Prepared DMG images crash Apple's Finder
Prepared DMG images can be used to crash the Finder under Mac OS X 10.4.8. A demo exploit is available from LMH, one of the brains behind the Month of Apple Bugs. The cause of the bug is probably an overflow, which can be triggered by a volume name longer than 255 bytes in the DMG image. According to LMH, it should also be possible to inject and execute code as a result of this flaw, but he has not yet been able to control the requisite SIZE parameter.
Apple has not yet released a patch, and the MOAB Fixes group has likewise not yet produced an unofficial update. A malicious DMG image could, for example, be made available as a download from a website. In its default configuration Safari automatically opens downloaded disk images in the Finder.
A similar bug when mounting DMG images was published by MOAB initiator LMH as part of the Month of Kernel Bugs. That exploit did not, however, crash the Finder; it caused the complete system to hang or crash. LMH claimed on that occasion too that the bug could be exploited to execute injected code. A closer examination of the problem by other security specialists apparently revealed, however, that the bug could not be used to overwrite areas of memory, so injecting and executing code was not possible; the most that could be provoked was a kernel panic.
Whether this is the reason that Apple has still not released a patch for this vulnerability, despite the fact that it has been in the public domain for about seven weeks, is not clear. Further analysis will need to show whether LMH has once more overestimated the significance of the new vulnerability. As a workaround, users should deactivate the "Open safe files" option under "General" in Safari and should not load DMG images from untrusted sources.
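The workaround above can also be applied from a shell, which is useful when several Macs have to be checked. The following script is an added example and is not from the heise report or from MOAB; it assumes that Safari's "Open safe files" checkbox is backed by the `com.apple.Safari` preference key `AutoOpenSafeDownloads`, which is what the `defaults` tool reads and writes. The value interpretation is kept in a separate function so it can be tested without a Mac.

```shell
#!/bin/sh
# Added example (not from the heise article or MOAB): check whether Safari's
# "Open safe files after downloading" option is on, and switch it off so that
# a downloaded DMG image is not handed to the Finder automatically.
# Assumption: the option is stored under the preference key
# com.apple.Safari AutoOpenSafeDownloads.

# Interpret a value as printed by `defaults read` (0/1 for booleans, or a
# true/false string if it was written as text). Prints "disabled" or
# "enabled" and returns 0 only when auto-open is off.
safe_files_state() {
    case "$1" in
        0|false|FALSE|no|NO) echo "disabled"; return 0 ;;
        *)                   echo "enabled";  return 1 ;;
    esac
}

# Read the current value; a missing key means Safari's default, i.e. enabled.
read_auto_open() {
    defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo 1
}

# Disable auto-open: downloaded images then stay in the download folder until
# the user opens them deliberately.
disable_auto_open() {
    defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
}

main() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults(1) not found; this script applies to Mac OS X only" >&2
        return 2
    fi
    current=$(read_auto_open)
    if safe_files_state "$current" >/dev/null; then
        echo "Safari auto-open of 'safe' files is already disabled"
    else
        echo "Safari auto-open of 'safe' files is enabled; disabling it"
        disable_auto_open
        echo "Now: $(safe_files_state "$(read_auto_open)")"
    fi
}

# Only change anything when explicitly asked, so the functions can be sourced
# and checked on their own.
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Run it as `sh safari_safe_files.sh --apply` on the affected machine; Safari has to be restarted for the change to take effect, and the script leaves a system without `defaults(1)` untouched.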
- Apple Finder DMG Volume Name Memory Corruption, bug report from MOAB
- Prepared DMG images bring Mac OS X to a halt, report on heise Security