CVE-2015-3783 : Détail

CVE-2015-3783

Overflow
81.48%V3
Network
2015-08-16
21h00 +00:00
2017-09-20
07h57 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

SceneKit in Apple OS X before 10.10.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P [email protected]

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 38264

Date de publication : 2015-09-21 22h00 +00:00
Auteur : Google Security Research
EDB Vérifié : Yes

Source: https://code.google.com/p/google-security-research/issues/detail?id=467 There is a heap overflow in daeElement::setElementName(). The vulnerable method uses a fixed size (128 bytes) heap-allocated buffer to copy the name of an arbitrary element. By setting the name of the element to something larger the buffer is overflown. The vulnerable code does something like this: if (element_name) { if (!this->name) { this->name = new char[128]; } strcpy(this->name, element_name); } The element_name is supplied by the user and can be more than 128 characters long. Steps to reproduce (Note: you need to enable libgmalloc): a) $ lldb b) (lldb) target create /usr/bin/qlmanage Current executable set to '/usr/bin/qlmanage' (x86_64). c) (lldb) env DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib d) (lldb) process launch -- -p setElementNameOOB.dae Process 4460 stopped * thread #3: tid = 0x5fdc, 0x00007fff92fbf108 libsystem_c.dylib`strcpy + 104, queue = 'com.apple.root.default-qos', stop reason = EXC_BAD_ACCESS (code=1, address=0x123445409000) frame #0: 0x00007fff92fbf108 libsystem_c.dylib`strcpy + 104 libsystem_c.dylib`strcpy: -> 0x7fff92fbf108 <+104>: movdqu xmmword ptr [rdi + rcx + 0x10], xmm1 0x7fff92fbf10e <+110>: add rcx, 0x10 0x7fff92fbf112 <+114>: movdqa xmm1, xmmword ptr [rsi + rcx + 0x10] 0x7fff92fbf118 <+120>: pxor xmm0, xmm0 e) (lldb) bt * thread #3: tid = 0x5fdc, 0x00007fff92fbf108 libsystem_c.dylib`strcpy + 104, queue = 'com.apple.root.default-qos', stop reason = EXC_BAD_ACCESS (code=1, address=0x123445409000) * frame #0: 0x00007fff92fbf108 libsystem_c.dylib`strcpy + 104 frame #1: 0x0000000137c4eb4f SceneKit`daeMetaElement::create(char const*) + 199 frame #2: 0x0000000137c4bf80 SceneKit`daeIOPluginCommon::beginReadElement(daeElement*, char const*, std::__1::vector<std::__1::pair<char const*, char const*>, std::__1::allocator<std::__1::pair<char const*, char const*> > > const&, int) + 80 frame #3: 0x0000000137c5aaf3 SceneKit`daeLIBXMLPlugin::readElement(_xmlTextReader*, daeElement*, int&) + 369 frame #4: 0x0000000137c5ac51 SceneKit`daeLIBXMLPlugin::readElement(_xmlTextReader*, daeElement*, int&) + 719 frame #5: 0x0000000137c5ac51 SceneKit`daeLIBXMLPlugin::readElement(_xmlTextReader*, daeElement*, int&) + 719 frame #6: 0x0000000137c5ac51 SceneKit`daeLIBXMLPlugin::readElement(_xmlTextReader*, daeElement*, int&) + 719 frame #7: 0x0000000137c5ac51 SceneKit`daeLIBXMLPlugin::readElement(_xmlTextReader*, daeElement*, int&) + 719 frame #8: 0x0000000137c5a8cf SceneKit`daeLIBXMLPlugin::read(_xmlTextReader*) + 109 frame #9: 0x0000000137c5a914 SceneKit`daeLIBXMLPlugin::readFromMemory(char const*, daeURI const&) + 54 frame #10: 0x0000000137c4bd1d SceneKit`daeIOPluginCommon::read(daeURI const&, char const*) + 167 frame #11: 0x0000000137c3eb77 SceneKit`DAE::openCommon(daeURI const&, char const*) + 55 This bug has been tested on: $ sw_vers ProductName: Mac OS X ProductVersion: 10.10.3 BuildVersion: 14D136 $ qlmanage --version QuickLook framework: v5.0 (675.42) Attached are two files: 1) setElementNameOOB.dae - the POC dae file. 2) setElementNameOOB_dae.crashlog.txt - the CrashWrangler log. Attack vector: This bug can be triggered by any application that uses the QuickLook framework to generate a preview/thumbnail of DAE (COLLADA) files. For example, loading the supplied POC in Preview or selecting the file in Finder and hitting <space> will trigger the bug. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38264.zip

Products Mentioned

Configuraton 0

Apple>>Mac_os_x >> Version To (including) 10.10.4

Références

https://www.exploit-db.com/exploits/38264/
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.securityfocus.com/bid/76340
Tags : vdb-entry, x_refsource_BID
https://support.apple.com/kb/HT205031
Tags : x_refsource_CONFIRM
http://www.securitytracker.com/id/1033276
Tags : vdb-entry, x_refsource_SECTRACK