OS X 10.4.7 "BOMFileClose()" BOMArchiveHelper Heap Overflow

Release Date:
August 1st, 2006

Severity:
High

Vendor:
Apple

Versions Affected:
Apple OS X 10.4.7 and prior

Overview:
BOMArchiveHelper is the default archive file handler in Mac OS X. It runs as a service without a GUI and is invoked when the user double-clicks an archived file. An integer overflow vulnerability exists within BOMArchiveHelper which allows an attacker to crash the application and/or execute arbitrary code on the targeted host.

Technical Details:
When decompressing a specially crafted .zip file, the BOMFileClose() function incorrectly parses the malformed data and causes a segmentation fault, which may allow an attacker to execute arbitrary code on the targeted host.

Below the crash is triggered on OS X (PPC) 10.4.7 within gdb:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xa1b1c1d3
[Switching to process 887 thread 0x3a03]
(gdb) bt
#0 0xffff8aa8 in ___memcpy ()
#1 0x91119e90 in flush_pending ()
#2 0x91119b90 in deflate ()
#3 0x9458f6fc in _finishDeflation ()
#4 0x94586664 in BOMFileClose ()
#5 0x945a0c24 in BOMPKZipFree ()
#6 0x945961dc in _BOMCopierCopyFromPKZip ()
#7 0x9458ad38 in BOMCopierCopyWithOptions ()

Vendor Status:
05/16/2006 - Vendor is notified.
06/05/2006 - Vendor acknowledges the flaw.
08/01/2006 - Advisory released.

Solution:
Security Update 2006-004 fixes this issue.

Discovered by:
Tom Ferris
tommy[at]security-protocols[dot]com

Related Links:
http://www.security-protocols.com/poc/sp-x32.zip
http://www.apple.com/macosx/

Security-Protocols.com :: 1999-2008