Apple OS X BOM ArchiveHelper .zip Heap Overflow
April 19th, 2006
Apple OS X 10.4.6 and prior
BomArchiveHelper 10.4 (6.3) Build 312
BOMArchiveHelper is the default archive file handler in Mac OS X. It runs as a service with no GUI and is invoked when the user double-clicks an archived file. A heap overflow vulnerability exists within BOMArchiveHelper which allows an attacker to crash the application or execute arbitrary code on a targeted host.
When decompressing a specially crafted .zip file, the BOMStackPop() function incorrectly parses the malformed data and the application crashes with a segmentation fault.
Below, the crash is triggered on OS X (PPC) 10.4.6 under gdb:
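The advisory does not say which field of the crafted .zip is malformed, so the following is an added illustration, not BOMArchiveHelper code and not a reproduction of the crash: a minimal walker over PKZIP local file headers that validates every attacker-controlled length (file name, extra field, compressed size) against the bytes actually present before using it, which is the class of check a decompressor must make before copying archive data into a heap buffer. The archive bytes are constructed inline; no central directory is emitted because the walker only needs the local headers.

```python
import struct
import zlib

# PKZIP local file header (little-endian), 30 bytes:
# sig, version, flags, method, mtime, mdate, crc32, csize, usize, name_len, extra_len
LOCAL_HEADER_SIG = 0x04034B50
LOCAL_HEADER_FMT = "<IHHHHHIIIHH"
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)   # 30
FLAG_DATA_DESCRIPTOR = 0x0008
METHOD_STORED = 0


class MalformedZip(ValueError):
    """Raised instead of trusting a length field taken from the archive."""


def parse_local_headers(data: bytes) -> list:
    """Return (name, csize, usize) for each local file header in `data`.

    Every length read from the archive is bounds-checked against the
    remaining input before it is used to slice or skip, so a crafted
    16-bit or 32-bit length can never carry a read or copy past the end
    of the buffer."""
    entries = []
    off = 0
    while off + LOCAL_HEADER_LEN <= len(data):
        fields = struct.unpack_from(LOCAL_HEADER_FMT, data, off)
        sig, flags, method = fields[0], fields[2], fields[3]
        csize, usize, name_len, extra_len = fields[7], fields[8], fields[9], fields[10]
        if sig != LOCAL_HEADER_SIG:
            break                                   # not a local header: stop walking
        body = off + LOCAL_HEADER_LEN
        remaining = len(data) - body
        # name_len and extra_len are attacker-controlled 16-bit values
        if name_len + extra_len > remaining:
            raise MalformedZip(f"header at {off}: name/extra length "
                               f"{name_len}+{extra_len} exceeds {remaining} bytes left")
        if flags & FLAG_DATA_DESCRIPTOR:
            # sizes live in a trailing descriptor; this walker does not support that
            raise MalformedZip(f"header at {off}: data descriptor entries not supported")
        data_start = body + name_len + extra_len
        # csize is an attacker-controlled 32-bit value
        if csize > len(data) - data_start:
            raise MalformedZip(f"header at {off}: csize {csize} exceeds input")
        if method == METHOD_STORED and csize != usize:
            raise MalformedZip(f"header at {off}: stored entry with csize != usize")
        name = data[body:body + name_len].decode("ascii", "replace")
        entries.append((name, csize, usize))
        off = data_start + csize
    return entries


def is_safe_zip(data: bytes) -> bool:
    """True if every local header passes the length checks above."""
    try:
        parse_local_headers(data)
        return True
    except MalformedZip:
        return False


def build_stored_entry(name: bytes, payload: bytes, extra: bytes = b"") -> bytes:
    """Constructed helper: one well-formed, uncompressed (stored) local entry."""
    hdr = struct.pack(LOCAL_HEADER_FMT, LOCAL_HEADER_SIG, 20, 0, METHOD_STORED, 0, 0,
                      zlib.crc32(payload), len(payload), len(payload), len(name), len(extra))
    return hdr + name + extra + payload


# Constructed sample archive: two stored entries, 113 bytes in total.
GOOD_ZIP = (build_stored_entry(b"hello.txt", b"hello, world\n")
            + build_stored_entry(b"notes/readme", b"constructed sample\n"))

# Constructed malformed variants: oversized name length, oversized compressed size.
_buf = bytearray(GOOD_ZIP)
struct.pack_into("<H", _buf, 26, 0xFFFF)       # name_len field of the first header
BAD_NAME_LEN = bytes(_buf)
_buf = bytearray(GOOD_ZIP)
struct.pack_into("<I", _buf, 18, 0x7FFFFFFF)   # csize field of the first header
BAD_CSIZE = bytes(_buf)

if __name__ == "__main__":
    for label, blob in (("good", GOOD_ZIP), ("bad name_len", BAD_NAME_LEN),
                        ("bad csize", BAD_CSIZE), ("truncated", GOOD_ZIP[:-3])):
        print(f"{label:12s} -> {'ok' if is_safe_zip(blob) else 'rejected'}")
```

The walker stops at the first non-header signature rather than seeking the central directory, which keeps the example focused on the per-entry checks; a real extractor would also reconcile each local header against its central directory record before allocating output buffers.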
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x756e8897
[Switching to process 411 thread 0x3a03]
0x94498c14 in BOMStackPop ()
#0 0x94498c14 in BOMStackPop ()
#1 0x944994e4 in _copyDir ()
#2 0x944ab8fc in _copyFromPKZip ()
#3 0x94499060 in _copyDir ()
#4 0x944ab8fc in _copyFromPKZip ()
#5 0x944aa1ac in _BOMCopierCopyFromPKZip ()
#6 0x9449f270 in BOMCopierCopyWithOptions ()
#7 0x0000c8cc in ?? ()
#8 0x0000c1a0 in ?? ()
#9 0x00007360 in ?? ()
#10 0x00005938 in ?? ()
#11 0x928d46d4 in forkThreadForFunction ()
#12 0x9002b200 in _pthread_body ()
(gdb) disas BOMStackPop
Dump of assembler code for function BOMStackPop:
End of assembler dump.
This issue has been fixed in Security Update 2006-003.