Apple OS X ATSServer CFF CharStrings INDEX Sign Mismatch Vulnerability

Summary

Apple Type Services is prone to memory corruption due to a sign mismatch vulnerability when handling the last offset value of the CharStrings INDEX structure.

Credit:

The information has been provided by Anibal Sacco and Matias Eissler.
The original article can be found at: http://www.coresecurity.com/content/Apple-OSX-ATSServer-CharStrings-Sign-Mismatch


Details

Vulnerable Systems:
 * Apple Mac OSX v10.5.x

Immune Systems:
 * Apple Mac OSX v10.6

This vulnerability could be used by a remote attacker to execute arbitrary code by enticing a user of Mac OS X v10.5.x to view or download a PDF document containing an embedded malicious CFF (Compact Font Format) font.

This vulnerability is a variation of the vulnerability labeled CVE-2010-1797 (the FreeType bug used by the JailbreakMe iPhone exploit).

When a PDF with an embedded CFF font is loaded, a sign mismatch error occurs in ATSServer when handling the last offset value of the CharStrings INDEX structure.

This could be triggered in different ways:

– When trying to make a thumbnail of the file
– When trying to open the file with the Preview app
– Serving the file from a web server and tricking the user into clicking on it
– Embedded in an email (if handled by Mail.app)

This allows an attacker to corrupt the process memory by controlling the size parameter of a memcpy function call, which can lead to code execution.
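The advisory does not publish ATSServer's code, so the following is an added illustration, not Core's or Apple's code, of the general class of bug described above: a CFF INDEX (a Card16 count, a one-byte offSize, count+1 big-endian 1-based offsets, then the data) whose last offset is read into a signed integer, so that a length derived from it can be negative, pass a signed "fits in the buffer" test, and still be handed to memcpy as a huge size_t. Both INDEX byte strings are constructed sample input; the two function names are hypothetical. The hardened parser beside the buggy pattern shows the checks a defender would want: unsigned arithmetic, every read bounded by the INDEX length, monotonic offsets, and the derived data length compared against both the available bytes and the destination capacity.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Read a big-endian unsigned integer of n (1..4) bytes, the CFF OffSize encoding. */
static uint32_t read_be(const uint8_t *p, unsigned n) {
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++) v = (v << 8) | p[i];
    return v;
}

/* Constructed well-formed INDEX: count=2, offSize=1, offsets [1,3,6], data "abcde" (5 bytes). */
static const uint8_t GOOD_INDEX[] = { 0x00, 0x02, 0x01, 0x01, 0x03, 0x06, 'a', 'b', 'c', 'd', 'e' };

/* Constructed malformed INDEX: count=1, offSize=4, offsets [1, 0xFFFFFFF0], no data at all.
 * The last offset has its top bit set, so read as a signed 32-bit int it is negative. */
static const uint8_t BAD_INDEX[]  = { 0x00, 0x01, 0x04, 0x00, 0x00, 0x00, 0x01,
                                      0xFF, 0xFF, 0xFF, 0xF0 };

/*
 * Buggy pattern (illustrative only, not ATSServer's code). The last offset is
 * stored in a signed int, the data length is derived from it, and the only
 * guard is a signed comparison against the destination capacity. Returns 0 if
 * the guard passed (the copy would proceed with *len_out), -1 if rejected.
 * The memcpy itself is deliberately not performed.
 */
int buggy_charstrings_len(const uint8_t *idx, size_t idx_len, int capacity, int *len_out) {
    if (idx_len < 3) return -1;
    uint32_t count = read_be(idx, 2);
    unsigned off_size = idx[2];
    if (off_size < 1 || off_size > 4) return -1;
    size_t last_pos = 3 + (size_t)count * off_size;
    if (last_pos + off_size > idx_len) return -1;
    int last = (int)read_be(idx + last_pos, off_size); /* sign mismatch: 0xFFFFFFF0 -> -16 */
    int len = last - 1;                                /* negative length */
    if (len > capacity) return -1;                     /* negative len passes this test */
    *len_out = len;                                    /* would become memcpy(dst, data, (size_t)len) */
    return 0;
}

/*
 * Hardened version: unsigned arithmetic throughout, every read bounded by
 * idx_len, offsets required to start at 1 and be non-decreasing, and the
 * resulting data length checked against both the bytes actually present in
 * the INDEX and the destination capacity. Returns 0 on success, -1 on reject.
 */
int safe_charstrings_len(const uint8_t *idx, size_t idx_len, size_t capacity, size_t *out_len) {
    if (idx_len < 2) return -1;
    uint32_t count = read_be(idx, 2);
    if (count == 0) { *out_len = 0; return 0; }        /* empty INDEX is just the count */
    if (idx_len < 3) return -1;
    unsigned off_size = idx[2];
    if (off_size < 1 || off_size > 4) return -1;
    size_t arr_len = (size_t)(count + 1) * off_size;    /* count+1 offsets */
    if (idx_len - 3 < arr_len) return -1;               /* offset array must fit */
    const uint8_t *offs = idx + 3;
    uint32_t prev = read_be(offs, off_size);
    if (prev != 1) return -1;                           /* CFF: first offset is always 1 */
    for (uint32_t i = 1; i <= count; i++) {
        uint32_t cur = read_be(offs + (size_t)i * off_size, off_size);
        if (cur < prev) return -1;                      /* offsets must not go backwards */
        prev = cur;
    }
    size_t data_len = prev - 1;                         /* last offset - 1 = total data bytes */
    size_t data_avail = idx_len - 3 - arr_len;
    if (data_len > data_avail || data_len > capacity) return -1;
    *out_len = data_len;
    return 0;
}

int main(void) {
    int blen = 0; size_t slen = 0;
    printf("buggy  GOOD: rc=%d len=%d\n", buggy_charstrings_len(GOOD_INDEX, sizeof GOOD_INDEX, 64, &blen), blen);
    printf("buggy  BAD : rc=%d len=%d\n", buggy_charstrings_len(BAD_INDEX, sizeof BAD_INDEX, 64, &blen), blen);
    printf("safe   GOOD: rc=%d len=%zu\n", safe_charstrings_len(GOOD_INDEX, sizeof GOOD_INDEX, 64, &slen), slen);
    printf("safe   BAD : rc=%d\n", safe_charstrings_len(BAD_INDEX, sizeof BAD_INDEX, 64, &slen));
    return 0;
}
```

On the malformed sample the buggy path reports success with a length of -17, which memcpy would interpret as a size_t close to 4 GiB; the hardened path rejects it because the derived length exceeds the zero data bytes actually present. Keeping every size in an unsigned type and checking it against the real remaining length of the buffer, rather than only against the destination, is what closes this class of bug.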

Patch Availability:
For further information about this issue, see the Apple security updates pages:
Apple security updates
http://support.apple.com/kb/HT1222
Apple security updates are available via the Software Update mechanism:
http://support.apple.com/kb/HT1338
Apple security updates are also available for manual download via:
http://www.apple.com/support/downloads/

CVE Information:
CVE-2010-4010

Disclosure Timeline:
2010-08-26: Vendor contacted
2010-11-01: Apple acknowledges
2010-11-08: Core publishes advisory CORE-2010-0825.

Categories: UNIX