A Nonny Moose Posted January 4, 2007 Share Posted January 4, 2007 Again, it's a QuickTime problem and not solely an OS X problem. Link to comment Share on other sites More sharing options...
wow Posted January 4, 2007 Author Share Posted January 4, 2007 (edited) And here we have number 4 this time OSX specific Summary Vendor (Apple) provides the following description of the software: Rebuilt for blazing performance, iPhoto makes sharing photos faster, simpler, and cooler than ever before. It adds eye-opening features to the ones you already love, including Photocasting, support for up to 250,000 photos, easy publishing to the web, special effects, and new custom cards and calendars. In essence iPhoto lets you spread smiles far and wide. As easily as you can create a new photo album you can share it with friends and family thousands of miles away. A new feature in iPhoto 6, Photocasting allows .Mac members to share albums with anyone, anywhere. Say you have new photos of little Johnny Pwnerseed. Place the photos you'd like to share in an album called "Johnny Pwnerseed's Latest Pics.", then click "Photocast this Album". iPhoto publishes the album, and others can subscribe to it by clicking a link in an email you send. And there the fun begins. By creating a crafted iPhoto photocast XML feed, a malicious user (in this example, infamous Johnny Pwnerseed) could abuse a format string vulnerability in the handling of the "title" element, potentially leading to a remote arbitrary code execution condition. Once Aunt Sophia subscribes, the malicious feed is automatically downloaded into a "Johnny Pwnerseed's Latest Pics" album that instantly triggers the issue. Affected versions This issue has been verified in iPhoto 6.0.5 (316). Previous versions supporting the photocast features might be affected as well. Proof of concept, exploit or instructions to reproduce The provided proof of concept launches a fake HTTP service which will serve the XML payload to any iPhoto user connecting. If the user-agent isn't iPhoto, it will send garbage instead. For a more elaborate POC, you can modify it to take iPhoto version into account. Requires a working Ruby interpreter and capability to use the port 80 (as iPhoto apparently rejects any other port). $ sudo ruby bug-files/MOAB-04-01-2007.rb 80 ++ Starting fake HTTP server at port 80. ++ iPhoto 6.0.5 user connected (::1), sending payload (570 bytes). (...) -- User connected (127.0.0.1) but not running iPhoto, sending {censored}. Alternatively, you can serve the RSS on your own, for distributing the payload from another web server or location of choice. Edited January 4, 2007 by wow Link to comment Share on other sites More sharing options...
bofors Posted January 5, 2007 Share Posted January 5, 2007 Again, it's a QuickTime problem and not solely an OS X problem. So what? I certainly am not adopting the Window's "standard" for security. Link to comment Share on other sites More sharing options...
A Nonny Moose Posted January 5, 2007 Share Posted January 5, 2007 Well, when someone talks about "destroying the perception of invulnerablility" I would think they would want to have 30 OS X attacks instead of 30 hybrid QuickTime attacks. Link to comment Share on other sites More sharing options...
wow Posted January 5, 2007 Author Share Posted January 5, 2007 I dont see the differnce between 30 hacks that works on xp and osx and 30 hacks that work on osx and not xp. 30 hacks is 30 hacks to me and 30 hacks to many. Link to comment Share on other sites More sharing options...
bofors Posted January 5, 2007 Share Posted January 5, 2007 Well, when someone talks about "destroying the perception of invulnerablility" ... We certainly do not want to be complacent about security on OS X. The only problem with this sort of thing is that idiots (err... Windows users) out there will misinterpret it to mean that OS X is insecure. But that is a small price to pay to maintain OS X security, besides there will always be idiots and lots of them at that. Link to comment Share on other sites More sharing options...
jrsdead Posted January 6, 2007 Share Posted January 6, 2007 Bug number 5 affects OS X link This is definitely not good especially as this is supposed to be in the wild. So not really a new bug at all then so maybe they really are scraping the bottom of the barrel already. Summary of the bug below jrsdead Summary Apple DiskManagement.framework is the back-end for the ' diskutil' tool, used to perform disk/file system maintenance tasks. One of these tasks, permissions repair, involves the usage of BOM ( Bill Of Materials) files, which declare the default file permissions and owner (among other attributes), on package-basis. A vulnerability in the handling of BOM files allows to set rogue permissions on the filesystem via the 'diskutil' tool. This can be used to execute arbitrary code and escalate privileges. A malicious user could create a BOM declaring new permissions for specific filesystem locations (ex. binaries, cron and log directories, etc). Once 'diskutil' runs a permission repair operation the rogue permissions would be set, allowing to plant a backdoor, overwrite resources or simply gain root privileges. Permissions available in BOM files aren't validated, and no sanity testing is performed, in order to prevent potentially harmful attributes to be set on the filesystem. This issue is being actively exploited in-the-wild and we would like to thank an anonymous contributor for bringing the 0-day to our attention, taking advantage of this issue. Link to comment Share on other sites More sharing options...
bofors Posted January 6, 2007 Share Posted January 6, 2007 Bug number 5 affects OS X link This is definitely not good especially as this is supposed to be in the wild. So not really a new bug at all then so maybe they really are scraping the bottom of the barrel already. Summary of the bug below So any installer package that is run by an admin. account can potentially grant root privileges to a rogue? I am reading this right? Once 'diskutil' runs a permission repair operation the rogue permissions would be set, allowing to plant a backdoor, overwrite resources or simply gain root privileges. That sounds pretty serious, it seems like there should be some much tighter limits on what the BOM is allowed to do. Link to comment Share on other sites More sharing options...
A Nonny Moose Posted January 6, 2007 Share Posted January 6, 2007 Haven't we discussed that disk image thingie 10,000 times on here? (note: I'm not trying to sound like a snob here. I'm just saying if they really wanted to try to find OS X bugs, they can do better than doing a Google search if they're worth their weight) Link to comment Share on other sites More sharing options...
bofors Posted January 6, 2007 Share Posted January 6, 2007 Haven't we discussed that disk image thingie 10,000 times on here? I guess I missed it 10,000 times. Since you seem know so much about OS X security, perhaps you could us what you see the major vulnerabilities to be? Other than that "disk image thingie", that is, Link to comment Share on other sites More sharing options...
A Nonny Moose Posted January 6, 2007 Share Posted January 6, 2007 (edited) Again, I'm not trying to be a ninny here (I'm A Nonny, lol). I'm just saying that any idiot can do a Google search for the disk image problem. It's like they're not even trying to get into the bowels of the system and find something wrong. There are tons of Unix-y problems that can plague OS X and they're ignoring those kinds of severe issues and are instead doing Google searches and pointing out QuickTime problems for Windows. Again, if you want to shatter the invulnerability myth (and it is a myth, as no OS is 100% secure) then why the hell aren't these people really trying to do that? Edited January 6, 2007 by A Nonny Moose Link to comment Share on other sites More sharing options...
joe75 Posted January 6, 2007 Share Posted January 6, 2007 Again, I'm not trying to be a ninny here (I'm A Nonny, lol). Link to comment Share on other sites More sharing options...
bofors Posted January 7, 2007 Share Posted January 7, 2007 Ars Technica has a thread covering the MOAB too: http://episteme.arstechnica.com/eve/forums.../m/267006272831 Comments there are a little more professional (but not much). Link to comment Share on other sites More sharing options...
A Nonny Moose Posted January 7, 2007 Share Posted January 7, 2007 OK, this is the one from yesterday. It's a problem with rogue pdf files, but again, any idiot can do a Google search for this one also, it seems. The one from today seems to hit on third party developers instead of trying to dig into the roots of the OS and finding a major bug. Again, this is hardly "shattering the myth of invulnerability" as much as it is someone crying to their mother about how the neighbor kid got the better toy. Link to comment Share on other sites More sharing options...
Recommended Posts