The vendor (Apple) provides the following description of Bonjour and iChat:
Bonjour, also known as zero-configuration networking, enables automatic discovery of computers, devices, and services on IP networks. Bonjour uses industry standard IP protocols to allow devices to automatically discover each other without the need to enter IP addresses or configure DNS servers.
Bonjour functionality is affected by several denial of service flaws. The simplest of them is the lack of throttling for discovery of available contacts (via mDNS queries).

iChat adds any advertised _presence._tcp record without verifying whether an equivalent entry already exists (e.g. one matching the same first or last name, AIM handle, etc.). A malicious user could advertise fake records and thereby block iChat users on Bonjour from discovering further peers in the network and from having reliable communications.
The other issue can be used remotely to directly cause an exception in the iChat Agent when it parses a crafted TXT key hash. This instantly causes a signal to be sent to the process, resulting in a so-called 'crash'. Further attempts to launch the iChat Bonjour functionality will fail, as mDNSResponder keeps the crafted record (restarting it will be necessary). These particular issues can't be abused for arbitrary code execution.

Note: this should be considered an issue in mDNSResponder as well; iChat isn't involved in the processing of any mDNS service advertisements (although it should definitely throttle presence queries). mDNSResponder stops responding shortly after abuse.
Verified with iChat 3.1.6 (v441), InstantMessage framework v428 on Mac OS X 10.4.8 (8L2127), x86.
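As an added defender-side illustration (not code from the advisory, nor from Apple), the following Python sketches the two checks the text says are missing: a TXT record parser that never hands a missing value to its caller for a malformed key/value entry, and a presence table that deduplicates peers on identity attributes and throttles registrations per source address. The TXT keys 1st, last and jid, and the rate-limit values, are assumptions made for the example.

```python
from collections import deque

# Policy values for this example (constructed, not iChat's own limits).
RATE_LIMIT = 20      # new presence registrations per source per window
WINDOW_SEC = 10.0

def parse_txt(data: bytes) -> dict:
    """Parse DNS TXT RDATA (length-prefixed strings) into key/value pairs.
    A bare key yields "", while "=x" (no key) and truncated entries are
    dropped, so no entry can ever produce a missing value for the caller."""
    attrs, i = {}, 0
    while i < len(data):
        n = data[i]
        i += 1
        if n == 0 or i + n > len(data):   # zero-length or truncated string
            break
        key, _, value = data[i:i + n].partition(b"=")
        i += n
        if not key:                       # "=foo": no key, skip it
            continue
        key = key.decode("ascii", "replace").lower()
        if key not in attrs:              # first occurrence of a key wins
            attrs[key] = value.decode("utf-8", "replace")
    return attrs

class PresenceTable:
    """Peer list for _presence._tcp records with the two checks the
    advisory says iChat lacks: identity dedup and per-source throttling."""
    def __init__(self):
        self.peers = {}    # identity -> instance name
        self.recent = {}   # source address -> timestamps of accepted adds

    def register(self, source, instance, txt: bytes, now: float) -> str:
        attrs = parse_txt(txt)
        ident = tuple(attrs.get(k, "") for k in ("1st", "last", "jid"))
        if not any(ident):                # no identity keys: fall back to name
            ident = ("instance", instance)
        if ident in self.peers:
            return "duplicate"
        q = self.recent.setdefault(source, deque())
        while q and now - q[0] > WINDOW_SEC:
            q.popleft()                   # drop timestamps outside the window
        if len(q) >= RATE_LIMIT:
            return "throttled"
        q.append(now)
        self.peers[ident] = instance
        return "added"
```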
Proof of concept, exploit or instructions to reproduce
The exploit provided contains two different methods to conduct a denial of service attack against iChat Bonjour. The first one takes advantage of the lack of throttling for 'presence discovery', and the second simply broadcasts a crafted TXT key hash to trigger a NULL pointer dereference. All hosts reachable via Bonjour and running iChat will be knocked out.
$ ruby bug-files/MOAB-29-01-2007.rb
++ MOAB-29-01-2007: iChat Bonjour Fun
++ Selected target: 0

$ ruby bug-files/MOAB-29-01-2007.rb 1
++ MOAB-29-01-2007: iChat Bonjour Fun
++ Selected target: 1
++ Registering presence 0
(...)
++ Registering presence 411
^C++ Exiting...
Note: please don't prank random zealots with it. We would be instantly blamed as the source of the joke, we would see photoshopped and funny Safari screenshots and alleged
Last but not least, don't use Chinese SOCKS proxies please; zealots think Shanghai is in the US and will blame KF too.
The following debugging information shows iChat Agent during both attacks supported by the provided exploit:
-- via fake record presence advertising denial of service

$ top
(...)
2751 iChatAgent 0.0% 0:03.65 3 69 82 3.17M 5.56M 6.18M 298M

Attaching to program: `.../iChatAgent.app/Contents/MacOS/iChatAgent', process 2733.
Reading symbols for shared libraries ................................... done
0x90009857 in mach_msg_trap ()
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: .../iChatAgent.app/Contents/MacOS/iChatAgent
^C
Program received signal SIGINT, Interrupt.
0x9001db47 in recvfrom ()
(gdb) x/i $ebx
0x9007b5b6: mov 20(%ebp),%esi
(gdb) x/s 0x1100989
0x1100989: "Larry Seltzer Snorts Coke"
(gdb) x/s 0x1100989+640
0x1100c09: "Larry Seltzer Snorts Coke"

MALLOC_TINY 00500000-00600000 [ 1024K] rw-/rwx SM=COW DefaultMallocZone_0x500000
MALLOC_TINY 01100000-011cf000 [  828K] rw-/rwx SM=COW DefaultMallocZone_0x500000
MALLOC      01800000-02008000 [ 8224K] rw-/rwx SM=COW DefaultMallocZone_0x500000

(gdb) back
#0  0x9001db47 in recvfrom ()
#1  0x90032846 in recv ()
#2  0x9006e11e in deliver_request ()
#3  0x9007b690 in DNSServiceQueryRecord ()
#4  0x9101cadc in CFNetServiceMonitorStart ()
#5  0x9268eb72 in -[NSNetService startMonitoring] ()
#6  0x0004eb39 in ?? ()
#7  0x925e9059 in -[NSArray makeObjectsPerformSelector:withObject:] ()
#8  0x0004e9bf in ?? ()
#9  0x9268e49c in _netServiceBrowserDispatchCallBack ()
#10 0x9101c195 in _BrowseReply ()
#11 0x9007affe in handle_browse_response ()
#12 0x9007ae96 in DNSServiceProcessResult ()
#13 0x910164fa in _SocketCallBack ()
#14 0x9083ffef in __CFSocketDoCallback ()
#15 0x9083fd64 in __CFSocketPerformV0 ()
#16 0x90829fd2 in CFRunLoopRunSpecific ()
#17 0x90829b0e in CFRunLoopRunInMode ()
#18 0x92622dc6 in -[NSRunLoop runMode:beforeDate:] ()
#19 0x92622cc2 in -[NSRunLoop run] ()
#20 0x00002808 in ?? ()
#21 0x000026c2 in ?? ()
#22 0x0006535d in ?? ()

-- via crafted TXT record

Starting program: .../iChatAgent.app/Contents/MacOS/iChatAgent
2007-01-30 05:09:26.483 iChatAgent *** Uncaught exception: *** -[NSCFDictionary setObject:forKey:]: attempt to insert nil value

Program received signal SIGTRAP, Trace/breakpoint trap.
0x9262050b in _NSRaiseError ()
(gdb) back
#0  0x9262050b in _NSRaiseError ()
#1  0x926472cb in +[NSException raise:format:] ()
#2  0x92692131 in _NSDictionaryRaiseInsertNilValueException ()
#3  0x925d55bf in -[NSCFDictionary setObject:forKey:] ()
#4  0x0004ecde in ?? ()
#5  0x0004eb83 in ?? ()
#6  0x9101cfb4 in _QueryRecordReply ()
#7  0x9007b84c in handle_query_response ()
#8  0x9007ae96 in DNSServiceProcessResult ()
#9  0x91039b55 in _SocketCallBack ()
#10 0x9083ffef in __CFSocketDoCallback ()
#11 0x9083fd64 in __CFSocketPerformV0 ()
#12 0x90829fd2 in CFRunLoopRunSpecific ()
#13 0x90829b0e in CFRunLoopRunInMode ()
#14 0x92622dc6 in -[NSRunLoop runMode:beforeDate:] ()
#15 0x92622cc2 in -[NSRunLoop run] ()
#16 0x00002808 in ?? ()
#17 0x000026c2 in ?? ()
#18 0x0006535d in ?? ()
Given that the exploitation vector is Bonjour (and taking into account that it's a broadcasting service), these issues can be abused remotely and affect numerous users at once, as long as they can be reached via service advertisements. Much like with wireless device driver exploits, the term 'massive pwnage' can be used in all its glory.
Bonjour weaknesses and further details will be published soon in a separate document.
Workaround or temporary solution
Either don't use iChat with Bonjour, or disable mDNSResponder altogether. You don't want to be (another) nevaR reldA, seriously.
$ sudo launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
$ sudo mv /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist \
    /Users/Shared/com.apple.mDNSResponder.plist.BACKUP