Tuesday, February 02, 2010

iPhone OS and Mac OS X Stack Buffer Overflow

My second security advisory in 2010 (TKADV2010-002) describes the details of a stack buffer overflow I found in CoreAudio of Apple's iPhone OS and Mac OS X. The bug can be triggered by playing a maliciously crafted mp4 audio file. Example attack vectors on the iPhone are MobileSafari and malicious ringtones.

Crashdump details:

[..]
Process:         mediaserverd [17]
Path:            /usr/sbin/mediaserverd

..

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x41414140

..

Unknown thread crashed with ARM Thread State:
    r0: 0x6474613f    r1: 0x01380c40      r2: 0x380c561c      r3: 0x0000010d
    r4: 0x41414141    r5: 0x41414141      r6: 0x41414141      r7: 0x41414141
    r8: 0x41414141    r9: 0x00181494     r10: 0x41414141     r11: 0x41414141
    ip: 0x00818000    sp: 0x01380c00      lr: 0x3072d454      pc: 0x41414140
  cpsr: 0x60000030
[..]