MOAB-29-01-2007: Apple iChat Bonjour Multiple Denial of Service Vulnerabilities

"Comparatively few are demonstrable vulnerabilities, although many are potential vulnerabilities, in the sense that they crash the program and it's hard to demonstrate that the crash is not exploitable." -- Larry the eWook. Contradicting yourself is bad mufu...

• summary
• affected versions
• proof of concept
• debugging
• notes

BACK

• »  back to home

CREDIT

• Discovery: LMH
• Exploit: LMH

POC or EXPLOIT

• »  MOAB-29-01-2007.rb

REFERENCES

• »  CVE-NO-NAME

Summary

The vendor (Apple) provides the following description of Bonjour and iChat:

Bonjour, also known as zero-configuration networking, enables automatic discovery of computers, devices, and services on IP networks. Bonjour uses industry standard IP protocols to allow devices to automatically discover each other without the need to enter IP addresses or configure DNS servers.

Apple iChat Bonjour functionality is affected by several denial of service flaws. The most simple of them is the lack of throttling for discovery of available contacts (via mDNS queries). iChat will add any advertised _presence._tcp records, without even verifying if some of them already exist (ex. match first or last name, AIM handle, etc). A malicious user could advertise fake records and successfully block iChat users using Bonjour from discovering further peers in the network and having reliable communications.

The other issue can be used remotely to directly cause an exception in the iChat Agent when parsing a crafted TXT key hash. This will instantly cause a SIGTRAP signal to be sent to the process, causing a so-called 'crash'. Further attempts to launch iChat Bonjour functionality again will fail as mDNSResponder keeps the crafted record (and restarting it will be necessary). These particular issues can't be abused for arbitrary code execution.

Note: this should be considered an issue in mDNSResponder as well; iChat isn't involved in the processing of any mDNS service advertisements (although it should definitely throttle presence queries). mDNSResponder stops responding shortly after abuse.

Affected versions

Verified with iChat 3.1.6 (v441), InstantMessage framework v428 on Mac OS X 10.4.8 (8L2127), x86.

Proof of concept, exploit or instructions to reproduce

The exploit provided contains two different methods to conduct a denial of service attack against iChat Bonjour. The first one takes advantage of the lack of throttling for 'presence discovery', and the second method simply broadcasts a crafted TXT keys hash for triggering a NULL pointer dereference. All hosts reachable via Bonjour and running iChat will be knocked out.

$ ruby bug-files/MOAB-29-01-2007.rb 
++ MOAB-29-01-2007: iChat Bonjour Fun
++ Selected target: 0

$ ruby bug-files/MOAB-29-01-2007.rb 1
++ MOAB-29-01-2007: iChat Bonjour Fun
++ Selected target: 1
++ Registering presence 0
(...)
++ Registering presence 411
^C++ Exiting...
            

Note: please don't prank random zealots with it. We would be instantly blamed as the source of the joke, we would see photoshopped and funny Safari screenshots and alleged whowas commands. Last but not least, don't use Chinese SOCKS proxies please, zealots think Shangai is in the US and will blame KF too.

Debugging information

The following debugging information shows iChat Agent during both attacks supported by the provided exploit:

-- via fake record presence advertising denial of service

$ top
(...)
2751 iChatAgent   0.0%  0:03.65   3    69    82  3.17M  5.56M  6.18M   298M

Attaching to program: `.../iChatAgent.app/Contents/MacOS/iChatAgent', process 2733.
Reading symbols for shared libraries ................................... done
0x90009857 in mach_msg_trap ()
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: .../iChatAgent.app/Contents/MacOS/iChatAgent 
^C
Program received signal SIGINT, Interrupt.
0x9001db47 in recvfrom ()

(gdb) x/i $ebx
0x9007b5b6 :  mov    20(%ebp),%esi

(gdb) x/s 0x1100989  
0x1100989:       "Larry Seltzer Snorts Coke"
(gdb) x/s 0x1100989+640
0x1100c09:       "Larry Seltzer Snorts Coke"

MALLOC_TINY   00500000-00600000 [ 1024K] rw-/rwx SM=COW  DefaultMallocZone_0x500000
MALLOC_TINY   01100000-011cf000 [  828K] rw-/rwx SM=COW  DefaultMallocZone_0x500000
MALLOC        01800000-02008000 [ 8224K] rw-/rwx SM=COW  DefaultMallocZone_0x500000

(gdb) back
#0  0x9001db47 in recvfrom ()
#1  0x90032846 in recv ()
#2  0x9006e11e in deliver_request ()
#3  0x9007b690 in DNSServiceQueryRecord ()
#4  0x9101cadc in CFNetServiceMonitorStart ()
#5  0x9268eb72 in -[NSNetService startMonitoring] ()
#6  0x0004eb39 in ?? ()
#7  0x925e9059 in -[NSArray makeObjectsPerformSelector:withObject:] ()
#8  0x0004e9bf in ?? ()
#9  0x9268e49c in _netServiceBrowserDispatchCallBack ()
#10 0x9101c195 in _BrowseReply ()
#11 0x9007affe in handle_browse_response ()
#12 0x9007ae96 in DNSServiceProcessResult ()
#13 0x910164fa in _SocketCallBack ()
#14 0x9083ffef in __CFSocketDoCallback ()
#15 0x9083fd64 in __CFSocketPerformV0 ()
#16 0x90829fd2 in CFRunLoopRunSpecific ()
#17 0x90829b0e in CFRunLoopRunInMode ()
#18 0x92622dc6 in -[NSRunLoop runMode:beforeDate:] ()
#19 0x92622cc2 in -[NSRunLoop run] ()
#20 0x00002808 in ?? ()
#21 0x000026c2 in ?? ()
#22 0x0006535d in ?? ()

-- via crafted TXT record

Starting program: .../iChatAgent.app/Contents/MacOS/iChatAgent 
2007-01-30 05:09:26.483 iChatAgent[2850] *** Uncaught exception:  ***
-[NSCFDictionary setObject:forKey:]: attempt to insert nil value

Program received signal SIGTRAP, Trace/breakpoint trap.
0x9262050b in _NSRaiseError ()

(gdb) back
#0  0x9262050b in _NSRaiseError ()
#1  0x926472cb in +[NSException raise:format:] ()
#2  0x92692131 in _NSDictionaryRaiseInsertNilValueException ()
#3  0x925d55bf in -[NSCFDictionary setObject:forKey:] ()
#4  0x0004ecde in ?? ()
#5  0x0004eb83 in ?? ()
#6  0x9101cfb4 in _QueryRecordReply ()
#7  0x9007b84c in handle_query_response ()
#8  0x9007ae96 in DNSServiceProcessResult ()
#9  0x91039b55 in _SocketCallBack ()
#10 0x9083ffef in __CFSocketDoCallback ()
#11 0x9083fd64 in __CFSocketPerformV0 ()
#12 0x90829fd2 in CFRunLoopRunSpecific ()
#13 0x90829b0e in CFRunLoopRunInMode ()
#14 0x92622dc6 in -[NSRunLoop runMode:beforeDate:] ()
#15 0x92622cc2 in -[NSRunLoop run] ()
#16 0x00002808 in ?? ()
#17 0x000026c2 in ?? ()
#18 0x0006535d in ?? ()
            

Notes

Exploitation conditions

Given that the exploitation vector is Bonjour (and taking into account that it's a broadcasting service), these issues can be abused remotely affecting numerous users given that they can be reached via service advertisements. Pretty much like with wireless device driver exploits, the term 'massive pwnage' can be used in all it's glory.

Bonjour weaknesses and further details will be published soon in a separate document.

Workaround or temporary solution

For instance, either don't use iChat with Bonjour or disable mDNSResponder all the way. You don't want to be (another) nevaR reldA, seriously.

$ sudo launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
$ sudo mv /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist \
/Users/Shared/com.apple.mDNSResponder.plist.BACKUP
			

Copyright © 2006 LMH <lmh [at] info-pull.com>.