Month of Apple Bugs - First Bug Unveiled
ens0niq writes "The first bug (a Quicktime rtsp URL Handler Stack-based Buffer Overflow) of the Month of Apple Bugs has been unveiled — as previously promised — by LMH and Kevin Finisterre. From the FAQ: 'This initiative aims to serve as an effort to improve Mac OS X, uncovering and finding security flaws in different Apple software and third-party applications designed for this operating system. A positive side-effect, probably, will be a more concerned (security-wise) user-base and better practices from the management side of Apple.'"
I'm afraid you are incorrect, sir. (Score:2, Informative)
The wireless exploit did apply to Airport cards; but you are correct that researchers mishandled the disclosure - which, as I said, resulted in a lot of hard feelings on both sides.
Re:I'm afraid you are incorrect, sir. (Score:5, Informative)
The wireless exploit did apply to Airport cards;
It is my understanding that the vulnerability you reference as well as the other two they fixed were both the result of an internal audit of their wireless drivers and not the result of the exploit that was publicized. The issue is more than a little muddy, however, and I'd be grateful if you could provide a reference to show either way.
Re:Looking for help understanding this. (Score:3, Informative)
It's not calling curl or the shell from memory; it appears (from the description) to be a return-to-libc attack. I am not an expert on this particular thing, but a return-to-libc attack is where you use a buffer overflow to overwrite the return address of the stack frame. Under normal circumstances, the rtsp URL parser would return to its calling function, but if an overflow overwrites the return address, you can basically rewrite the stack's memory of who called the URL parser in the first place. So, instead of returning to where Quicktime called it, your computer can be tricked into returning to a different place in memory, like somewhere in libc. Libc has all kinds of dangerous functions, namely system(3), which accepts a string as an argument (which you have also put on the stack with your buffer overflow) and will run an arbitrary program on your computer (like curl, but bash and perl and ruby can do all kinds of damage).
Of note is the fact that this exploit gets around NX, because your payload need not be executable, it merely is a return address and a string to pass into libc. Also of note is that this exploit does not cause privilege escalation; any processes started by the exploit will run under the privileges of the user who clicks on the file, and you will still get a sudo-dialog if the sploit tries to do things as wheel.
If I am misreading this exploit, please correct me. They say "arbitrary code execution" in the summary.
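The bug class the comment above describes, as an added illustration that is not QuickTime's code or anything from the MOAB advisory: a URL handler that strcpy()s the host part of an rtsp:// URL into a fixed stack buffer, beside a hardened version that measures the input and rejects anything that would not fit. The buffer size HOST_MAX and all function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration of the bug class discussed above, not QuickTime's
 * code: an rtsp:// URL handler copies the host into a fixed-size stack buffer.
 * HOST_MAX and the function names are assumptions. */
#define HOST_MAX 64

/* Vulnerable pattern: strcpy() trusts the input length. A host longer than
 * HOST_MAX-1 bytes overruns 'host' and reaches the saved return address, the
 * slot a return-to-libc payload overwrites. Never feed it untrusted input. */
int parse_rtsp_host_unsafe(const char *url, char *out, size_t out_len)
{
    char host[HOST_MAX];
    if (strncmp(url, "rtsp://", 7) != 0)
        return -1;
    strcpy(host, url + 7);                  /* no bound check: overflow */
    host[strcspn(host, "/:")] = '\0';
    snprintf(out, out_len, "%s", host);
    return (int)strlen(out);
}

/* Hardened version: measure the host first and reject what would not fit. */
int parse_rtsp_host_safe(const char *url, char *out, size_t out_len)
{
    if (strncmp(url, "rtsp://", 7) != 0)
        return -1;                          /* not an rtsp URL */
    const char *p = url + 7;
    size_t n = strcspn(p, "/:");            /* host ends at path or port */
    if (n == 0 || n >= out_len)
        return -2;                          /* empty or oversized host */
    memcpy(out, p, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample input: "rtsp://" followed by host_len bytes of 'A'. */
static void make_long_url(char *buf, size_t buf_len, size_t host_len)
{
    if (host_len + 8 > buf_len)
        host_len = buf_len - 8;
    memcpy(buf, "rtsp://", 7);
    memset(buf + 7, 'A', host_len);
    buf[7 + host_len] = '\0';
}

/* 1 if the hardened parser rejects a host of host_len bytes, else 0. */
int safe_rejects_host_of_length(size_t host_len)
{
    char url[512], out[HOST_MAX];
    make_long_url(url, sizeof url, host_len);
    return parse_rtsp_host_safe(url, out, sizeof out) == -2;
}
```

The hardened parser returns -2 for any host of HOST_MAX or more bytes, so an over-long URL is refused before a single byte is copied, which is the check a length-trusting strcpy() skips.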