MOAB-19-01-2007: Transmit.app ftps:// URL Handler Heap Buffer Overflow

Published: 2007-01-21 00:00:00
Source: vulners.com (SECURITYVULNS:DOC:15782)

Summary

Transmit 3 takes Mac OS X FTP to the next level by making file management easy. You can copy files to or from a server with drag-and-drop simplicity, or edit HTML code directly on a web server. You can even preview graphic files on the fly with Transmit.

Transmit can speak to almost any server that understands FTP, SFTP, FTP TLS/SSL, WebDAV, or secure WebDAV. It works great with everything from Mac OS X's built-in FTP server to your iDisk. When dealing with the SFTP protocol, Transmit unfortunately does not allocate enough space for the string passed in via the URL handler, leading to an exploitable heap-based buffer overflow condition.
Affected versions

Transmit.app versions up to 3.5.5 are affected.
Proof of concept, exploit or instructions to reproduce

The proof of concept uses JavaScript to trigger the issue by launching Transmit via an iframe element whose src attribute contains the non-malicious payload.
Debugging information

The following debugging information shows Transmit triggering the issue via the provided JavaScript-based proof of concept:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x44434279
[Switching to process 4189 thread 0x8607]
0x900257e2 in flockfile ()
(gdb) i r
eax 0x1938600 26445312
ecx 0x44434241 1145258561
edx 0xb0230768 -1339881624
ebx 0x900107db -1878980645
esp 0xb02305e0 0xb02305e0
ebp 0xb02305f8 0xb02305f8
esi 0x1938600 26445312
edi 0x44434241 1145258561
eip 0x900257e2 0x900257e2 <flockfile+18>
eflags 0x10282 66178
cs 0x17 23
ss 0x1f 31
ds 0x1f 31
es 0x1f 31
fs 0x0 0
gs 0x37 55
(gdb) back
#0 0x900257e2 in flockfile ()
#1 0x900107f2 in vfprintf ()
#2 0x00190cf3 in PrintF ()
#3 0x00187bc5 in FTPInitialLogEntry ()
#4 0x00187d10 in FTPOpenHost ()
#5 0x00150626 in -[FTPConnectionWorker _connectTo:port:user:password:
initialPath:localPath:redial:listFiles:encoding:] ()
#6 0x90a58c56 in objc_msgSendv ()
#7 0x925f443e in -[NSInvocation invoke] ()
#8 0x9261a433 in -[NSInvocation invokeWithTarget:] ()
#9 0x001611d3 in -[AbstractConnectionWorker workerThreadWithPorts:] ()
#10 0x925ed36c in forkThreadForFunction ()
#11 0x90023d87 in _pthread_body ()

(gdb) x/10 $ebp
0xb02305f8: 0xb0230628 0x900107f2 0x44434241 0x624f746e
0xb0230608: 0x7463656a 0x80040000 0x01148589 0x03010101
0xb0230618: 0x5f0c0101 0x00187b6e
(gdb) x/10 $esp
0xb02305e0: 0x20000000 0x4202a05f 0x00000000 0x00000000
0xb02305f0: 0x0193744b 0x44434241 0xb0230628 0x900107f2
0xb0230600: 0x44434241 0x624f746e

Notes
Exploitation conditions

Given that the buffer overflow is heap-based, a non-executable stack does nothing to prevent exploitation for code execution. For heap exploitation techniques, please read the excellent Phrack article by nemo: OS X heap exploitation techniques. This issue can be abused via different vectors, such as JavaScript, Flash movies, etc.
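The following is an added example, not Transmit's code: the unchecked-length copy pattern the summary describes, beside a bounded version that rejects a host that does not fit. The struct name, field layout, HOST_MAX and function names are hypothetical; the layout only echoes the backtrace above, where flockfile() ran on a FILE* equal to the pattern value 0x44434241.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SCHEME   "ftps://"
#define HOST_MAX 64

/* Hypothetical record: fixed-size host buffer on the heap with a FILE*
 * directly behind it. The layout is constructed for illustration and echoes
 * the crash above, where flockfile() received the pattern 0x44434241. */
struct conn {
    char  host[HOST_MAX];
    FILE *log;
};

/* Vulnerable pattern: no length check, so a URL whose host part exceeds
 * HOST_MAX overwrites conn->log and whatever follows it on the heap. */
struct conn *conn_from_url_unchecked(const char *url) {
    if (strncmp(url, SCHEME, strlen(SCHEME)) != 0) return NULL;
    struct conn *c = malloc(sizeof *c);
    if (!c) return NULL;
    c->log = stderr;
    strcpy(c->host, url + strlen(SCHEME));   /* unbounded heap write */
    return c;
}

/* Hardened version: measure the host first, reject anything that does not
 * fit, then copy exactly that many bytes into a zeroed record. */
struct conn *conn_from_url(const char *url) {
    size_t slen = strlen(SCHEME);
    if (strncmp(url, SCHEME, slen) != 0) return NULL;
    const char *host = url + slen;
    size_t hlen = strcspn(host, "/:?#");     /* host ends at path, port or query */
    if (hlen == 0 || hlen >= HOST_MAX) return NULL;
    struct conn *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    memcpy(c->host, host, hlen);             /* hlen < HOST_MAX leaves room for NUL */
    c->log = stderr;
    return c;
}

int main(void) {
    /* Constructed inputs: a normal URL and one whose host is 72 bytes long. */
    const char *big = SCHEME "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    struct conn *c = conn_from_url("ftps://ftp.example.com/pub");
    printf("host=%s\n", c ? c->host : "(rejected)");
    printf("over-long host %s\n", conn_from_url(big) ? "accepted (bug)" : "rejected");
    free(c);   /* conn_from_url_unchecked(big) is deliberately never run */
    return 0;
}
```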
Workaround or temporary solution

Disable the ftps:// URL handler via RCDefaultApp.