[TKADV2009-007] Apple iPhone OS AudioCodecs Heap Buffer Overflow Sep 14 2009 06:25PM
Tobias Klein (tk trapkit de)
Please find attached a detailed advisory of the vulnerability.

Alternatively, the advisory can also be found at:

Advisory: Apple iPhone OS AudioCodecs Heap Buffer Overflow
Advisory ID: TKADV2009-007
Revision: 1.0
Release Date: 2009/09/09
Last Modified: 2009/09/09
Date Reported: 2009/04/05
Author: Tobias Klein (tk at trapkit.de)
Affected Software: iPhone OS 1.0 through 3.0.1
                   iPhone OS for iPod touch 1.1 through 3.0
Remotely Exploitable: Yes
Locally Exploitable: No
Vendor URL: http://www.apple.com/
Vendor Status: Vendor has released an updated version
CVE-ID: CVE-2009-2206
Patch development time: 158 days

Vulnerability Details:

The iPhone OS AudioCodecs library contains a heap buffer overflow that is
triggered while parsing maliciously crafted AAC or MP3 files. The
vulnerability may be exploited by an attacker to execute arbitrary code in
the context of an application using the vulnerable library.

One attack vector is iPhone ringtones with malformed sample size table
entries. It was confirmed that iTunes uploads such malformed ringtones to
the phone.

Technical Details:

Vulnerable library:

Vulnerable function:

Disassembly of the vulnerable function:

__text:3314443C LDR R3, [R5,#0xA8]
__text:33144440 LDR R2, [R5,#0xA4]
__text:33144444 ADD R3, R3, #1
__text:33144448 ADD R2, fp, R2
__text:3314444C STR R3, [R5,#0xA8]
__text:33144450 MOV R3, #0
__text:33144454 STMIA IP, {R2,R3} [1]
__text:33144458 MOV R3, #0
__text:3314445C STR R3, [IP,#8] [2]
__text:33144460 LDR R3, [SP,#0x4C+sample_size] [3]
__text:33144464 STR R3, [IP,#0xC] [4]
__text:33144468 ADD IP, IP, #0x10 [5]

[1] R2 and R3 are stored at offsets 0 and 4 of the heap buffer pointed to
by IP (R12). R2 (fp plus a file-derived offset) contains user controlled
data; R3 is zero.
[2] R3 (zero) is stored at offset 8 of the current entry.
[3] R3 is loaded with the sample size taken from the audio file, i.e. user
controlled data.
[4] The user controlled sample size in R3 is stored at offset 0xC.
[5] IP is advanced by 0x10 to the next 16-byte entry.

This code snippet is executed in a loop, one iteration per sample size
table entry, and each iteration writes one 16-byte record and advances IP.
As IP is never compared against the end of the heap buffer, a malformed
sample size table drives the writes past the end of the allocation (heap
buffer overflow).
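
The loop above and the malformed-ringtone vector from the Vulnerability
Details section, as an added example in C that is not part of the advisory
and not Apple's code: a minimal sample size table parser written in the
shape of the vulnerable loop (one 16-byte {offset, 0, 0, size} record per
entry, the write pointer advanced without any bound) beside a hardened
version that checks every file-derived value first. The table layout (a
big-endian entry count followed by big-endian sizes, modelled on the ISO
base media 'stsz' payload), the struct and function names, and the sample
tables kGoodTable and kBadTable are assumptions constructed for
illustration; the real AudioCodecs data structures are not on the page.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* 16-byte per-sample record as laid down by the STRs at [1], [2] and [4]:
 * {data offset, 0, 0, sample size}. Layout assumed from the disassembly. */
typedef struct { uint32_t offset, reserved0, reserved1, size; } packet_desc_t;

typedef struct {
    packet_desc_t *descs;   /* heap buffer the loop writes through (IP/R12) */
    size_t capacity;        /* entries the buffer was allocated for */
    size_t count;           /* entries written (the counter at [R5,#0xA8]) */
    uint32_t data_pos;      /* running data offset (R2 = fp + [R5,#0xA4]) */
} packet_table_t;

/* Table format assumed here, modelled on the ISO base media 'stsz' payload:
 * 4-byte big-endian entry count, then one 4-byte big-endian size per sample. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable shape: the buffer was sized from one value (capacity) but the
 * loop trusts the entry count inside the table, so nothing stops cur from
 * walking past descs[capacity-1]. Only ever call this on a well-formed table. */
static void fill_table_vulnerable(packet_table_t *t, const uint8_t *stsz)
{
    uint32_t entries = be32(stsz);
    packet_desc_t *cur = t->descs;
    for (uint32_t i = 0; i < entries; i++) {
        uint32_t sample_size = be32(stsz + 4 + 4 * (size_t)i); /* [3] */
        cur->offset    = t->data_pos;                          /* [1] */
        cur->reserved0 = 0;
        cur->reserved1 = 0;                                    /* [2] */
        cur->size      = sample_size;                          /* [4] */
        cur++;                                                 /* [5], unchecked */
        t->count++;
        t->data_pos += sample_size;
    }
}

/* Bytes the vulnerable loop would write past the end of the buffer for a
 * given table: one 16-byte record per surplus entry. Arithmetic only. */
static size_t vulnerable_overrun_bytes(size_t capacity, const uint8_t *stsz)
{
    uint32_t entries = be32(stsz);
    return entries > capacity ? (entries - capacity) * sizeof(packet_desc_t) : 0;
}

enum { TBL_OK = 0, TBL_ERR_SHORT = -1, TBL_ERR_TOO_MANY = -2, TBL_ERR_OFFSET = -3 };

/* Hardened version: each file-controlled value is checked before it drives a
 * read or a write. */
static int fill_table_checked(packet_table_t *t, const uint8_t *stsz, size_t stsz_len)
{
    if (stsz_len < 4)
        return TBL_ERR_SHORT;
    uint32_t entries = be32(stsz);
    if (entries > t->capacity - t->count)
        return TBL_ERR_TOO_MANY;                 /* would overrun descs[] */
    if ((uint64_t)entries * 4 + 4 > stsz_len)
        return TBL_ERR_SHORT;                    /* would read past the table */
    for (uint32_t i = 0; i < entries; i++) {
        uint32_t sample_size = be32(stsz + 4 + 4 * (size_t)i);
        if (sample_size > UINT32_MAX - t->data_pos)
            return TBL_ERR_OFFSET;               /* running offset would wrap */
        packet_desc_t *cur = &t->descs[t->count++];
        cur->offset = t->data_pos;
        cur->reserved0 = cur->reserved1 = 0;
        cur->size = sample_size;
        t->data_pos += sample_size;
    }
    return TBL_OK;
}

/* Constructed inputs, not taken from any real file. kBadTable declares 8
 * entries for a buffer sized for 4 and carries only 4 sizes. */
static const uint8_t kGoodTable[] = { 0,0,0,3, 0,0,1,0, 0,0,0,0x80, 0,0,2,0 };
static const uint8_t kBadTable[]  = { 0,0,0,8, 0,0,1,0, 0,0,1,0, 0,0,1,0, 0,0,1,0 };

static int table_init(packet_table_t *t, size_t capacity)
{
    t->descs = calloc(capacity, sizeof(packet_desc_t));
    t->capacity = capacity; t->count = 0; t->data_pos = 0;
    return t->descs ? 0 : -1;
}

int main(void)
{
    packet_table_t t;
    if (table_init(&t, 4) != 0) return 1;
    fill_table_vulnerable(&t, kGoodTable);   /* in bounds: 3 entries, room for 4 */
    printf("good table: %zu entries, %u data bytes\n", t.count, t.data_pos);
    t.count = 0; t.data_pos = 0;
    printf("bad table: rc=%d, vulnerable loop would overrun by %zu bytes\n",
           fill_table_checked(&t, kBadTable, sizeof kBadTable),
           vulnerable_overrun_bytes(t.capacity, kBadTable));
    free(t.descs);
    return 0;
}
```

The vulnerable function is kept only so the two loops can be read side by
side; the overrun for the hostile table is computed by
vulnerable_overrun_bytes instead of being performed, since an actual
out-of-bounds write is undefined behaviour. The three checks in
fill_table_checked cover the three things the file controls here: how many
records get written, how far the table is read, and the running offset.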


Solution:

Upgrade to iPhone OS 3.1, or iPhone OS 3.1.1 for iPod touch.

Disclosure Timeline:

2009/04/05 - Apple Product Security Team notified
2009/04/05 - Received an automated response message
2009/04/07 - Reply from Apple
2009/06/05 - Status update request sent to Apple
2009/06/05 - Apple confirms the vulnerability
2009/08/17 - Status update by Apple
2009/09/05 - Status update by Apple
2009/09/09 - New iPhone OS released by Apple
2009/09/09 - Release date of this security advisory


Credits:

Vulnerability found and advisory written by Tobias Klein.


References:

[REF1] http://support.apple.com/kb/HT3860
[REF2] http://www.trapkit.de/advisories/TKADV2009-007.txt


Changelog:

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release


Disclaimer:

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.

PGP Signature Key:


Copyright 2009 Tobias Klein. All rights reserved.





Copyright 2010, SecurityFocus