受影响系统:
Apple XCode 2.0 - 3.0
不受影响系统:
Apple XCode 3.1
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 30189
CVE(CAN) ID: CVE-2008-2304
Xcode是苹果机器上所使用的开发工具。
Xcode工具中包含有名为Core Image Fun House的示例应用程序,用于处理带有.funhouse扩展名的内容。Funhouse应用没有正确地解析XML数据,如果用户受骗打开了特制的.funhouse文件的话,就可能触发缓冲区溢出。以下是负责解析上述文件的代码:
// render origin handles using AppKit directly
- - (CIImage *)drawPoints:(CIImage *)im
{
...
~ NSString *str, *str2, *localizedParameter;
...
~ else if ([type isEqualToString:@"image"])
~ {
~ // image effect stack element
~ // show an image origin (in its center)
~ CGRect r = [[es imageAtIndex:i] extent];
~ NSPoint offset = [es offsetAtIndex:i];
~ pt.x = offset.x + (r.origin.x + r.size.width * 0.5);
~ pt.y = offset.y + (r.origin.y + r.size.height * 0.5);
~ str = [[es filenameAtIndex:i] stringByAppendingString:@"
center"];
~ [self drawPoint:pt label:str intoContext:cg];
~ }
}
上述代码会调用以下代码:
/*
~ Drawing
*/
// draw an onscreen handle for an image origin, text origin, or filter point
// the handle is a "center symbol" - a circle with crosshairs through it.
// the handle is labelled with the string "str".
// all items are "shadowed"
- - (void)drawPoint:(NSPoint)pt label:(NSString *)str
intoContext:(CGContextRef)cg
{
...
~ char cstr[256];
...
~ if (!movingNow)
~ {
~ [str getCString:cstr]; <-- Vulnerability Exists Here
<*来源:Kevin Finisterre (
dotslash@snosoft.com)
链接:
http://marc.info/?l=bugtraq&m=121580312729455&w=2
http://support.apple.com/kb/HT2352
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
http://www.milw0rm.com/exploits/6043
建议:
--------------------------------------------------------------------------------
临时解决方法:
* 用[str getCString:cstr maxLength:254]替换有漏洞代码段中的[str getCString:cstr]。
厂商补丁:
Apple
-----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.apple.com
