Month of Apple Bugs - Day 5

05 Jan 2007, 19:24 PST

Ever feel like you're watching a game of table tennis? I've never been very good at the game ...

Today's Month of Apple Bugs issue permits a local admin account to gain root access, without any user interaction (ie, an authorization dialog), by exploiting a combination of vulnerable disk permissions and Disk Utility's repair permissions functionality.

When coupled with a remote exploit, such as the Month of Apple Bug's Quicktime RTSP URL Handler vulnerability (patched in the current Moab Ape), today's bug could allow the remote exploit to gain immediate root without any user interaction.

Due to the nature of the bug, a safe runtime patch is not viable without modifying on-disk file permissions.

If you'd still like to protect yourself, the Month of Apple Bugs project provides a temporary work-around in their advisory:

sudo chmod -s /System/Library/PrivateFrameworks/DiskManagement.framework/Resources/DiskManagementTool

This may have an impact on other Disk Utility functions -- you can reverse the work-around as follows:

sudo chmod +s /System/Library/PrivateFrameworks/DiskManagement.framework/Resources/DiskManagementTool

Update on the QuickTime Cross-Zone Issue

I'm pleased as punch to report that the terrific WebKit team is looking into the issue.

Darwin ... Ports! Ports!

A number of publications have done the architects of Darwin a disservice by stating that I'm "one of the principal architects of Apple's BSD-based Darwin operating system core". I just want to set the record straight: I originally wrote DarwinPorts (now MacPorts), with Kevin Van Vechten and Jordan Hubbard. Darwin was architected by minds far brighter than my own.

New VLC Release

05 Jan 2007, 01:04 PST

The magnificent VideoLAN team has released 0.8.6a, which fixes the MOAB-reported vulnerability. You can download it from their web site.

I'll be removing the patch for VLC 0.8.6 in tomorrow's APE release.


04 Jan 2007, 23:15 PST

Answers to the most frequently asked questions

Q. Are patches cumulative? Do I need to install more than one APE?

A. The patches are cumulative -- each new version contains all the previous fixes (including improvements and bug fixes), plus the new fix. If a vendor releases a fix, we'll remove the patch from the APE bundle.

Q. When does a patch take effect? How do I know if I'm protected?

A. Application Enhancer will apply new fixes when an application is restarted. If you've just installed Application Enhancer for the first time, I suggest logging in/out, or restarting your computer.

Q. How can I determine what patch version I have installed?

A. The current version is displayed under the APE name in the Application Enhancer preference pane. The version corresponds to the day -- today is January 4th, and the APE version is 4.0.

Q. Do you support Panther? What operating systems are supported?

A. Unfortunately, only Tiger. I don't have the resources or time to test anything other than Mac OS X 10.4.8.

Q. What happens when the vendor (eg, Apple, VLC) releases a fix?

A. All of the patches are keyed to specific software versions, and the patches are applied at runtime -- the on-disk files are never modified. When a new release of the vulnerable software is installed, the patch will not apply itself. The APE can also be removed at any time by clicking the "-" button in the Application Enhancer preference pane.

Q. How can I contribute?

A. You are encouraged to join the MOAB Fixes group.

I'd also like to apologize to everyone whose e-mail I haven't yet been able to answer personally. I promise I'll reply, it may just take me a couple days.

Month of Apple Bugs - Day 4

04 Jan 2007, 22:18 PST

Friends to the Rescue

Today's update was masterfully implemented by Finlay Dobbie, William Carrel, and the members of the MOAB Fixes Google Group.

Finlay solved today's Month of Apple Bugs issue -- a format string vulnerability in iPhoto's Photocast support. His patch guards the -[SubscribedAlbum registerPublishError:withTitle:] method, escaping all occurances of '%' in the title argument. -[SubscribedAlbum registerPublishError:withTitle:] passes the title directly to [NSString localizedStringWithFormat:].

William Carrel has skillfully updated the fix for the Apple Quicktime HREFTrack Cross-Zone Scripting vulnerability to use a whitelist exclusion method -- QuickTime movies will only permit http, https, and ftp URLs in the HREFTrack.

You can download the source, or a pre-built binary. As always, you'll need to install Application Enhancer to use this -- once it's installed, simply double-click on the Moab bundle to install the patch.

Month of Apple Bugs - Day 3

03 Jan 2007, 22:31 PST

Today's Fix

The third issue from the Month of Apple Bugs takes advantage of the interaction between web browsers and the QuickTime Plugin, leading to a cross-site scripting vulnerability.

The vulnerability allows an embedded quicktime movie, located on an external site (eg, an ad server), to execute javascript in the context of the enclosing page. Please note that the current 10.4.8 version of Safari does not appear to execute JavaScript from a QuickTime HREFTrack, and thus does not appear to be susceptible to this attack.

Today's fix involves patching the QuickTime Plugin's rNPN_GetURL() function, which is responsible for asking the browser to load a page. The patch replaces any javascript: URL requests with a javascript alert box that reads: "[MOAB] Blocked a QuickTime JavaScript Call. See for more information."

A huge thanks to both Alexander Strange and Rosyna of Unsanity for doing most of the work to track down the issue. I also owe a big favor to my friend William Carrel, who was kind enough to do a code review of the latest changes, and set up a new MOAB Fixes Google Group.

I'd also like to thank all those who have written kind e-mails, or sent other well wishes. It's very much appreciated.

You can download the source, or a pre-built binary. As always, You'll need to install Application Enhancer to use this -- once it's installed, simply double-click on the Moab bundle to install the patch.

News and Updates

As I mentioned above, William Carrel has set up a MOAB Fixes Google Group, where I will be coordinating bug fixes for the rest of the month.

In addition to the above fix, I've also updated the fix for the QuickTime RTSP issue. I fixed a bug in the argument handling (I miscounted the total number of arguments pushed on the stack), and I've added extra seat belts to ensure that the fix will automatically disable itself upon a new release of the QuickTime Streaming Component.

Cross-zone Vulnerability Update

The astutely observant Aviv Raff noted that the QuickTime vulnerability permits Cross-Zone Scripting, which could allow QuickTime movies to access local reference protocol handlers, and potentially permit remote code execution, in addition to the cross-site scripting aspect we've already patched. Just to be safe, I'll be issuing an update later today with a more restrictive (whitelist-based) protocol filter.

Month of Apple Bugs - Day 2

02 Jan 2007, 20:55 PST

Today's bug from the Month of Apple Bugs is a format string vulnerability in the VLC media player.

The wonderfully responsive and dapper VLC team already has a fix committed, and I'm sure a new release will be forthcoming.

In the meantime, more for completeness than necessity, I've added a fix to the MOAB Ape. The fix is keyed to (and only supports) the latest VLC release (0.8.6) -- the patch will automatically de-activate itself when you update VLC, which you should most certainly eventually do. The patch works by guarding the *_log_handler() callbacks, checking for format string characters before passing the string on.

You can download the source, or a pre-built binary. You'll need to install Application Enhancer to use this -- once it's installed, simply double-click on the Moab bundle to install the patch.

If you'd like to help with tomorrow's MOAB vulnerability please feel free to send me patches or other information. If there's enough interest, I'll fire up a mailing list.

Month of Apple Bugs - Day 1

01 Jan 2007, 22:08 PST

I stumbled across the Month of Apple Bugs today -- a new Mac OS X vulnerability released every day for a month.

Today's vulnerability exploits a stack buffer overflow in the QuickTime Streaming component, and includes a working x86 exploit. More details available here. Short summary: if you visit a malicious web page, a remote attacker can execute code on your machine.

So, part brain exercise, part public service, I've created a runtime fix for the first issue using Application Enhancer. If I have time (or assistance), I'll attempt to patch the other vulnerabilities, one a day, until the month is out.

You can download the source, or download a pre-built binary. You'll also need to install Application Enhancer to use this -- once it's installed, simply double-click on the Moab bundle to install the patch.

I've had one report of the Moab bundle showing up in the Finder as a plain directory. If that occurs, try manually adding the bundle from the Application Enhancer preference pane, in System Preferences (Hit the "+" button).

Technical Details -- How it Works

The overflow is in the QuickTime Streaming component's INet_ParseURLServer() function -- the fix patches that function and pre-validates the URL before passing it off to the real function implementation. If the URL is too long, the patch replaces the Evil URL with a benign, but invalid one, and then calls the original function.

It's worth noting that disabling RTSP, as noted elsewhere, is (unfortunately) not necessarily sufficient -- there are other vulnerable entry-points to INet_ParseURLServer(), as it is used for generic URL parsing.


Please see this page for updates!

Objective-C Substrate Project

12 Sep 2006, 19:25 PDT

For the past few years, I've been fiddling with OpenDarwin's libFoundation in my spare time -- of which there is admitedly very little. For those new to the party, OpenDarwin's libFoundation project was an attempt to rewrite, refactor, and otherwise port the original libFoundation, as written by Ovidiu Predescu, Mircea Oancea, and Helge Hess, to Darwin. The end goals were simple. In order of importance:

The first goal was easily achieved, and surprisingly enough, I've been making some good progress on the second. With OpenDarwin's impending cessation of operation, I decided to set aside a week of my copious vacation time supplied by my generous employer to find OpenDarwin's libFoundation a new home, and tackle some difficult problems, including a unicode-aware NSString. I'm pleased to say that the week was well spent, and the newly christened Objective-C Substrate was the end result.

Read more ...

OpenVPN Auth-LDAP Plugin 2.0 RC1

12 Sep 2006, 18:01 PDT

I'd like to announce the first release candidate of version 2.0 of my LDAP authentication plugin for OpenVPN

This release is a vast improvement on the rudimentary 1.0 plugin -- new features include:

Read more ...

Splat 1.0 Release

19 Jun 2006, 13:49 PDT

Nick Barkas and I released Splat 1.0 today, on behalf of the Three Rings Department of Public Works. If you need to synchronise information with an LDAP directory, Splat provides a great plugin interface. Included with the distribution are plugins to create home directories, write out SSH keys with command restrictions, and write out .forward files.

We use Splat here at Three Rings to distribute SSH keys to all of our servers, allowing us to further erradicate password authentication. Splat can apply filters based on LDAP groups, so we can, for instance, apply a subversion command= restriction only on the subversion server.

Next splat plugins I want to write: