full-disclosure-uk August 2008 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] n.runs-SA-2008.005 - Apple

[Full-disclosure] n.runs-SA-2008.005 - Apple Inc. - CoreServices Framework’s CarbonCore Framework - Arbitrary Code Execution (remote)

From: <security_at_nospam>
Date: Fri Aug 01 2008 - 17:29:59 GMT
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com

n.runs AG http://www.nruns.com/ security(at)nruns.com n.runs-SA-2008.005 01-Aug-2008
Vendor: Apple Inc., http://www.apple.com Affected Products: CoreServices Framework’s CarbonCore Framework (Used by: i.e. Safari, Mail) Affected Platforms: Mac OS X v10.4.11 Mac OS X Server v10.4.11 Mac OS X v10.5.4 Mac OS X Server v10.5.4 Vulnerability: Arbitrary Code Execution (remote) Risk: CRITICAL

Vendor communication:

   2008/03/07 Initial notification to Apple Inc. n.runs AG has found a considerable amount of vulnerabilities in Apple most up-to-date Default Systems and Default Installed Products both on Mac OS 10.5 (Leopard) and iPhone 1.1.4, and intends to send them in several phases to Apple Inc. 2008/03/08 Apple Inc. replies to n.runs AG providing their public pgp key. Apple Inc. states that the Apple Inc. RFP will be used instead of the n.runs RFP 2008/03/08 n.runs AG responds that vulnerability reporting will only happen under n.runs AG RFP 2008/03/11 Apple Inc. confirms to n.runs AG that the n.runs AG RFP is aligned to their RFP, and that n.runs may continue with further communication and bug reporting    2008/03/11 n.runs AG sends PoCs for various issues to Apple Inc.    2008/03/11 Apple Inc. acknowledges the PoCs, but has issues reproducing some of the vulnerabilities. 2008/03/12 n.runs AG sends more reliable PoCs along with detailed reproduction steps. 2008/03/24 Apple Inc. sends a status report regarding the vulnerabilities reported by n.runs AG 2008/03/30 n.runs AG thanks Apple Inc. for the status update and apologises for not being more responsive during the CanSecWest time-frame. 2008/03/31 Apple Inc. sends a second status update and provides a link to where the credits will appear (http://support.apple.com/kb/HT1222) 2008/04/01 n.runs AG acknowledges the update and sends a second set of vulnerabilities and PoC based on the good and frequent communications that n.runs AG has had with Apple Inc. so far. 2008/04/01 Apple Inc. thanks n.runs AG for the new PoC, acknowledges them and includes a status report. Some of the issues are reported to be already known to them and/or discovered internally previously to n.runs AG reporting. Apple Inc. also informs that Sergio’s name and company has been added to their system to track credit information for each of the security issues, and provides the Radar IDs assigned to each of them. Apple mentions further issues when trying to reproduce some of the vulnerabilities. 2008/04/01 n.runs AG thanks for the quick response and also clarifies that n.runs AG expects, as described in the RFP, to be credited for all the vulnerabilities reported to Apple Inc. - all of which affect the most up-to-date products available to the public - whether they are internally known to Apple Inc or not. 2008/04/03 Apple Inc. replies: “Yes, that's our policy: all reporters of non publicly known security bugs get credit.” 2008/05/23 n.runs AG reports another vulnerability and requests a status update for the previously reported vulnerabilities 2008/05/29 Apple Inc. sends a status report and asks how n.runs would like to be credited, if there is some specific format.
   2008/05/29 n.runs AG sends the requested information to Apple Inc.    2008/05/31 Apple Inc. sends the status report for the last reported issue, along with its Radar ID. 2008/07/10 n.runs AG requests a status update for the issues reported to Apple Inc. 2008/07/11 Apple Inc. sends the status report. Apple informs n.runs AG that some of the vulnerabilities had already been fixed, for which an update had been released some time ago. Apple Inc. also mentions that one of the vulnerabilities was found through internal security testing; consequently no credit was given, but that would be fixed. Apple Inc. requests the format for the credits that n.runs AG would like to have. 2008/07/13 n.runs AG replies with the following statement: “As I [Sergio Alvarez] said and you agreed in my first e-mails, before sending any of my findings, whether you found them internally or somebody else reported the same bugs that I'm reporting, you (Apple) have to credit me for my findings for the simple reason that I'm reporting them to you instead of releasing them to the public while the bugs are not fixed. That said, I've checked all the credits given in "iPhone 2.0 and iPod touch 2.0" (http://support.apple.com/kb/HT2351) and the ones given in "QuickTime 7.5" (http://support.apple.com/kb/HT1991), and I haven't been credited in any of them. This is a clear violation of our RFP. If by Monday, July 14th 2008 the proper credits are not given to me, I'll release all the vulnerabilities and bugs that I've reported to you and also the ones I didn't report yet by Tuesday, July 15th 2008.” 2008/07/15 Apple Inc. asks n.runs AG not to make their findings public and also publishes the credits for one of the issues reported. Apple also provides a status report for the previous findings. 2008/07/15 n.runs AG provides further use-cases and attack vectors information to Apple Inc. 2008/07/23 Apple Inc. creates a new security ID for the use-cases and attack vectors reported as a design issue to fix. 2008/07/23 n.runs thanks Apple Inc. for the feedback and asks for a status report update 2008/08/01 Apple Inc. notifies n.runs AG of the imminent release of an update and sends the related advisory and credits. (The update and credits were already available at the time n.runs AG read the email sent by Apple Inc.)    2008/08/01 n.runs AG releases this advisory


Carbon is a set of C APIs offering developers an advanced user interface toolkit, event handling, access to the Quartz 2D graphics library, and multiprocessing support. Developers have access to other C and C++ APIs, including the OpenGL drawing system and the Mach microkernel.

CarbonCore gathers together a number of lower-level Mac OS Toolbox managers. Some of these are deprecated but essential to porting to Carbon.

CarbonCore includes the old Device Manager, Date and Time Utilities, the Finder interface, Mixed Mode, CFM, the Thread Manager, the Collection Manager, the Script Manager, and more. Most of the Toolbox defines are in here.


A remotely exploitable vulnerability has been found in the file name parsing code.

More specifically, passing a long file name to the CarbonCore framework file management API will trigger a stack buffer overflow.


This problem can lead to remote arbitrary code execution if an attacker carefully crafts a file that exploits the aforementioned vulnerability. n.runs AG illustrated the exploitation using Safari and Mail - both present on a standard OS X installation - to demonstrate the risks. The attack surface is however not limited to these two applications: any software component that makes use of the CarbonCore framework may allow arbitrary code execution. The vulnerability is present in Apple CarbonCore Framework prior to the update released on Aug 1st, 2008.


The vulnerability was reported on Apr 1st, 2008 and Apple Security Update has been issued to solve this vulnerability on Aug 1st, 2008. For detailed information about the fixes, follow the link in the references section [1] of this document.

Bug found by Sergio ‘shadown’ Alvarez of n.runs AG.

[1] http://support.apple.com/kb/HT2647

This Advisory and Upcoming Advisories:

Subscribe to the n.runs newsletter by signing up to: http://www.nruns.com/newsletter_en.php

Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact security@nruns.com for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages.

Copyright 2008 n.runs AG. All rights reserved. Terms of use apply.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/