This is a multi-part message in MIME format.
--------------070804010801020806010307
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit



--------------070804010801020806010307
Content-Type: text/plain; x-mac-type="54455854"; x-mac-creator="74657874";
 name="DMA[2007-0104a].txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="DMA[2007-0104a].txt"

DMA[2007-0104a] - 'iLife iPhoto Photocasing Format String Vulnerability'
Author: Kevin Finisterre
Vendor(s): http://www.apple.com 
Product: 'iLife 06 (?)'
References: 
http://www.digitalmunition.com/DMA[2007-0104a].txt 
http://www.apple.com/ilife/iphoto/features/photocasting.html 
http://projects.info-pull.com/moab/MOAB-04-01-2007.html 

Description:
Rebuilt for blazing performance, iPhoto makes sharing photos faster, simpler, and cooler than 
ever before. It adds eye-opening features to the ones you already love, including Photocasting, 
support for up to 250,000 photos, easy publishing to the web, special effects, and new custom 
cards and calendars. In essence iPhoto lets you spread smiles far and wide.

As easily as you can create a new photo album you can share it with friends and family thousands 
of miles away. A new feature in iPhoto 6, Photocasting allows .Mac members to share albums with 
anyone, anywhere. Say you have new photos of little Johny Pwnerseed. Place the photos you'd like 
to share in an album called "Johny Pwnerseed's Latest Pics.", then click "Photocast this Album". 
iPhoto publishes the album, and others can subscribe to it by clicking a link in an email you 
send.

But here's where the real fun begins. If you create a malformed XML file you can simulate the 
photocasting functionality in iPhoto 6 and use it to trigger a format string vulnerability. Once 
Aunt Sophia subscribes, the fake photos feed is automatically download into a "Johny Pwnerseed's 
Latest Pics" album that instantly triggers a format string write via %n. 

We're talking beautiful, full-res pwnage. Aunt Sophia is pretty much screwed if you are able to 
properly format your payload. 


xmlns:aw="http://www.apple.com/ilife/wallpapers"> 




http://www.digitalmunition.com/digital_munitions_detonator.jpg 





Host Name:      Aunt-Sophias-computer
Date/Time:      2006-12-04 19:52:51.035 -0500
OS Version:     10.4.8 (Build 8L2127)
Report Version: 4

Command: iPhoto
Path:    /Applications/iPhoto.app/Contents/MacOS/iPhoto
Parent:  WindowServer [83]

Version:        6.0.5 (6.0.5)
Build Version:  2
Project Name:   iPhotoProject
Source Version: 3160000

PID:    438
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00389ddc

Thread 0 Crashed:
0   libSystem.B.dylib           0x9000c0c1 __vfprintf + 4976
1   libSystem.B.dylib           0x90100ea9 snprintf_l + 504
2   com.apple.CoreFoundation    0x908119d5 _CFStringAppendFormatAndArgumentsAux + 4018
3   com.apple.CoreFoundation    0x9081091c _CFStringCreateWithFormatAndArgumentsAux + 122
4   com.apple.Foundation        0x925daa5d -[NSPlaceholderString initWithFormat:locale:arguments:] + 162
5   com.apple.Foundation        0x92678e6c +[NSString localizedStringWithFormat:] + 129
6   com.apple.iPhoto            0x0002ae3a 0x1000 + 171578
7   com.apple.iPhoto            0x0031298f 0x1000 + 3217807

Workaround:
Unregister the iphoto:// URL handler with RCDefaultsApp

Check out Landon's website... he has been on the ball the last few days. 
http://landonf.bikemonkey.org/ 

He has also set aside a google group for MOAB issues. 
http://groups-beta.google.com/group/moabfixes?hl=en 

http://www.apple.com/support/security/ 
http://docs.info.apple.com/article.html?artnum=61798 




--------------070804010801020806010307--