Application:: Mac OS X
Description:: CFNetwork fails to handle certain HTTP responses properly, causing the _CFNetConnectionWillEnqueueRequests() function to dereference a NULL pointer, leading to a denial of service condition exploitable by a server sending a crafted response to a client application making use of this API.
Exploit:: The provided proof of concept will listen at the specified port for incoming connections and send back the response necessary to reproduce the denial of service condition on any default CFNetwork-based client.
$ gcc MOAB-25-01-2007.c -o cfnet-http -framework Carbon
$ ruby MOAB-25-01-2007.rb 8080
++ Starting HTTP server at port 8080.
(once ./cfnet-http runs or CFNetwork client connects...)
++ Connected: CFNetwork/129.19 le...).
Prevention:: Perform sanity checking of HTTP responses received via CFNetwork API. Wait for Apple to add further checks and fix the
PoC:: MOAB-25-01-2007.rb and MOAB-25-01-2007.c