Apple OS X BOM ArchiveHelper .zip Heap Overflow
Release Date:
April 19th, 2006
Severity:
Medium
Vendor:
Apple
Versions Affected:
Apple OS X 10.4.6 and prior
BomArchiveHelper 10.4 (6.3) Build 312
Overview:
BOMArchiveHelper is the default archive file handler in Mac OS X. It runs as a service without a GUI and is invoked when an archived file is double-clicked. A heap overflow vulnerability exists in BOMArchiveHelper that allows an attacker to crash the application and/or execute arbitrary code on the targeted host.
Technical Details:
When decompressing a specially crafted .zip file, the BOMStackPop() function incorrectly parses the malformed data, causing the application to crash with a segmentation fault.
The crash below was triggered on OS X (PPC) 10.4.6 under gdb:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x756e8897
[Switching to process 411 thread 0x3a03]
0x94498c14 in BOMStackPop ()
(gdb) bt
#0 0x94498c14 in BOMStackPop ()
#1 0x944994e4 in _copyDir ()
#2 0x944ab8fc in _copyFromPKZip ()
#3 0x94499060 in _copyDir ()
#4 0x944ab8fc in _copyFromPKZip ()
#5 0x944aa1ac in _BOMCopierCopyFromPKZip ()
#6 0x9449f270 in BOMCopierCopyWithOptions ()
#7 0x0000c8cc in ?? ()
#8 0x0000c1a0 in ?? ()
#9 0x00007360 in ?? ()
#10 0x00005938 in ?? ()
#11 0x928d46d4 in forkThreadForFunction ()
#12 0x9002b200 in _pthread_body ()
(gdb) disas BOMStackPop
Dump of assembler code for function BOMStackPop:
End of assembler dump.
Solution:
This issue has been fixed in Security Update 2006-003.
Discovered by:
Tom Ferris
tommy[at]security-protocols[dot]com
Related Links:
http://www.security-protocols.com/poc/sp-x25.zip
http://www.apple.com/macosx/