Thursday, 25 January 2007

Apple CFNetwork HTTP Response Denial of Service

Vendor:: Apple
Application:: Mac OS X
Disclosed:: 25-01-07
Description:: CFNetwork fails to handle certain HTTP responses properly, causing the _CFNetConnectionWillEnqueueRequests() function to dereference a NULL pointer, leading to a denial of service condition exploitable by a server sending a crafted response to a client application making use of this API.
Exploit:: The provided proof of concept will listen at the specified port for incoming connections and send back the response necessary to reproduce the denial of service condition on any default CFNetwork-based client.
$ gcc MOAB-25-01-2007.c -o cfnet-http -framework Carbon
$ ruby MOAB-25-01-2007.rb 8080
++ Starting HTTP server at port 8080.
(once ./cfnet-http runs or CFNetwork client connects...)
++ Connected: CFNetwork/129.19
Prevention:: Perform sanity checking of HTTP responses received via the CFNetwork API. Wait for Apple to add further checks and fix the _CFNetConnectionWillEnqueueRequests() API.
PoC:: MOAB-25-01-2007.rb and MOAB-25-01-2007.c