Tuesday, June 19, 2012

iOS and improper aif parsing

Improper handling of aif(c) files leads to a memory access violation in the mediaserverd daemon. The bug is triggered while parsing the FLLR chunks of an aifc file. FLLR (filler) chunks are typically used to align the chunks that follow them to 4 byte boundaries, which improves parsing efficiency. If a padding of length 5 is required, a FLLR chunk followed by a null byte (0x00) is used for alignment; modifying that 0x00 byte causes the crash when the file is parsed. On inspection, exploitability could not be confirmed. Most of the tests were performed on an iPod with iOS 4.2.3 and an iPhone with 5.0.1.
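As an added example (not code from the original post, and not Apple's CoreAudio/mediaserverd parser, whose internals the post does not describe), here is a bounds-checked AIFF-C chunk walker in C. It builds a small constructed AIFC image containing a 5-byte FLLR chunk plus its 0x00 pad byte, then shows the two properties a parser needs for this class of bug: it does not care what value the pad byte holds, and it refuses the file instead of reading past the buffer when the FLLR length field is inflated. The sample contents, chunk offsets and function names are assumptions of this example.

```c
/* Bounds-checked chunk walker for AIFF-C (FORM/AIFC) files.
 * Example added to this post; not Apple's parser. Sample data is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IFF_HDR    8    /* 4-byte chunk ID + 4-byte big-endian length */
#define SAMPLE_CAP 128
#define FLLR_OFF   54   /* 12 + (8+4) + (8+22): FLLR header offset in the sample */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Walks every chunk inside a FORM/AIFC container without reading past
 * buf[len-1]. Returns the chunk count, or -1 for a malformed file.
 * If fillers is non-NULL it receives the number of FLLR chunks seen. */
int walk_aifc(const uint8_t *buf, size_t len, int *fillers) {
    if (fillers) *fillers = 0;
    if (len < 12 || memcmp(buf, "FORM", 4) || memcmp(buf + 8, "AIFC", 4))
        return -1;
    uint32_t form_len = be32(buf + 4);            /* bytes after the FORM header */
    if (form_len < 4 || form_len > len - 8)
        return -1;                                /* container larger than the file */
    size_t end = 8 + (size_t)form_len, off = 12;
    int count = 0;
    while (off < end) {
        if (end - off < IFF_HDR) return -1;       /* truncated chunk header */
        uint32_t clen = be32(buf + off + 4);
        size_t body = off + IFF_HDR;
        if (clen > end - body) return -1;         /* declared length overruns the container */
        size_t next = body + clen + (clen & 1);   /* IFF pads odd-length chunks to even */
        if (next > end) return -1;                /* pad byte missing at end of container */
        if (fillers && memcmp(buf + off, "FLLR", 4) == 0) (*fillers)++;
        /* The pad byte's value is irrelevant to alignment: only the already
         * validated chunk length decides where the next header starts. */
        off = next;
        count++;
    }
    return count;
}

static size_t put_chunk(uint8_t *out, const char *id, const uint8_t *data, uint32_t n) {
    memcpy(out, id, 4);
    put_be32(out + 4, n);
    memcpy(out + IFF_HDR, data, n);
    if (n & 1) out[IFF_HDR + n] = 0x00;           /* pad byte after odd-length data */
    return IFF_HDR + n + (n & 1);
}

/* Builds a minimal constructed AIFC image: FVER, an all-zero COMM, a 5-byte
 * FLLR (odd, so a 0x00 pad byte follows it) and an empty SSND. Returns its size. */
size_t build_sample(uint8_t *out) {
    static const uint8_t fver[4]  = {0xA2, 0x80, 0x51, 0x40};  /* AIFC version 1 */
    static const uint8_t comm[22] = {0};
    static const uint8_t fllr[5]  = {0};
    static const uint8_t ssnd[8]  = {0};
    size_t off = 12;
    off += put_chunk(out + off, "FVER", fver, sizeof fver);
    off += put_chunk(out + off, "COMM", comm, sizeof comm);
    off += put_chunk(out + off, "FLLR", fllr, sizeof fllr);
    off += put_chunk(out + off, "SSND", ssnd, sizeof ssnd);
    memcpy(out, "FORM", 4);
    put_be32(out + 4, (uint32_t)(off - 8));
    memcpy(out + 8, "AIFC", 4);
    return off;
}

/* Clean sample: returns the chunk count; fillers gets the FLLR count. */
int walk_clean(int *fillers) {
    uint8_t buf[SAMPLE_CAP];
    size_t n = build_sample(buf);
    return walk_aifc(buf, n, fillers);
}

/* Case 1: flip the FLLR pad byte from 0x00 to 0xFF. Alignment is unchanged,
 * so a correct walker still sees all four chunks. */
int walk_with_nonzero_pad(void) {
    uint8_t buf[SAMPLE_CAP];
    size_t n = build_sample(buf);
    buf[FLLR_OFF + IFF_HDR + 5] = 0xFF;
    return walk_aifc(buf, n, NULL);
}

/* Case 2: inflate the FLLR length field far past the end of the file. A walker
 * that trusted the length would read out of bounds; this one returns -1. */
int walk_with_inflated_fllr(void) {
    uint8_t buf[SAMPLE_CAP];
    size_t n = build_sample(buf);
    put_be32(buf + FLLR_OFF + 4, 0x7FFFFFFFu);
    return walk_aifc(buf, n, NULL);
}

int main(void) {
    int fillers = 0;
    printf("clean file: %d chunks, %d FLLR\n", walk_clean(&fillers), fillers);
    printf("non-zero pad byte: %d\n", walk_with_nonzero_pad());
    printf("inflated FLLR length: %d\n", walk_with_inflated_fllr());
    return 0;
}
```

The check that matters is `clen > end - body` before any byte of the chunk body or the following header is touched; a parser that computes the next offset from the declared length first and validates afterwards has already read out of bounds by the time it notices.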

12th May: Reported to the Apple Security Team, with PoC. Exploitability unconfirmed.
15th May: ACK from Apple Security Team.
17th May: Request for update.
19th May: Update from Apple, confirming crash on 5.1.1 also.
19th June: Update from Apple, reclassifying the issue as non-security (out-of-bounds read), with low exploitability likelihood.
