-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Advisory: Apple iPhone OS AudioCodecs Heap Buffer Overflow Advisory ID: TKADV2009-007 Revision: 1.0 Release Date: 2009/09/09 Last Modified: 2009/09/09 Date Reported: 2009/04/05 Author: Tobias Klein (tk at trapkit.de) Affected Software: iPhone OS 1.0 through 3.0.1 iPhone OS for iPod touch 1.1 through 3.0 Remotely Exploitable: Yes Locally Exploitable: No Vendor URL: http://www.apple.com/ Vendor Status: Vendor has released an updated version CVE-ID: CVE-2009-2206 Patch development time: 158 days ====================== Vulnerability Details: ====================== The iPhone OS AudioCodecs library contains a heap buffer overflow vulnerability while parsing maliciously crafted AAC or MP3 files. The vulnerability may be exploited by an attacker to execute arbitrary code in the context of an application using the vulnerable library. One attack vector are iPhone ringtones with malformed sample size table entries. It was successfully tested that iTunes uploads such malformed ringtones to the phone. ================== Technical Details: ================== Vulnerable library: /System/Library/Frameworks/AudioToolbox.framework/AudioCodecs Vulnerable function: ACTransformerCodec::AppendInputData() Disassembly of the vulnerable function: [..] __text:3314443C LDR R3, [R5,#0xA8] __text:33144440 LDR R2, [R5,#0xA4] __text:33144444 ADD R3, R3, #1 __text:33144448 ADD R2, fp, R2 __text:3314444C STR R3, [R5,#0xA8] __text:33144450 MOV R3, #0 __text:33144454 STMIA IP, {R2,R3} [1] __text:33144458 MOV R3, #0 __text:3314445C STR R3, [IP,#8] [2] __text:33144460 LDR R3, [SP,#0x4C+sample_size] [3] __text:33144464 STR R3, [IP,#0xC] [4] __text:33144468 ADD IP, IP, #0x10 [5] [..] [1] The values of R2 and R3 are stored into the heap buffer pointed to by IP (R12). R2 contains user controlled data. [2] The value of R3 gets copied into the heap buffer. [3] R3 is filled with user controlled data from the audio file. [4] The user controlled data of R3 gets copied into the heap buffer. [5] The index into the heap buffer (pointed to by IP) gets incremented. This code snippet gets executed in a loop. As there is no bounds checking of the heap buffer pointed to by IP (R12) it is possible to cause an out of bounds write (heap buffer overflow). ========= Solution: ========= Upgrade to iPhone OS 3.1 or iPhone OS 3.1.1 for iPod touch. ==================== Disclosure Timeline: ==================== 2009/04/05 - Apple Product Security Team notified 2009/04/05 - Received an automated response message 2009/04/07 - Reply from Apple 2009/06/05 - Status update request sent to Apple 2009/06/05 - Apple confirms the vulnerability 2009/08/17 - Status update by Apple 2009/09/05 - Status update by Apple 2009/09/09 - New iPhone OS released by Apple 2009/09/09 - Release date of this security advisory ======== Credits: ======== Vulnerability found and advisory written by Tobias Klein. =========== References: =========== [REF1] http://support.apple.com/kb/HT3860 [REF2] http://www.trapkit.de/advisories/TKADV2009-007.txt ======== Changes: ======== Revision 0.1 - Initial draft release to the vendor Revision 1.0 - Public release =========== Disclaimer: =========== The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. ================== PGP Signature Key: ================== http://www.trapkit.de/advisories/tk-advisories-signature-key.asc Copyright 2009 Tobias Klein. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Charset: utf-8 wj8DBQFKqB4rkXxgcAIbhEERAik4AKD5gWG/GvB9bLQojJpaLhTVlfpj4gCfSJ9i nVSlzUd5NozllFGeI5rCboc= =B2cm -----END PGP SIGNATURE-----