, this value is used as the size parameter of memcpy:

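    00042AF2 movsx   eax, word ptr [edx+5Eh]
    00042AF6 mov     [esp+0Ch], eax
    00042AFA movsx   eax, word ptr [esi+4]   ; 16-bit value from the file, sign-extended to 32 bits
    00042AFE mov     [esp], edi
    00042B01 mov     [esp+8], eax            ; sign-extended value stored as an argument
    00042B05 mov     eax, [ebp-2Ch]
    00042B08 mov     [esp+4], eax
    00042B0C call    loc_370F0               ; uses that value as the memcpy size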

An attacker could take advantage of this condition by setting a negative offset value (0xfffa) in the file, which is converted to a DWORD without enough validation, leading to a memcpy of size 0xfffffffa.

This vulnerability results in arbitrary code execution.
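The sign mismatch described above, reduced to a stand-alone C illustration of the flawed widening next to a bounds-checked form. This is an added example, not ATSServer code and not part of the original advisory; the function names, the two-byte big-endian field layout and the sample buffers are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Read a 16-bit big-endian field (constructed layout for this example). */
static uint16_t read_be16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Flawed pattern: the field is treated as signed, as movsx does, and then
 * used as an unsigned length. Returns the length a memcpy would receive;
 * nothing is copied here. */
size_t length_sign_extended(const uint8_t *field) {
    int16_t v = (int16_t)read_be16(field);  /* 0xfffa -> -6 */
    int32_t widened = v;                    /* sign extension -> 0xfffffffa */
    return (size_t)(uint32_t)widened;
}

/* Hardened pattern: zero-extend the field, then bound it by the remaining
 * input and the destination capacity before copying.
 * Returns the number of bytes copied, or -1 if the length is rejected. */
long copy_checked(uint8_t *dst, size_t dst_cap,
                  const uint8_t *src, size_t src_len,
                  const uint8_t *field) {
    size_t n = read_be16(field);            /* 0xfffa -> 0x0000fffa */
    if (n > src_len || n > dst_cap)
        return -1;
    memcpy(dst, src, n);
    return (long)n;
}

int main(void) {
    const uint8_t bad[2] = {0xff, 0xfa};    /* constructed sample field */
    const uint8_t src[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    uint8_t dst[8] = {0};
    printf("sign-extended length: 0x%zx\n", length_sign_extended(bad));
    printf("checked copy result:  %ld\n",
           copy_checked(dst, sizeof dst, src, sizeof src, bad));
    return 0;
}
```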

8. Report Timeline

  • 2010-08-26: Vendor contacted, a draft of this advisory is sent and September 28th is proposed as a coordinated publication date. Core remarks that since this is a variation of a publicly disclosed vulnerability, it may have already been discovered by other security researchers, such as vulnerability research brokers or independent security researchers.
  • 2010-08-28: The Apple Product Security team acknowledges the report, saying that they were able to reproduce the issue in Mac OS X 10.5 but not in Mac OS X 10.6. They also say that the September 28th deadline will be impossible to meet.
  • 2010-08-30: Core informs Apple that there is no problem changing the publication date for the report, as long as the new publication date remains reasonable. Also, Core asks for a tentative timeframe for the fix, and confirms that Mac OS X 10.6 does not seem to be affected.
  • 2010-08-31: Apple acknowledges the communication informing the publication timing, and states that they are still trying to determine the most appropriate timeframe.
  • 2010-09-28: Core asks the vendor for an update regarding this issue. Also, Core asks for a specific timeframe for the fix, and sets October 18th as tentative publication date.
  • 2010-09-28: Apple acknowledges the communication, informing that this issue will be fixed in the next security update of Mac OS X 10.5, which is tentatively scheduled for the end of October without a firm date of publication.
  • 2010-08-31: Apple asks Core about credit information for the advisory.
  • 2010-09-28: Core acknowledges the communication, sending the credit information for this report.
  • 2010-10-20: Core asks Apple for a firm date for the release of this security issue since the initially proposed timeframe of October 18th has passed.
  • 2010-10-22: Apple acknowledges the communication, informing that the publication date is scheduled for the week of October 25th. Also, Apple notifies that the assigned identifier for this vulnerability is CVE-2010-1797.
  • 2010-11-01: Core asks Apple for a new schedule for the publication, since there was no notice of any Apple security update during the week of October 25th.
  • 2010-11-01: Apple acknowledges the communication informing that the publication date was rescheduled to the middle of the week of November 1st.
  • 2010-11-03: Core informs Apple that the publication of this advisory was scheduled for Monday 8th and that, taking into account the last communication, this is a final publication date. Core also informs that the information about how this vulnerability was found and how it can be exploited will be discussed in a small infosec-related local event in Buenos Aires city.
  • 2010-11-08: Core publishes advisory CORE-2010-0825.
  • 2010-11-11: Apple informs Core that due to a clerical error they used the identifier CVE-2010-1797 for their advisory, instead of CVE-2010-4010.
  • 2010-11-11: Core updates the CVE-ID for this report to CVE-2010-4010.
  • 2010-11-11: Core updates the 'Solutions and Workarounds' section of this advisory.

9. References

[1] http://en.wikipedia.org/wiki/PostScript_fonts#Compact_Font_Format

10. About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

12. Disclaimer

The contents of this advisory are copyright (c) 2010 Core Security Technologies and (c) 2010 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at /legacy/files/attachments/core_security_advisories.asc.
