Apple OS X BOM ArchiveHelper .zip Heap Overflow

Release Date:
April 19th, 2006

Versions Affected:
Apple OS X 10.4.6 and prior
BomArchiveHelper 10.4 (6.3) Build 312

BOMArchiveHelper is the default archive file handler in Mac OS X. It runs as a faceless background application with no GUI and is invoked when a user double-clicks an archive file. A heap overflow vulnerability exists within BOMArchiveHelper that allows an attacker to crash the application and/or execute arbitrary code on a targeted host.

Technical Details:
When decompressing a specially crafted .zip file, the malformed data is mishandled on the PKZip copy path (_copyFromPKZip() / _copyDir()), and the resulting heap corruption surfaces in BOMStackPop(): the routine dereferences a stack-object pointer that no longer points at valid memory and the application segmentation faults.

Below, the crash is triggered on OS X 10.4.6 (PPC) under gdb:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x756e8897
[Switching to process 411 thread 0x3a03]
0x94498c14 in BOMStackPop ()
(gdb) bt
#0 0x94498c14 in BOMStackPop ()
#1 0x944994e4 in _copyDir ()
#2 0x944ab8fc in _copyFromPKZip ()
#3 0x94499060 in _copyDir ()
#4 0x944ab8fc in _copyFromPKZip ()
#5 0x944aa1ac in _BOMCopierCopyFromPKZip ()
#6 0x9449f270 in BOMCopierCopyWithOptions ()
#7 0x0000c8cc in ?? ()
#8 0x0000c1a0 in ?? ()
#9 0x00007360 in ?? ()
#10 0x00005938 in ?? ()
#11 0x928d46d4 in forkThreadForFunction ()
#12 0x9002b200 in _pthread_body ()
(gdb) disas BOMStackPop
Dump of assembler code for function BOMStackPop:
0x94498c08 : mr. r3,r3
0x94498c0c : li r11,0
0x94498c10 : beq- 0x94498c3c
0x94498c14 : lwz r2,8(r3)
0x94498c18 : cmpwi cr7,r2,0
0x94498c1c : ble- cr7,0x94498c3c
0x94498c20 : addi r2,r2,-1
0x94498c24 : lwz r9,0(r3)
0x94498c28 : li r0,0
0x94498c2c : stw r2,8(r3)
0x94498c30 : rlwinm r2,r2,2,0,29
0x94498c34 : lwzx r11,r2,r9
0x94498c38 : stwx r0,r2,r9
0x94498c3c : mr r3,r11
0x94498c40 : blr
End of assembler dump.
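
Reading the dump: r3 is the BOMStack object passed by _copyDir(). The word at offset 0 is a pointer to an array of 32-bit items, the word at offset 8 is the item count; the routine returns 0 for a NULL stack or an empty one, otherwise decrements the count, loads items[count] (rlwinm ... 2,0,29 is the multiply-by-4), zeroes that slot and returns the item. Nothing in it validates the object it is handed. The C model below is an added example, not Apple's code, reconstructed from the disassembly and paired with a bounds-checked variant; the `capacity` field placed at offset 4 and the `bom_stack_push()` helper are assumptions made for the demo, since the dump shows neither.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of BOMStackPop() reconstructed from the PPC disassembly in the
 * advisory (example code, not Apple's source).  Field offsets are those of
 * the 32-bit PPC build; on a 64-bit host the pointer member is wider.
 *
 *   mr. r3,r3 / li r11,0 / beq-   ; NULL stack -> return 0
 *   lwz r2,8(r3)                  ; count = stack->count
 *   cmpwi cr7,r2,0 / ble-         ; count <= 0 -> return 0
 *   addi r2,r2,-1                 ; count--
 *   lwz r9,0(r3)                  ; items = stack->items
 *   stw r2,8(r3)                  ; stack->count = count
 *   rlwinm r2,r2,2,0,29           ; byte offset = count * 4
 *   lwzx r11,r2,r9                ; result = items[count]
 *   stwx r0,r2,r9                 ; items[count] = 0
 *
 * The word at offset 4 is never touched by BOMStackPop, so its meaning is
 * not visible in the dump; this model uses it as an ASSUMED capacity field
 * so the hardened variant has something to validate against.
 */
typedef struct BOMStack {
    uint32_t *items;     /* offset 0: array of 32-bit items (pointers on PPC32) */
    uint32_t  capacity;  /* offset 4: ASSUMPTION, not established by the dump  */
    int32_t   count;     /* offset 8: number of live items                     */
} BOMStack;

/* Faithful model: trusts count and items without any check. */
uint32_t bom_stack_pop(BOMStack *s)
{
    uint32_t r;
    if (s == NULL) return 0;
    if (s->count <= 0) return 0;
    s->count--;
    r = s->items[s->count];
    s->items[s->count] = 0;
    return r;
}

/*
 * Hardened variant: refuse to pop when the object is inconsistent.  A count
 * larger than the backing array, or a NULL items pointer, is the kind of
 * state a heap overwrite of the stack object leaves behind; the original
 * code would index past the array (or through a garbage pointer) instead.
 */
int bom_stack_pop_checked(BOMStack *s, uint32_t *out)
{
    if (s == NULL || s->items == NULL) return -1;
    if (s->count <= 0) return -1;
    if ((uint32_t)s->count > s->capacity) return -1;   /* corrupted object */
    s->count--;
    *out = s->items[s->count];
    s->items[s->count] = 0;
    return 0;
}

/* Push helper (assumed; the advisory shows no push routine). */
int bom_stack_push(BOMStack *s, uint32_t v)
{
    if (s == NULL || (uint32_t)s->count >= s->capacity) return -1;
    s->items[s->count++] = v;
    return 0;
}

/*
 * Demo on a constructed stack: LIFO behaviour matches the disassembly, an
 * empty stack pops 0, and a stack whose count has been overwritten is
 * rejected by the checked pop instead of being read out of bounds.
 * Returns 0 on success, otherwise the number of the step that failed.
 */
int demo(void)
{
    uint32_t backing[4] = {0};
    BOMStack s = { backing, 4, 0 };
    uint32_t v;

    bom_stack_push(&s, 0x11);
    bom_stack_push(&s, 0x22);
    if (bom_stack_pop(&s) != 0x22) return 1;
    if (bom_stack_pop_checked(&s, &v) != 0 || v != 0x11) return 2;
    if (bom_stack_pop(&s) != 0) return 3;                /* empty -> 0 */

    s.count = 0x1000;                                    /* simulated overwrite of count */
    if (bom_stack_pop_checked(&s, &v) != -1) return 4;   /* refused, no OOB read */
    return 0;
}

int main(void)
{
    int rc = demo();
    printf("demo: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

One detail worth taking from the crash itself: the faulting instruction is lwz r2,8(r3), so the invalid address 0x756e8897 is r3 + 8 and the BOMStack pointer arrived in BOMStackPop() as 0x756e888f. That is an odd, unaligned value whose high bytes are the ASCII characters "un", consistent with the object pointer itself, not merely its count, having been overwritten by file-derived data during the copy. The checked pop above cannot help in that case, since the pointer is garbage before the routine runs; the fix has to sit in the PKZip copy path that corrupted the heap.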

This issue has been fixed in Security Update 2006-003.

Discovered by:
Tom Ferris
