CVE-2016-4629 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple Mac OS X

CVSS 10.0 - CRITICAL (CVSS v2 vector AV:N/AC:L/Au:N/C:C/I:C/A:C)
Attack vector: NETWORK
Attack complexity: LOW
Privileges required (authentication): NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, low complexity, apple, CWE-119, critical, nessus

Summary

ImageIO in Apple OS X before 10.11.6 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted xStride and yStride values in an EXR image. The CVSS v2 score above treats the image as network-delivered content; Talos's own CVSSv3 rating for the same bug is 6.4 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L), reflecting that a victim has to open the crafted EXR file in an application that renders through Image I/O, such as Preview. Apple fixed it in OS X 10.11.6 and, for 10.9.5 and 10.10.5, in Security Update 2016-004 (APPLE-SA-2016-07-18-1, HT206903).

Vulnerable Configurations

Part  Description  Count
OS    Apple        98

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_10_11_6.NASL
    description: The remote host is running a version of Mac OS X that is 10.11.x prior to 10.11.6. It is, therefore, affected by multiple vulnerabilities in the following components: apache_mod_php, Audio, bsdiff, CFNetwork, CoreGraphics, FaceTime, Graphics Drivers, ImageIO, Intel Graphics Driver, IOHIDFamily, IOKit, IOSurface, Kernel, libc++abi, libexpat, LibreSSL, libxml2, libxslt, Login Window, OpenSSL, QuickTime, Safari Login AutoFill, Sandbox Profiles. Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 92496
    published: 2016-07-21
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/92496
    title: Mac OS X 10.11.x < 10.11.6 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(92496);
      script_version("1.13");
      script_cvs_date("Date: 2019/11/19");
    
      script_cve_id(
        "CVE-2013-7456",
        "CVE-2014-9862",
        "CVE-2016-0718",
        "CVE-2016-1684",
        "CVE-2016-1836",
        "CVE-2016-1863",
        "CVE-2016-1864",
        "CVE-2016-1865",
        "CVE-2016-2105",
        "CVE-2016-2106",
        "CVE-2016-2107",
        "CVE-2016-2108",
        "CVE-2016-2109",
        "CVE-2016-2176",
        "CVE-2016-4447",
        "CVE-2016-4448",
        "CVE-2016-4449",
        "CVE-2016-4483",
        "CVE-2016-4582",
        "CVE-2016-4594",
        "CVE-2016-4595",
        "CVE-2016-4596",
        "CVE-2016-4597",
        "CVE-2016-4598",
        "CVE-2016-4599",
        "CVE-2016-4600",
        "CVE-2016-4601",
        "CVE-2016-4602",
        "CVE-2016-4607",
        "CVE-2016-4608",
        "CVE-2016-4609",
        "CVE-2016-4610",
        "CVE-2016-4612",
        "CVE-2016-4614",
        "CVE-2016-4615",
        "CVE-2016-4616",
        "CVE-2016-4619",
        "CVE-2016-4621",
        "CVE-2016-4625",
        "CVE-2016-4626",
        "CVE-2016-4629",
        "CVE-2016-4630",
        "CVE-2016-4631",
        "CVE-2016-4632",
        "CVE-2016-4633",
        "CVE-2016-4634",
        "CVE-2016-4635",
        "CVE-2016-4637",
        "CVE-2016-4638",
        "CVE-2016-4639",
        "CVE-2016-4640",
        "CVE-2016-4641",
        "CVE-2016-4645",
        "CVE-2016-4646",
        "CVE-2016-4647",
        "CVE-2016-4648",
        "CVE-2016-4649",
        "CVE-2016-4650",
        "CVE-2016-4652",
        "CVE-2016-5093",
        "CVE-2016-5094",
        "CVE-2016-5096"
      );
      script_bugtraq_id(
        90856,
        90857,
        90859,
        90861,
        90864,
        90865,
        90876,
        90946,
        91824,
        91826,
        91828,
        91829,
        91834,
        92034
      );
      script_xref(name:"APPLE-SA", value:"APPLE-SA-2016-07-18-1");
    
      script_name(english:"Mac OS X 10.11.x < 10.11.6 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of Mac OS X.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a Mac OS X security update that fixes
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote host is running a version of Mac OS X that is 10.11.x prior
    to 10.11.6. It is, therefore, affected by multiple vulnerabilities in
    the following components :
    
      - apache_mod_php
      - Audio
      - bsdiff
      - CFNetwork
      - CoreGraphics
      - FaceTime
      - Graphics Drivers
      - ImageIO
      - Intel Graphics Driver
      - IOHIDFamily
      - IOKit
      - IOSurface
      - Kernel
      - libc++abi
      - libexpat
      - LibreSSL
      - libxml2
      - libxslt
      - Login Window
      - OpenSSL
      - QuickTime
      - Safari Login AutoFill
      - Sandbox Profiles
    
    Note that successful exploitation of the most serious issues can
    result in arbitrary code execution.");
      script_set_attribute(attribute:"see_also", value:"http://support.apple.com/en-us/HT206903");
      # http://lists.apple.com/archives/security-announce/2016/Jul/msg00000.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5da74f53");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Mac OS X 10.11.6 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-4629");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/07/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/21");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
      script_require_ports("Host/MacOSX/Version", "Host/OS");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    os = get_kb_item("Host/MacOSX/Version");
    if (!os)
    {
      os = get_kb_item_or_exit("Host/OS");
      if ("Mac OS X" >!< os) audit(AUDIT_OS_NOT, "Mac OS X");
    
      c = get_kb_item("Host/OS/Confidence");
      if (c <= 70) exit(1, "Can't determine the host's OS with sufficient confidence.");
    }
    if (!os) audit(AUDIT_OS_NOT, "Mac OS X");
    
    
    match = eregmatch(pattern:"Mac OS X ([0-9]+(\.[0-9]{1,2})+)", string:os);
    if (isnull(match)) exit(1, "Failed to parse the Mac OS X version ('" + os + "').");
    
    version = match[1];
    if (!ereg(pattern:"^10\.11([^0-9]|$)", string:version)) audit(AUDIT_OS_NOT, "Mac OS X 10.11", "Mac OS X "+version);
    
    fixed_version = "10.11.6";
    if (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)
    {
          report = '\n  Installed version : ' + version +
                   '\n  Fixed version     : ' + fixed_version +
                   '\n';
          security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);
    }
    else exit(0, "The host is not affected as it is running Mac OS X "+version+".");
    
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_SECUPD2016-004.NASL
    description: The remote host is running a version of Mac OS X that is 10.9.5 or 10.10.5 and is missing Security Update 2016-004. It is, therefore, affected by multiple vulnerabilities in the following components: apache_mod_php (affects 10.10.5 only), CoreGraphics, ImageIO, libxml2, libxslt. Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 92497
    published: 2016-07-21
    reporter: This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/92497
    title: Mac OS X 10.9.5 and 10.10.5 Multiple Vulnerabilities (Security Update 2016-004)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(92497);
      script_version("1.9");
      script_cvs_date("Date: 2018/07/14  1:59:36");
    
      script_cve_id(
        "CVE-2013-7456",
        "CVE-2016-1684",
        "CVE-2016-1836",
        "CVE-2016-4447",
        "CVE-2016-4448",
        "CVE-2016-4449",
        "CVE-2016-4483",
        "CVE-2016-4607",
        "CVE-2016-4608",
        "CVE-2016-4609",
        "CVE-2016-4610",
        "CVE-2016-4612",
        "CVE-2016-4614",
        "CVE-2016-4615",
        "CVE-2016-4616",
        "CVE-2016-4619",
        "CVE-2016-4629",
        "CVE-2016-4630",
        "CVE-2016-4637",
        "CVE-2016-4650",
        "CVE-2016-5093",
        "CVE-2016-5094",
        "CVE-2016-5096"
      );
      script_bugtraq_id(
        90856,
        90857,
        90859,
        90861,
        90864,
        90865,
        90876,
        90946,
        91824,
        91826,
        91834,
        92034
      );
      script_xref(name:"APPLE-SA", value:"APPLE-SA-2016-05-16-4");
    
      script_name(english:"Mac OS X 10.9.5 and 10.10.5 Multiple Vulnerabilities (Security Update 2016-004)");
      script_summary(english:"Checks for the presence of Security Update 2016-004.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a Mac OS X update that fixes multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote host is running a version of Mac OS X that is 10.9.5 or
    10.10.5 and is missing Security Update 2016-004. It is, therefore,
    affected by multiple vulnerabilities in the following components :
    
      - apache_mod_php (affects 10.10.5 only)
      - CoreGraphics
      - ImageIO
      - libxml2
      - libxslt
    
    Note that successful exploitation of the most serious issues can
    result in arbitrary code execution.");
      script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT206903");
      # http://lists.apple.com/archives/security-announce/2016/Jul/msg00000.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5da74f53");
      script_set_attribute(attribute:"solution", value:
    "Install Security Update 2016-004 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/07/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/21");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version", "Host/MacOSX/packages/boms");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    patch = "2016-004";
    
    # Compare 2 patch numbers to determine if patch requirements are satisfied.
    # Return true if this patch or a later patch is applied
    # Return false otherwise
    function check_patch(year, number)
    {
      local_var p_split = split(patch, sep:"-");
      local_var p_year  = int( p_split[0]);
      local_var p_num   = int( p_split[1]);
    
      if (year >  p_year) return TRUE;
      else if (year <  p_year) return FALSE;
      else if (number >=  p_num) return TRUE;
      else return FALSE;
    }
    
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    os = get_kb_item("Host/MacOSX/Version");
    if (!os)
      audit(AUDIT_OS_NOT, "Mac OS X");
    
    if (!ereg(pattern:"Mac OS X 10\.(10|9)\.5([^0-9]|$)", string:os))
      audit(AUDIT_OS_NOT, "Mac OS X 10.9.5 or 10.10.5");
    
    packages = get_kb_item_or_exit("Host/MacOSX/packages/boms", exit_code:1);
    sec_boms_report = egrep(pattern:"^com\.apple\.pkg\.update\.security\..*bom$", string:packages);
    sec_boms = split(sec_boms_report, sep:'\n');
    
    foreach package (sec_boms)
    {
      # Grab patch year and number
      match = eregmatch(pattern:"[^0-9](20[0-9][0-9])[-.]([0-9]{3})[^0-9]", string:package);
      if (empty_or_null(match[1]) || empty_or_null(match[2]))
        continue;
    
      patch_found = check_patch(year:int(match[1]), number:int(match[2]));
      if (patch_found) exit(0, "The host has Security Update " + patch + " or later installed and is therefore not affected.");
    }
    
    report =  '\n  Missing security update : ' + patch;
    report += '\n  Installed security BOMs : ';
    if (sec_boms_report) report += str_replace(find:'\n', replace:'\n                            ', string:sec_boms_report);
    else report += 'n/a';
    report += '\n';
    
    security_report_v4(port:0, severity:SECURITY_HOLE, extra:report);
    

Seebug

bulletinFamily: exploit
description:

### SUMMARY

An exploitable heap-based buffer overflow exists in the handling of EXR images on OS X. A crafted EXR document can lead to a heap-based buffer overflow resulting in remote code execution. The vulnerability can be triggered via a saved EXR file delivered by other means when opened in any application using the Apple Image I/O API.

### TESTED VERSIONS

OSX El Capitan - 10.11.4

### PRODUCT URLs

https://developer.apple.com/osx/download

### CVSSv3 SCORE

6.4 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L

### DETAILS

This vulnerability is present in the Apple Image I/O API which is used for all image handling on OS X including rendering images in Preview. There exists a vulnerability in the parsing and handling of EXR images. A specially crafted EXR image file can lead to an out of bounds write and ultimately to remote code execution.

OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light & Magic for use in computer imaging applications and is used in all motion pictures currently in production. EXR uses 16-bit floating-point color component values. Since the IEEE-754 floating-point specification does not define a 16-bit format, EXR created the "half" format. Half values have 1 sign bit, 5 exponent bits, and 10 mantissa bits. This information is then read in as rows of x and y coordinates to draw the image. The vulnerability arises when the values read in are not properly sanitized. The relevant code for the reading of the image is shown below.

```
for (int y = yStart; y <= maxYThisRow; y += toSlice.ySampling)
{
    //
    // Set the pointers to the start of the y scanline in
    // this row of tiles
    //

    fromPtr = fromSlice.base +
              (y - tileRange.min.y) * fromSlice.yStride +
              xStart * fromSlice.xStride;

    toPtr = toSlice.base +
            divp (y, toSlice.ySampling) * toSlice.yStride +
            divp (xStart, toSlice.xSampling) * toSlice.xStride;      // [1]

    //
    // Copy all pixels for the scanline in this row of tiles
    //

    for (int x = xStart; x <= levelRange.max.x; x += toSlice.xSampling)
    {
        for (int i = 0; i < size; ++i)
            toPtr[i] = fromPtr[i];

        fromPtr += fromSlice.xStride * toSlice.xSampling;
        toPtr   += toSlice.xStride;
    }
}
```

The problem here arises when toPtr is calculated, [1], and the values of xStride and yStride are user controlled. If these variables are signed it causes the resulting calculation to be sign extended and points the destination buffer out of bounds. Shown below is where the toPtr is calculated and the corresponding values.

```
RAX: 0xFFFFFFFFDEDEDE00  RBX: 0x00000000DEDEDE00  RBP: 0x00007FFF5FBFA200  RSP: 0x00007FFF5FBFA120  o d I t S z a p c
RDI: 0x00000000DEDEDEDE  RSI: 0x0000000000000002  RDX: 0x0000000196C68D20  RCX: 0xFFFFFE3242423620
RIP: 0x0000000168475097  R8:  0x0000000196C68D20  R9:  0x0000000000000002  R10: 0x00000000DEDEDEDE
R11: 0x00000000DEDEDE00  R12: 0x0000000100000001  R13: 0x0000000000000002  R14: 0x0000000000000010
R15: 0x00000000DEDEDEDE

libOpenEXR.dylib`Imf_2_2::InputFile::readPixels:
->  0x168475097 <+1041>: imul   rax, r14
    0x16847509b <+1045>: add    rax, rcx
    0x16847509e <+1048>: add    rax, qword ptr [rbp - 0x78]      [1]
    0x1684750a2 <+1052>: mov    edi, dword ptr [rbp - 0x4c]
    0x1684750a5 <+1055>: mov    ecx, 0x0
    0x1684750aa <+1060>: test   r9d, r9d
    0x1684750ad <+1063>: jle    0x1684750c1               ; <+1083>
    0x1684750af <+1065>: mov    bl, byte ptr [rdx + rcx]
```

Notice RAX is sign extended and contains a very large negative value. When the base of the buffer is added to it, [1], it is pointing well out of bounds, causing an out of bounds write.

With proper calculation and set up this vulnerability could potentially be leveraged into a remote code execution vulnerability and give an attacker full control. The resulting crash is shown below.

```
RAX: 0xFFFFFE3196C5C21C  RBX: 0x00000000DEDEDEAA  RBP: 0x00007FFF5FBFA200  RSP: 0x00007FFF5FBFA120  o d I t s z a p c
RDI: 0x00000000DEDEDE00  RSI: 0x0000000000000002  RDX: 0x0000000196C68D20  RCX: 0x0000000000000000
RIP: 0x00000001684750B2  R8:  0x0000000196C68D20  R9:  0x0000000000000002  R10: 0x00000000DEDEDEDE
R11: 0x00000000DEDEDE00  R12: 0x0000000100000001  R13: 0x0000000000000002  R14: 0x0000000000000010
R15: 0x00000000DEDEDEDE

libOpenEXR.dylib`Imf_2_2::InputFile::readPixels:
->  0x1684750b2 <+1068>: mov    byte ptr [rax + rcx], bl
    0x1684750b5 <+1071>: add    rcx, 0x1
    0x1684750b9 <+1075>: cmp    esi, ecx
    0x1684750bb <+1077>: jne    0x1684750af               ; <+1065>
    0x1684750bd <+1079>: mov    r15d, dword ptr [rbp - 0x30]
    0x1684750c1 <+1083>: add    rdx, r13
    0x1684750c4 <+1086>: add    rax, r14
    0x1684750c7 <+1089>: add    edi, r12d
```

### CRASH INFORMATION

```
Crashed thread log = :
Dispatch queue: com.apple.main-thread
0   libOpenEXR.dylib              0x00000001068b20b2 Imf_2_2::InputFile::readPixels(int, int) + 1068
1   libOpenEXR.dylib              0x000000010693c7d6 exrReadRGBFloat(char const*, int*, int*, unsigned int*, void*) + 621
2   com.apple.ImageIO.framework   0x00007fff8d3460cf copyImageBlockSetOpenEXR + 856
3   com.apple.ImageIO.framework   0x00007fff8d2f40f4 ImageProviderCopyImageBlockSetCallback + 651
4   com.apple.CoreGraphics        0x00007fff93f15cb4 CGImageProviderCopyImageBlockSetWithOptions + 132
5   com.apple.CoreGraphics        0x00007fff93f1739c CGImageProviderCopyImageBlockSet + 205
6   com.apple.CoreGraphics        0x00007fff93f4e7fd img_blocks_create + 517
7   com.apple.CoreGraphics        0x00007fff93f19c9f img_data_lock + 1788
8   com.apple.CoreGraphics        0x00007fff93f186c7 CGSImageDataLock + 151
9   libRIP.A.dylib                0x00007fff933ee1d4 ripc_AcquireImage + 972
10  libRIP.A.dylib                0x00007fff933ecc7e ripc_DrawImage + 1011
11  com.apple.CoreGraphics        0x00007fff93f17c48 CGContextDrawImageWithOptions + 571
12  com.apple.CoreGraphics        0x00007fff93f179f1 CGContextDrawImage + 51
13  com.apple.ImageIO.framework   0x00007fff8d31579e CGImageCreateCopyWithParametersNew + 2575
14  com.apple.ImageIO.framework   0x00007fff8d314b95 CGImageSourceCreateThumbnailAtIndex + 3821
15  com.apple.imageKit            0x00007fff8b1ce044 -[IKImageContentView _newCGImageFromImgSrc:index:displayProperties:imageScale:createBitmapImmediately:] + 747
16  com.apple.imageKit            0x00007fff8b1ce49c __69-[IKImageContentView setImageURL:imageAtIndex:withDisplayProperties:]_block_invoke + 57
17  com.apple.imageKit            0x00007fff8b1ce38b -[IKImageContentView setImageURL:imageAtIndex:withDisplayProperties:] + 799
18  com.apple.Preview             0x0000000101626162 0x10160b000 + 110946
19  com.apple.Preview             0x000000010161fe5d 0x10160b000 + 85597
20  com.apple.Preview             0x0000000101616b47 0x10160b000 + 47943
21  com.apple.AppKit              0x00007fff9978ea2b -[NSWindowController _windowDidLoad] + 592
22  com.apple.AppKit              0x00007fff9972b542 -[NSWindowController window] + 110
23  com.apple.Preview             0x0000000101614d9a 0x10160b000 + 40346
24  com.apple.AppKit              0x00007fff9991b03d -[NSWindowController showWindow:] + 36
25  com.apple.Preview             0x000000010161619e 0x10160b000 + 45470
26  com.apple.Foundation          0x00007fff97316f4e -[NSObject(NSThreadPerformAdditions) performSelector:onThread:withObject:waitUntilDone:modes:] + 1115
27  com.apple.Foundation          0x00007fff97316a75 -[NSObject(NSThreadPerformAdditions) performSelectorOnMainThread:withObject:waitUntilDone:] + 131
28  com.apple.Preview             0x00000001016160df 0x10160b000 + 45279
29  com.apple.Preview             0x0000000101614f13 0x10160b000 + 40723
30  com.apple.Preview             0x00000001016ffdfe 0x10160b000 + 1003006
31  libdispatch.dylib             0x00007fff9c53693d _dispatch_call_block_and_release + 12
32  libdispatch.dylib             0x00007fff9c52b40b _dispatch_client_callout + 8
33  libdispatch.dylib             0x00007fff9c53ec1c _dispatch_main_queue_callback_4CF + 1685
34  com.apple.CoreFoundation      0x00007fff8e4a39e9 __CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__ + 9
35  com.apple.CoreFoundation      0x00007fff8e4628dd __CFRunLoopRun + 1949
36  com.apple.CoreFoundation      0x00007fff8e461ed8 CFRunLoopRunSpecific + 296
37  com.apple.HIToolbox           0x00007fff95160935 RunCurrentEventLoopInMode + 235
38  com.apple.HIToolbox           0x00007fff9516076f ReceiveNextEventCommon + 432
39  com.apple.HIToolbox           0x00007fff951605af _BlockUntilNextEventMatchingListInModeWithFilter + 71
40  com.apple.AppKit              0x00007fff9971aefa _DPSNextEvent + 1067
41  com.apple.AppKit              0x00007fff9971a32a -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454
42  com.apple.AppKit              0x00007fff9970ee84 -[NSApplication run] + 682
43  com.apple.AppKit              0x00007fff996d846c NSApplicationMain + 1176
44  libdyld.dylib                 0x00007fff911725ad start + 1

---
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movb %bl,(%rax,%rcx):instruction_address=0x00000001068b20b2:access_type=write:access_address=0x00007e214703dc0c:
Crash accessing invalid address.
Consider running it again with libgmalloc(3) to see if the log changes.
bootstrap_look_up: (os/kern) unknown error code (44e)
+ EXIT_VALUE=255
+ exit 255
```

### TIMELINE

* 2016-05-16 - Vendor Disclosure
* 2016-07-18 - Public Release
id: SSV:96730
last seen: 2017-11-19
modified: 2017-10-17
published: 2017-10-17
reporter: Root
title: Apple Image I/O EXR Color Component Remote Code Execution Vulnerability (CVE-2016-4629)
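The sign-extension problem Talos describes in the readPixels() excerpt, shown as an added example in C. This is not Talos's, Apple's or OpenEXR's code: it models the destination offset computed at [1] with the file-supplied strides taken as 32-bit signed values (the advisory's hypothesis), uses a floor-division helper written here in the spirit of OpenEXR's divp, simplifies the source slice to tightly packed pixels, and then puts the same copy loop behind a bounds check that refuses the whole scanline before any byte is written. The function names, the 64-byte slices and the 0xDEDEDE00 stride value are constructed for the demonstration, the latter taken from the register dump above rather than from a real file.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Floor division (rounds toward negative infinity), written here in the
   spirit of the divp() helper the excerpt calls. Assumes y > 0. */
static int divp(int x, int y)
{
    return (x >= 0) ? (x / y) : -((y - x - 1) / y);
}

/* The byte offset the excerpt adds to toSlice.base at [1]:
   divp(y, ySampling) * yStride + divp(xStart, xSampling) * xStride.
   With strides modelled as int32_t (the advisory's "if these variables are
   signed"), a stride such as 0xDEDEDE00 is negative, and the product stays
   negative when widened to the 64-bit pointer arithmetic. */
int64_t unchecked_to_offset(int y, int ySampling, int xStart, int xSampling,
                            int32_t yStride, int32_t xStride)
{
    return (int64_t)divp(y, ySampling) * (int64_t)yStride +
           (int64_t)divp(xStart, xSampling) * (int64_t)xStride;
}

/* Hardened scanline copy: every pixel's destination window [off, off+size)
   must lie inside [0, dst_len). The source is modelled as packed pixels of
   `size` bytes (a simplification of fromSlice). Returns 0 on success and -1
   when any pixel would land outside either buffer; nothing is written then. */
int copy_scanline_checked(uint8_t *dst, size_t dst_len,
                          const uint8_t *src, size_t src_len,
                          int y, int ySampling, int xStart, int xEnd,
                          int xSampling, int32_t yStride, int32_t xStride,
                          size_t size)
{
    if (xSampling <= 0 || ySampling <= 0 || size == 0)
        return -1;                              /* would loop forever / copy nothing */

    int64_t off = unchecked_to_offset(y, ySampling, xStart, xSampling,
                                      yStride, xStride);

    /* Pass 1: validate the whole scanline so a bad file causes no partial write. */
    int64_t probe = off;
    size_t npix = 0;
    for (int x = xStart; x <= xEnd; x += xSampling, ++npix) {
        if (probe < 0 || (uint64_t)probe > dst_len ||
            dst_len - (size_t)probe < size)
            return -1;                          /* before, or past, the slice */
        probe += xStride;
    }
    if (npix > src_len / size)
        return -1;                              /* source too short */

    /* Pass 2: the copy loop from the excerpt, now known to be in bounds. */
    size_t src_off = 0;
    for (int x = xStart; x <= xEnd; x += xSampling) {
        memcpy(dst + off, src + src_off, size);
        off += xStride;
        src_off += size;
    }
    return 0;
}

/* Benign layout: 4-byte pixels, 16-byte row stride, scanline y=1, pixels 0..3
   into a 64-byte slice. Returns 1 if the copy landed exactly on bytes 16..31. */
int demo_benign(void)
{
    uint8_t dst[64] = {0};
    uint8_t src[64];
    for (int i = 0; i < 64; i++) src[i] = (uint8_t)i;   /* constructed input */

    int rc = copy_scanline_checked(dst, sizeof dst, src, sizeof src,
                                   1, 1, 0, 3, 1, 16, 4, 4);
    return rc == 0 && dst[15] == 0 && dst[17] == 1 && dst[19] == 3 &&
           dst[31] == 15 && dst[32] == 0;
}

/* The advisory's pattern: yStride carries 0xDEDEDE00 from the file. As a
   32-bit signed value that is -555819520, so the unchecked offset points
   hundreds of megabytes before the slice; the checked copy returns -1. */
int demo_crafted_stride(void)
{
    uint8_t dst[64] = {0};
    uint8_t src[64] = {0};
    int32_t yStride = (int32_t)0xDEDEDE00u;     /* two's complement: -555819520 */
    return copy_scanline_checked(dst, sizeof dst, src, sizeof src,
                                 1, 1, 0, 3, 1, yStride, 4, 4);
}

/* Positive direction: xEnd = 4 puts a fifth 4-byte pixel at offset 32 of a
   32-byte slice, one pixel past the end, so the copy is refused as well. */
int demo_overrun_end(void)
{
    uint8_t dst[32] = {0};
    uint8_t src[64] = {0};
    return copy_scanline_checked(dst, sizeof dst, src, sizeof src,
                                 1, 1, 0, 4, 1, 16, 4, 4);
}

int main(void)
{
    printf("unchecked offset for yStride 0xDEDEDE00: %lld\n",
           (long long)unchecked_to_offset(1, 1, 0, 1, (int32_t)0xDEDEDE00u, 4));
    printf("benign copy ok: %d\n", demo_benign());
    printf("crafted stride refused (-1): %d\n", demo_crafted_stride());
    printf("end overrun refused (-1): %d\n", demo_overrun_end());
    return 0;
}
```

The point of the two-pass structure is that the check must cover the whole destination window of every pixel, in both directions: the negative case is the one in the crash log, but a large positive stride walks off the end of the slice just as readily, and a per-byte check inside the copy loop would still leave earlier bytes written when it finally fails.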

Talos

id: TALOS-2016-0180
last seen: 2019-05-29
published: 2016-07-18
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0180
title: Apple Image I/O EXR Color Component Remote Code Execution Vulnerability