[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Apple CoreGraphics (Preview) Memory Corruption Vulnerability - CVE-2010-1801

To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>, "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Apple CoreGraphics (Preview) Memory Corruption Vulnerability - CVE-2010-1801
From: Rodrigo Branco <rbranco@xxxxxxxxxxxxxx>
Date: Thu, 26 Aug 2010 05:30:16 -0700

Dear List,


I'm writing on behalf of the Check Point Vulnerability Discovery Team to 
publish the following vulnerability.


Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Apple CoreGraphics (Preview) Memory Corruption when parsing PDF files
CVE-2010-1801


INTRODUCTION

Apple Preview.app is the default application used in Apple MacOS systems in 
order to visualize PDF files and does not properly parse PDF files, which leads 
to memory corruption when opening a malformed file with an invalid size on 
JBIG2 structure at offset 0x2C1 as in PoC Repro1.pdf or offset 0x2C5 as in PoC 
Repro2.pdf (both values trigger the same vulnerability).

This problem was confirmed in the following versions of Apple Preview and 
MacOS, other versions may be also affected.

Apple Mac OS X 10.5.8 (Server as well)
Apple Mac OS X 10.6.2 (Server as well)
Apple Mac OS X 10.6.3 (Server as well)
Apple Mac OS X 10.6.4 (Server as well)

CVSS Scoring System

The CVSS score is: 9
        Base Score: 10
        Temporal Score: 9
We used the following values to calculate the scores:
        Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
        Temporal score is: E:POC/RL:U/RC:C


TRIGGERING THE PROBLEM

This vulnerability can be triggered by creating an invalid JBIG2 structure in 
two different ways.

The problem is triggered by PoCs available to interested parts which causes 
invalid memory access in all the refered versions.


DETAILS


Changing offset 0x2C1:

0xdee8600 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3764>:     xor    
%esi,%esi 
0xdee8602 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3766>:     mov    
-0x7c(%ebp),%edx
0xdee8605 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3769>:     mov    
-0x118(%ebp),%eax
0xdee860b <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3775>:     mov    
-0x7c(%ebp),%ecx
0xdee860e <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3778>:     inc    %edx 
0xdee860f <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3779>:     cmp    
0x8(%eax),%ecx
0xdee8612 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3782>:     jae    
0xdee861a <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3790>
0xdee8614 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3784>:     mov    
0xc(%eax),%eax
0xdee8617 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3787>:     mov    
%esi,(%eax,%edi,1) <----- Crash

(gdb) i r $esi $eax $edi
esi            0xc79e860        209315936
eax            0x0      0
edi            0x0      0

(gdb) bt
#0  0x0dee8617 in JBIG2Stream::readSymbolDictSeg ()
#1  0x0dee4f0f in JBIG2Stream::readSegments ()
#2  0x0dee4b5e in JBIG2Stream::reset ()
#3  0x0dee499b in read_bytes ()
#4  0x96d33f32 in jbig2_filter_refill ()
#5  0x96a4b56c in CGPDFSourceRefill ()
#6  0x96a4b402 in CGPDFSourceRead ()


Changing offset 0x2C5:

0xdeb52dc <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+2960>:     inc    %esp
0xdeb52dd <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+2961>:     and    $0x4,%al
0xdeb52df <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+2963>:     add    
%al,(%eax)
0xdeb52e1 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+2965>:     add    
%al,(%eax)
0xdeb52e3 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+2967>:     mov    
%edx,(%esp)
0xdeb52e6 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+2970>:     call   
0xdeb2a96 <_ZN11JBIG2Stream17readGenericBitmapEiiiiiiP11JBIG2BitmapPiS2_i>
0xdeb52eb <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+2975>:     mov    
-0x94(%ebp),%ecx
0xdeb52f1 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+2981>:     mov    
%eax,(%ecx) <----- Crash


(gdb) i r $eax $ecx
eax            0xc79b640        209303104
ecx            0x0      0



(gdb) bt
#0  0x0deb52f1 in JBIG2Stream::readSymbolDictSeg ()
#1  0x0deb1f0f in JBIG2Stream::readSegments ()
#2  0x0deb1b5e in JBIG2Stream::reset ()
#3  0x0deb199b in read_bytes ()
#4  0x96d33f32 in jbig2_filter_refill ()
#5  0x96a4b56c in CGPDFSourceRefill ()
#6  0x96a4b402 in CGPDFSourceRead ()
#7  0x96aa3c8f in CGAccessSessionGetChunks ()



CREDITS

This vulnerability was discovered and researched by Rodrigo Rubira Branco from 
Check Point Vulnerability Discovery Team (VDT).





Best Regards,
 
Rodrigo.
 
--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies

Prev by Date: Re: DLL hijacking on Linux
Next by Date: XSS vulnerability in CompuCMS
Previous by thread: Details of cisco-sa-20081022-asa security advisory?
Next by thread: XSS vulnerability in CompuCMS
Index(es):
- Date
- Thread