[CORE-2010-0825] Apple OS X ATSServer CFF CharStrings INDEX Sign Mismatch Nov 08 2010 09:27PM
CORE Security Technologies Advisories (advisories coresecurity com)
Hash: SHA1

Core Security Technologies - CoreLabs Advisory

Apple OS X ATSServer CFF CharStrings INDEX Sign Mismatch

1. *Advisory Information*

Title: Apple OS X ATSServer CFF CharStrings INDEX Sign Mismatch
Advisory Id: CORE-2010-0825
Advisory URL:
Date published: 2010-11-08
Date of last update: 2010-11-08
Vendors contacted: Apple
Release mode: User release

2. *Vulnerability Information*

Class: Input validation error [CWE-20]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
CVE Name: CVE-2010-1797
Bugtraq ID: N/A

3. *Vulnerability Description*

The Apple Type Services is prone to memory corruption due a sign
mismatch vulnerability when handling the last offset value of the
CharStrings INDEX structure.

This vulnerability could be used by a remote attacker to execute
arbitrary code, by enticing the user of Mac OS X v10.5.x to view or
download a PDF document containing a embedded malicious CFF font
(Compact Font Format [1]).

This vulnerability is a variation of the vulnerability labeled as
CVE-2010-1797 (FreeType JailbreakMe iPhone exploit variation).

4. *Vulnerable packages*

. Apple Mac OS X v10.5.x

5. *Solutions and Workarounds*

According to information provided to us by Apple, a patch for this fix
has already been developed. Apple provided us a release date for this
patch in two opportunities but then failed to meet their our deadlines
without giving us any notice or explanation.

Apple Mac OSX 10.6 is not affected by this vulnerability, upgrading to
this version is highly recommed when possible.

6. *Credits*

This vulnerability was discovered and researched by Anibal Sacco
and Matias Eissler
from Core Security Technologies. Publication was coordinated by Fernando
Russ and Pedro Varangot.

7. *Technical Description*

When loading a PDF with an embedded CFF font a sign mismatch error
exists in ATSServer when handling the last offset value of the
CharStrings INDEX structure.

This could be triggered in different ways:

. When trying to make a thumbnail of the file
. When trying to open the file with the Preview app
. Serving the file in a web server and tricking the user to click on it.
. Embedded in an email (if handled by Mail.app)

This allows to corrupt the process memory by controlling the size
parameter of a memcpy function call allowing an attacker to get code

At [00042AFA] we can see how the value obtained from the file is sign
extended prior to be passed to the function loc_370F0. Inside this
function this value will be used as the size parameter of memcpy:

00042AF2 movsx eax, word ptr [edx+5Eh]
00042AF6 mov [esp+0Ch], eax
00042AFA movsx eax, word ptr [esi+4]
00042AFE mov [esp], edi
00042B01 mov [esp+8], eax
00042B05 mov eax, [ebp-2Ch]
00042B08 mov [esp+4], eax
00042B0C call loc_370F0

- -----/
An attacker could take advantage of this condition by setting a
negative offset value (0xfffa) in the file that will be converted to a
DWORD without enough validation leading to a memcpy of size 0xfffffffa.

This vulnerability results in arbitrary code execution.

8. *Report Timeline*

. 2010-08-26:
Vendor contacted, a draft of this advisory is sent and September 28th is
proposed as a coordinated publication date. Core remarks that since this
is a variation of a publicly disclossed vulnerability it may have
already been discovered by other security researchers like vulnerability
research brokers or independent security researchers.

. 2010-08-28:
The Apple Product Security team acknowledges the report, saying that
they were able to reproduce the issue in Mac OS X 10.5 but not in Mac OS
X 10.6, they also said that the deadline for September 28th will be
imposible to meet.

. 2010-08-30:
Core informs Apple that there is no problem changing the publication
date for the report, whenever the new publication date remains
reasonable. Also, Core asks for a tentive timeframe for the fix, and
confirm that Mac OS X 10.6 does not seem to be affected.

. 2010-08-31:
Apple acknowledges the comunication informing the publication timing,
and state that they are still trying to determine the most appropiate

. 2010-09-28:
Core asks the vendor for an update regarding this issue. Also, Core asks
for a specific timeframe for the fix, and sets October 18th as tentative
publication date.

. 2010-09-28:
Apple acknowledges the comunication informing that this issue will be
fixed in the next security update of Mac OS X 10.5, which is tentatively
scheduled for the end of October without a firm date of publication.

. 2010-08-31:
Apple asks Core about credit information for the advisory.

. 2010-09-28:
Core acknowledges the comunication sending the credit information for
this report.

. 2010-10-20:
Core asks Apple for a firm date for the release of this securiry issue
since the initial propossed timeframe of October 18th is due.

. 2010-10-22:
Apple acknowledges the comunication informing that the publication date
is scheduled to the week of October 25th. Also, Apple notifies that the
assigned identifier for this vulnerability is CVE-2010-1797.

. 2010-11-01:
Core asks Apple for a new schedule for the publication, since there was
no notice of any Apple security update during the week of October 25th.

. 2010-11-01:
Apple acknowledges the communication informing that the publication date
was rescheduled to the middle of the week of November 1st.

. 2010-11-03:
Core informs Apple that the publication of this advisory was scheduled
to Monday 8th, taking into account the last communication this is a
final publication date. Core also informs that the information about how
this vulnerability was found and how it can be exploited will be
discussed in a small infosec related local event in Buenos Aires city.

. 2010-11-08:
Core publishes advisory CORE-2010-0825.

9. *References*

[1] [http://en.wikipedia.org/wiki/PostScript_fonts#Compact_Font_Format]

10. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:

11. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at

12. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/]

13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at

Version: GnuPG v2.0.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus