Vulnerabilities > CVE-2016-1850 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
SceneKit in Apple OS X before 10.11.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted file.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family | MacOS X Local Security Checks |
NASL id | MACOSX_10_11_5.NASL |
description | The remote host is running a version of Mac OS X that is 10.11.x prior to 10.11.5. It is, therefore, affected by multiple vulnerabilities in the following components : - AMD - apache_mod_php - AppleGraphicsControl - AppleGraphicsPowerManagement - Assistant - ATS - Audio - Captive - CFNetwork - CommonCrypto - CoreCapture - CoreStorage - Crash - Disk - Disk - Driver - Drivers - Drivers - Graphics - Graphics - Graphics - ImageIO - Images - Intel - IOAcceleratorFamily - IOAudioFamily - IOFireWireFamily - IOHIDFamily - Kernel - libc - libxml2 - libxslt - Lock - MapKit - Messages - Multi-Touch - Network - NVIDIA - OpenGL - Proxies - QuickTime - Reporter - SceneKit - Screen - Tcl - Utility Note that successful exploitation of the most serious issues can result in arbitrary code execution. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 91228 |
published | 2016-05-19 |
reporter | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/91228 |
title | Mac OS X 10.11.x < 10.11.5 Multiple Vulnerabilities |
code |
|
Seebug
bulletinFamily | exploit |
description | ### SUMMARY An exploitable type confusion vulnerability exists in the handling of DAE images on OS X. A crafted DAE document can trigger a type confusion vulnerability which potentially could be exploited to achieve attacker controlled code execution. Vulnerability can be triggered via a saved DAE file delivered by other means. ### TESTED VERSIONS OSX El Capitan - 10.11.4 ### PRODUCT URLs https://developer.apple.com/scenekit/ ### CVSSv3 SCORE 7.4 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U ### DETAILS This vulnerability is present in the Apple Scene Kit API which is used for all 3D image handling on OS X including most 3rd party 3D applications. There exists a vulnerability inside of Scene Kit in the parsing and handling of DAE images. A specially crafted DAE image file can lead to a type confusion vulnerability and ultimately to control. COLLADA defines an open standard XML schema for exchanging digital assets among various graphics software applications that might otherwise store their assets in incompatible file formats. COLLADA documents that describe digital assets are XML files, usually identified with a .dae (digital asset exchange) filename extension. In the XML it i possible to specify and create custom objects to be used by the renderer. Invalid checking allows a user to pass in an object that doesn't have the proper properties and gets illegally accessed. The inital crash is shown below: ``` RAX: 0x0000000000000000 RBX: 0x000000010072F428 RBP: 0x00007FFF5FBFD160 RSP: 0x00007FFF5FBFD130 o d I t s z a P c RDI: 0x000000010072F428 RSI: 0x00000001007AA702 RDX: 0xFFFFFFFFFFFFFFFF RCX: 0x0000000200000000 RIP: 0x000000010078DC5F R8: 0x0000000126A21FC0 R9: 0x00000001008E8128 R10: 0x00000001008E7AA8 R11: 0x00000001007A9BF6 R12: 0x480006B018E8DF3C R13: 0x0000000126A21FC0 R14: 0xFFFFFFFFFFFFFFFF R15: 0x00000001007AA702 CS: 002B FS: 0000 GS: 0000 ``` SceneKit`(anonymous namespace)::getAttributeIndex: -> 0x10078dc5f <+33>: mov r13, qword ptr [r12 + 0x30]` ``` 0x10078dc64 <+38>: test r13, r13 0x10078dc67 <+41>: je 0x10078dca0 ; <+98> 0x10078dc69 <+43>: xor ebx, ebx 0x10078dc6b <+45>: cmp r13, rbx 0x10078dc6e <+48>: jbe 0x10078dcb2 ; <+116> 0x10078dc70 <+50>: mov rax, qword ptr [r12 + 0x40] 0x10078dc75 <+55>: mov rax, qword ptr [rax + 8*rbx] (lldb) bt * thread #1: tid = 0x720797, 0x000000010078dc5f SceneKit`(anonymous namespace)::getAttributeIndex(daeElement&, char const*) + 33, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT) * frame #0: 0x000000010078dc5f SceneKit`(anonymous namespace)::getAttributeIndex(daeElement&, char const*) + 33 frame #1: 0x000000010078edbd SceneKit`daeElement::getID() const + 33 frame #2: 0x000000010041a578 SceneKit`C3DIO_COLLADA_CreateUniqueIDForEntityWithExtraString + 22 frame #3: 0x0000000100413ff0 SceneKit`C3DIO_COLLADA_ReadGeometry(domGeometry*, __C3DLibrary*, __CFArray*, __CFDictionary*, __CFDictionary const*, bool) + 348 frame #4: 0x0000000100415173 SceneKit`C3DIO_COLLADA_ReadGeometryInstance(daeSmartRef<domInstance_geometry>, __C3DLibrary*, __C3DNode*, __CFDictionary const*) + 162 frame #5: 0x000000010042a5ca SceneKit`C3DIO_COLLADA_ReadNode(daeSmartRef<domNode>, __C3DNode*, __C3DLibrary*, __CFDictionary*) + 2056 ``` It is seen that R12 is an out of bounds user controlled value and that this crashing function was called from ReadGeometry assuming the object passed in was a geometry type object. Looking at our DAE file we can see what caused the crash. ``` <node id="Box" name="Box"> <rotate sid="rotateZ">0 0 1 0</rotate> <rotate sid="rotateY">0 1 0 0</rotate> <rotate sid="rotateX">1 0 0 0</rotate> <!-- pointLightShape1 is a light object not a geometry object thus has different properties causing the illegal access --> <instance_geometry url="#pointLightShape1-lib"/> <instance_light url="#ambientLight-lib"/> </node> ``` By looking at the DAE file itself the problem becomes readily apparent. If an attacker was able to shape an object in such a way as to bypass this illegal access and continue on to the virtual call they could gain full remote code execution. ### CRASH INFORMATION ``` Crashed thread log = : Dispatch queue: com.apple.main-thread 0 com.apple.SceneKit 0x000000010be9dc5f (anonymous namespace)::getAttributeIndex(daeElement&, char const*) + 33 1 com.apple.SceneKit 0x000000010be9edbd daeElement::getID() const + 33 2 com.apple.SceneKit 0x000000010bb2a578 C3DIO_COLLADA_CreateUniqueIDForEntityWithExtraString + 22 3 com.apple.SceneKit 0x000000010bb23ff0 C3DIO_COLLADA_ReadGeometry(domGeometry*, __C3DLibrary*, __CFArray*, __CFDictionary*, __CFDictionary const*, bool) + 348 4 com.apple.SceneKit 0x000000010bb25173 C3DIO_COLLADA_ReadGeometryInstance(daeSmartRef<domInstance_geometry>, __C3DLibrary*, __C3DNode*, __CFDictionary const*) + 162 5 com.apple.SceneKit 0x000000010bb3a5ca C3DIO_COLLADA_ReadNode(daeSmartRef<domNode>, __C3DNode*, __C3DLibrary*, __CFDictionary*) + 2056 6 com.apple.SceneKit 0x000000010bb28ae6 C3DIO_COLLADA_LoadScene + 6010 7 com.apple.SceneKit 0x000000010bb3c10f C3DSceneSourceCreateSceneAtIndex + 301 8 com.apple.SceneKit 0x000000010bc31348 -[SCNSceneSource _createSceneRefWithOptions:statusHandler:] + 1056 9 com.apple.SceneKit 0x000000010bc31b20 -[SCNSceneSource _sceneWithClass:options:statusHandler:] + 838 10 com.apple.SceneKit 0x000000010bc31d63 -[SCNSceneSource sceneWithClass:options:statusHandler:] + 39 11 com.apple.Preview 0x000000010b7607dd 0x10b716000 + 305117 12 com.apple.Preview 0x000000010b71b731 0x10b716000 + 22321 13 com.apple.Preview 0x000000010b809fb6 0x10b716000 + 999350 14 libdispatch.dylib 0x00007fff9c53693d _dispatch_call_block_and_release + 12 15 libdispatch.dylib 0x00007fff9c52b40b _dispatch_client_callout + 8 16 libdispatch.dylib 0x00007fff9c53ec1c _dispatch_main_queue_callback_4CF + 1685 17 com.apple.CoreFoundation 0x00007fff8e4a39e9 __CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__ + 9 18 com.apple.CoreFoundation 0x00007fff8e4628dd __CFRunLoopRun + 1949 19 com.apple.CoreFoundation 0x00007fff8e461ed8 CFRunLoopRunSpecific + 296 20 com.apple.HIToolbox 0x00007fff95160935 RunCurrentEventLoopInMode + 235 21 com.apple.HIToolbox 0x00007fff9516076f ReceiveNextEventCommon + 432 22 com.apple.HIToolbox 0x00007fff951605af _BlockUntilNextEventMatchingListInModeWithFilter + 71 23 com.apple.AppKit 0x00007fff9971aefa _DPSNextEvent + 1067 24 com.apple.AppKit 0x00007fff9971a32a -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454 25 com.apple.AppKit 0x00007fff9970ee84 -[NSApplication run] + 682 26 com.apple.AppKit 0x00007fff996d846c NSApplicationMain + 1176 27 libdyld.dylib 0x00007fff911725ad start + 1 log name is: ./crashlogs/_Users_t_Downloads_dae-report_type_confusion_dae.crashlog.txt --- exception=EXC_BAD_ACCESS:signal=11:is_exploitable= no:instruction_disassembly=movq CONSTANT(%r12),%r13:instruction_address=0x000000010be9dc5f:access_type=read:access_address=0x0000000000000000: The exception code indicates that the access address was invalid in the 64-bit ABI (it was > 0x0000800000000000). Crash accessing invalid address. Consider running it again with libgmalloc(3) to see if the log changes. + EXIT_VALUE=11 + exit 11 ``` ### TIMELINE * 2016-05-16 - Vendor Disclosure * 2016-07-18 - Patch released |
id | SSV:96726 |
last seen | 2017-11-19 |
modified | 2017-10-17 |
published | 2017-10-17 |
reporter | Root |
title | Apple OS X Scene Kit DAE XML Code Execution Vulnerability(CVE-2016-1850) |
Talos
id | TALOS-2016-0183 |
last seen | 2019-05-29 |
published | 2016-07-18 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0183 |
title | Apple OS X Scene Kit DAE XML Code Execution Vulnerability |
References
- http://lists.apple.com/archives/security-announce/2016/May/msg00004.html
- http://lists.apple.com/archives/security-announce/2016/May/msg00004.html
- http://www.securityfocus.com/bid/90696
- http://www.securityfocus.com/bid/90696
- http://www.securitytracker.com/id/1035895
- http://www.securitytracker.com/id/1035895
- https://support.apple.com/HT206567
- https://support.apple.com/HT206567