Apple Peeler


Transmit 3 takes Mac OS X FTP to the next level by making file management easy. You can copy files to or from a server with drag and drop simplicity, or edit HTML code directly on a web server. You can even Preview graphic files on the fly with Transmit.

Transmit can speak to most any server that understands FTP, SFTP, FTP TLS/SSL, WebDAV, or secure WebDAV. It works great with everything from Mac OS X's built-in FTP server to your iDisk. When dealing with the SFTP protocol, Transmit unfortunately does not allocate enough space when dealing with the string passed on via the URL handler, leading to an exploitable heap-based buffer overflow condition.

Affected versions versions up to 3.5.5 are affected.

Proof of concept, exploit or instructions to reproduce

The proof of concept uses Javascript to trigger the issue by launching Transmit via an iframe element with a src attribute containing the non-malicious payload.

Debugging information

The following debugging information shows Transmit triggering the issue via the provided Javascript-based proof of concept:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x44434279
[Switching to process 4189 thread 0x8607]
0x900257e2 in flockfile ()
(gdb) i r
eax            0x1938600        26445312
ecx            0x44434241       1145258561
edx            0xb0230768       -1339881624
ebx            0x900107db       -1878980645
esp            0xb02305e0       0xb02305e0
ebp            0xb02305f8       0xb02305f8
esi            0x1938600        26445312
edi            0x44434241       1145258561
eip            0x900257e2       0x900257e2 <flockfile+18>
eflags         0x10282  66178
cs             0x17     23
ss             0x1f     31
ds             0x1f     31
es             0x1f     31
fs             0x0      0
gs             0x37     55
(gdb) back
#0  0x900257e2 in flockfile ()
#1  0x900107f2 in vfprintf ()
#2  0x00190cf3 in PrintF ()
#3  0x00187bc5 in FTPInitialLogEntry ()
#4  0x00187d10 in FTPOpenHost ()
#5  0x00150626 in -[FTPConnectionWorker _connectTo:port:user:password:
                   initialPath:localPath:redial:listFiles:encoding:] ()
#6  0x90a58c56 in objc_msgSendv ()
#7  0x925f443e in -[NSInvocation invoke] ()
#8  0x9261a433 in -[NSInvocation invokeWithTarget:] ()
#9  0x001611d3 in -[AbstractConnectionWorker workerThreadWithPorts:] ()
#10 0x925ed36c in forkThreadForFunction ()
#11 0x90023d87 in _pthread_body ()

(gdb) x/10 $ebp
0xb02305f8:     0xb0230628      0x900107f2      0x44434241      0x624f746e
0xb0230608:     0x7463656a      0x80040000      0x01148589      0x03010101
0xb0230618:     0x5f0c0101      0x00187b6e
(gdb) x/10 $esp
0xb02305e0:     0x20000000      0x4202a05f      0x00000000      0x00000000
0xb02305f0:     0x0193744b      0x44434241      0xb0230628      0x900107f2
0xb0230600:     0x44434241      0x624f746e


Exploitation conditions

Given that the buffer overflow is heap-based, stack NX is useless to prevent exploitation for code execution. For heap exploitation techniques, please read the excellent Phrack article by nemo: OS X heap exploitation techniques. This issue can be abused via different vectors, such as Javascript, Flash movies, etc.

Workaround or temporary solution

Disable the ftps:// URL handler via RCDefaultApp.