Heap-based buffer overflow in the GSM mobility management implementation in Telephony in Apple iOS before 4.2 on the iPhone and iPad allows remote attackers to execute arbitrary code on the baseband processor via a crafted Temporary Mobile Subscriber Identity (TMSI) field.

CVE-2010-3832

The utf8_decode function in PHP before 5.3.4 does not properly handle non-shortest form UTF-8 encoding and ill-formed subsequences in UTF-8 data, which makes it easier for remote attackers to bypass cross-site scripting (XSS) and SQL injection protection mechanisms via a crafted string.

Well, here I am developing ACS, finding that this project resembles at some degree the creation of a browser.. but anyway, it's close to a working beta (yay!).

In any case, a couple of bugs came to my attention, some of them are public, some of them are not.

First of all, I want to describe the PHP vulnerability I made public on my presentation with David Lindsay, at Blackhat USA 2009, that apparently only Chris Weber, Giorgio Maone (creator of NoScript), Mario Heiderich (creator of PHP-IDS) and the Acunetix security team have realized the danger of it.

It has been reported, well, more than enough times to the PHP team (I made another attempt today, hoping this will get fixed in some time soon.. if at all). This issue affects all PHP versions Mario Heiderich and me could test, and endangers practically all PHP programs that use the utf8\_decode() function for decoding (as recommended by OWASP guidelines).

> The disclosure timeline follows:  
> \* Reported by root@80sec.com: May 11 2009  
> \* Discovered by webmaster@lapstore.de: June 19 2009  
> \* Discovered by Giorgio Maone / Eduardo Vela: July 14 2009  
> \* Reported and Fixed on PHPIDS: July 14 2009  
> \* Microsoft notified of a XSS Filter bypass: July 14 2009  
> \* Fixed XSS Filter bypass on NoScript 1.9.6:  July 20 2009  
> \* Vulnerability disclosed on BlackHat USA 2009: July 29 2009  
> \* Added signature to Acunetix WVS: August 14 2009  
> \* Re-reported by sird@rckc.at: September 27 2009  
> \* Vendor claims it was fixed on 5.2.11: September 29 2009  
> \* Re-re-reported by sird@rckc.at after checking 5.2.11: October 16 2009  
> \* Published sirdarckcat.blogspot.com: October 16 2009  

You can check the bug here:  
http://bugs.php.net/bug.php?id=49687

In reality there are several vulns in just a couple of lines, so I'll describe them here:  
1.- **Overlong UTF-8:**

> As REQUIRED by UNICODE 3.1, and noted in the Unicode Technical Report #36, UTF-8 is forbidden to interpretate a character's non-shortest form.  

   

http://www.unicode.org/reports/tr36/#UTF-8\_Exploit

**VULN: _PHP makes no checks whatsoever on this matter._**

**Why is this a vulnerability?**

A filter (such as addslashes, htmlentities, escapeshellarg, etc.) will NOT be able to detect&escape such byte sequences, and so an application that relies on them for security checks wont be protected at all. Because it allows an attacker to encode "dangerous" chars, such as ', ", <, ;, &, \\0 in different ways:

' = %27 = %c0%a7 = %e0%80%a7 = %f0%80%80%a7  
" = %22 = %c0%a2 = %e0%80%a2 = %f0%80%80%a2  
< = %3c = %c0%bc = %e0%80%bc = %f0%80%80%bc  
; = %3b = %c0%bb = %e0%80%bb = %f0%80%80%bb  
& = %26 = %c0%a6 = %e0%80%a6 = %f0%80%80%a6  
\\0= % 00 = %c0%80 = %e0%80%80 = %f0%80%80%80

Use hackvertor to generate them.

Enabling attacks on systems that use addslashes for example (but almost all encoding functions would be vulnerable):

> // add slashes!  
> foreach($\_GET as $k=>$v)$\_GET\[$k\]=**addslashes**("$v");
> 
> //  .... some code ...
> 
> // $name is encoded in utf8  
> $name=**utf8\_decode**($\_GET\['name'\]);  
> mysql\_query("SELECT \* FROM table WHERE name='$name';");
> 
> ?>

2.- **Ill formed sequences**:  
As REQUIRED by UNICODE 3.0, and noted in the Unicode Technical Report #36, if a leading byte is followed by an invalid successor byte, then it should NOT consume it.  
    http://www.unicode.org/reports/tr36/#Ill-Formed\_Subsequences

**VULN: _PHP will consume invalid bytes._**

**Why is this a vulnerability?**

It will allow an attacker to "eat" controll chars. For example:

> // htmlentities  
> foreach($\_GET as $k=>$v)$\_GET\[$k\]=**htmlentities**("$v",ENT\_QUOTES);
> 
> //  ... some code ...
> 
> $name=$\_GET\['name'\];  
> $url=$\_GET\['url'\];
> 
> //  ... some code ...
> 
> $profileImage="<img alt=\\"Photo of $name\\" src=\\"http://$url\\" />";
> 
> // ... some code ...  
> echo **utf8\_decode**($profileImage);  
> ?>

A request such as:

?name=%90&src=%20onerror=alert(1)%20

Will execute the code "alert(1)" when the page loads.

Note that htmlpurifier does a utf8\_decode function call at the end of the decoding, BUT they are safe because of a pre-encoding made by htmlpurifier.. other codes that do the same wont be so lucky.

Bogdan Calin from Acunetix WVS described a couple of other potential attack scenarios:

>   

Where an attacker could fool the filter by doing a request like:  
vuln.php?input=**%F6%3Cimg+onmouseover=prompt(/xss/)//%F6%3E**

And:

>   

  

>   

Where an attacker could fool the filter by doing a request like:  
index.php?username=**test%FC%27%27+or+1=1+–+**&password=a

3.- **Integer overflow:**  
Unsigned short has a size of 16 bits (2 bytes), that is UNCAPABLE of storing unicode characters of 21 bits, and represented on UTF with 4 bytes (1111 0xxx 10xx xxxx 10xx xxxx 10xx xxxx). PHP attempts to sum a 21 bits value to a 16 bits-size variable, and then makes no checks on the value.

The affected code follows:

> //  php/ext/xml/xml.c#558  
> PHPAPI char \*xml\_utf8\_decode(    //  ...  
> {  
>     int pos = len;  
>     char \*newbuf = emallo    //  ...  
>     unsigned short c;          // **sizeof(unsigned short)==16** bits  
>     char (\*decoder)(unsig    //  ...  
>     xml\_encoding \*enc = x    //  ...  
> //  ...  
> //  #580  
>     c = (unsigned char)(\*s);  
>     if (c >= 0xf0) {         /\* **four bytes encoded, 21** bits \*/  
>         if(pos-4 >= 0) {  
>             c = (**(s\[0\]&7)<<18) | ((s\[1\]&63)<<12)** | ((s\[2\]&63)<<6) | (s\[3\]&63);  
>         } else {  
>             c = '?';     
>         }  
>         s += 4;  
>         pos -= 4;  
> //  ...  

The relevant part of the code is of course, the declaration of c as an unsigned int, the comment specifing that the char is 21 bits, and this:

> x= ((s\[0\]&7)<<18) | ...  

s\[0\]&7<<18 means it will move 3 bits, 18 bits to the right. As we noted before.. c's size is only 16 bits.

> (xxxx xxxx & 0000 0111) << 18  

Also, this part:

> ...  ((s\[1\]&63)<<12) | ...  

s\[1\]&63<<12 means it will move 6 bits, 12 bits to the right. So, 2 bits are going to be lost.

> (xxxx xxxx & 0011 1111) << 12  

This allows us to make something even more interesting.

Code like this:

**%FF%F0%40%FC** that is invalid unicode, overlong, and all you want (definatelly NOT valid), will be casted as a "lower than" simbol (<).

http://eaea.sirdarckcat.net/xss.php?unicode&html\_xss=%FF%F0%40%FC

This besides the already mentioned problems, and the possibility of bypassing quite a lot of WAFs and Filters.. demonstrate the problem of a bad unicode implementation on PHP.

I hope the PHP development team acknowledges all this issues that have been reported before, and were explained some months ago on Blackhat USA (and the developers were noticed to check the ppt more than once), and now are explained yet another time.

**This was fixed on 5.2.11 :) on my birthday!! Sept 17**

Anyway.. that's not all, now to finish this post I want to publish a overlong utf-8 exception on Firefox (actually, Mozilla's).

**The firefox one**

Firefox is supposed to consider the non-shortest form exception (point #1 in the PHP vulnerabilities), and section 3.1 of the Unicode Technical Report #36 but apparently there's a flaw on it. This is specially problematic for the reasons that an overlong unicode sequence not taken into consideration may allow several types of filter bypasses.

Anyway, the severity of this vulnerability is not as high as the PHP ones, but is worth mentioning. The following non-shortest form for the char U+1000:

> 0xF0 0x81 0x80 0x80

is allowed, as well as the correct shortest form:

> 0xE1 0x80 0x80

Note that this problem is only present on the 4 bytes representation.

You can track this bug at:  
https://bugzilla.mozilla.org/show\_bug.cgi?id=522634

Anyway, that's all! Thanks for your time :)

Greetings!!

CVE-2010-3870: A couple of unicode issues on PHP and Firefox

FaceTime in Apple iOS before 4.1 on the iPhone and iPod touch does not properly handle invalid X.509 certificates, which allows man-in-the-middle attackers to redirect calls via a crafted certificate.

CVE-2010-1810

Integer overflow in IOSurface in Apple iOS before 4.0.2 on the iPhone and iPod touch, and before 3.2.2 on the iPad, allows local users to gain privileges via vectors involving IOSurface properties, as demonstrated by JailbreakMe.

    The files contained in the archive link below are those that make use of a pdf exploit in order to jailbreak devices running Apple iOS.  These pdf's are of interest in that they originate in userland and give root access to the devices.
    
    https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/14538.7z (ios_pdf_exploit.7z)

CVE-2010-2973: Offensive Security’s Exploit Database Archive

Race condition in Passcode Lock in Apple iOS before 4 on the iPhone and iPod touch allows physically proximate attackers to bypass intended passcode requirements, and pair a locked device with a computer and access arbitrary data, via vectors involving the initial boot.

CVE-2010-1775

The Settings application in Apple iOS before 4 on the iPhone and iPod touch does not properly report the wireless network that is in use, which might make it easier for remote attackers to trick users into communicating over an unintended network.

Privacy Statement Terms & Conditions Cookie Policy Accessibility Statement Do Not Sell My Personal Information (for CA)

© 2021 Accenture. All Rights Reserved.

CVE-2010-1756: Bugtraq

WebKit in Apple iOS before 4 on the iPhone and iPod touch does not properly implement the history.replaceState method in certain situations involving IFRAME elements, which allows remote attackers to obtain sensitive information via a crafted HTML document.

CVE-2010-1407: About the security content of iOS 4

Use-after-free vulnerability in JavaScriptCore in WebKit in Apple iTunes before 9.2 on Windows, and Apple iOS before 4 on the iPhone and iPod touch, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to page transitions, a different vulnerability than CVE-2010-1763 and CVE-2010-1769.

For full functionality of this site it is necessary to enable JavaScript. Here are the instructions how to enable JavaScript in your web browser.

CVE-2010-1387

Cerulean Studios Trillian 3.1 Basic does not check SSL certificates during MSN authentication, which allows remote attackers to obtain MSN credentials via a man-in-the-middle attack with a spoofed SSL certificate.

CVE-2009-4831: Bugtraq

Multiple heap-based buffer overflows in the AudioCodecs library in the CoreAudio component in Apple iPhone OS before 3.1, and iPhone OS before 3.1.1 for iPod touch, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted (1) AAC or (2) MP3 file, as demonstrated by a ringtone with malformed entries in the sample size table.

This document describes the security content of iOS 3.1 and iOS 3.1.1 for iPod touch.

This article has been archived and is no longer updated by Apple.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates."

**iOS 3.1 and iOS 3.1.1 for iPod touch**

*   **CoreAudio**
    
    CVE-ID: CVE-2009-2206
    
    Available for: iOS 1.0 through 3.0.1, iOS for iPod touch 1.1 through 3.0
    
    Impact: Opening a maliciously crafted AAC or MP3 file may lead to an unexpected application termination or arbitrary code execution
    
    Description: A heap buffer overflow exists in the handling of AAC or MP3 files. Opening a maliciously crafted AAC or MP3 file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Tobias Klein of trapkit.de for reporting this issue.
    

*   **Exchange Support**
    
    CVE-ID: CVE-2009-2794
    
    Available for: iOS 1.0 through 3.0.1, iOS for iPod touch 1.1 through 3.0
    
    Impact: A person with physical access to a device may be able to use it after the timeout period specified by an Exchange administrator
    
    Description: iOS provides the ability to communicate via services provided by a Microsoft Exchange server. An administrator of an Exchange server has the ability to specify a "Maximum inactivity time lock" setting. This requires the user to reenter their passcode after the expiration of the inactivity time in order to use the Exchange services. iOS allows a user to specify a "Require Passcode" setting that may extend up to 4 hours. The "Require Passcode" setting is not affected by the "Maximum inactivity time lock" setting. If the user has "Require Passcode" set to a value higher than the "Maximum inactivity time lock" setting, this would allow a window of time for a person with physical access to use the device, including Exchange services. This update addresses the issue by disabling user choices for "Require Passcode" values greater than the "Maximum inactivity time lock" setting. This issue only affects iOS 2.0 and later, and iOS for iPod touch 2.0 and later. Credit to Allan Steven, Robert Duran, Jeff Beckham of PepsiCo, Joshua Levitsky, Michael Breton of Intel Corporation, Mike Karban of Edward Jones, and Steve Moriarty of Agilent Technologies for reporting this issue.
    

*   **MobileMail**
    
    CVE-ID: CVE-2009-2207
    
    Available for: iOS 1.0 through 3.0.1, iOS for iPod touch 1.1 through 3.0
    
    Impact: Deleted email messages may still be visible through a Spotlight search
    
    Description: Spotlight finds and allows access to deleted messages in Mail folders on the device. This would allow a person with access to the device to view the deleted messages. This update addresses the issue by not including the deleted email in the Spotlight search result. This issue only affects iOS 3.0, iOS 3.0.1, and iOS for iPod touch 3.0. Credit to Clickwise Software and Tony Kavadias for reporting this issue.
    

*   **Recovery Mode**
    
    CVE-ID: CVE-2009-2795
    
    Available for: iOS 1.0 through 3.0.1, iOS for iPod touch 1.1 through 3.0
    
    Impact: A person with physical access to a locked device may be able to access the user's data
    
    Description: A heap buffer overflow exists in Recovery Mode command parsing. This may allow another person with physical access to the device to bypass the passcode, and access the user's data. This update addresses the issue through improved bounds checking.
    

*   **Telephony**
    
    CVE-ID: CVE-2009-2815
    
    Available for: iOS 1.0 through 3.0.1
    
    Impact: Receiving a maliciously crafted SMS message may lead to an unexpected service interruption
    
    Description: A null pointer dereference issue exists in the handling of SMS arrival notifications. Receiving a maliciously crafted SMS message may lead to an unexpected service interruption. This update addresses the issue through improved handling of incoming SMS messages. Credit to Charlie Miller of Independent Security Evaluators, and Collin Mulliner of Technical University Berlin for reporting this issue.
    

*   **UIKit**
    
    CVE-ID: CVE-2009-2796
    
    Available for: iOS 1.0 through 3.0.1, iOS for iPod touch 1.1 through 3.0
    
    Impact: Passwords may be made visible
    
    Description: When a character in a password is deleted, and the deletion is undone, the character is briefly made visible. This may allow a person with physical access to the device to read a password, one character at a time. This update addresses the issue by preventing the character from being made visible. This issue only affects iOS 3.0 and iOS 3.0.1. Credit to Abraham Vegh for reporting this issue.
    

*   **WebKit**
    
    CVE-ID: CVE-2009-2797
    
    Available for: iOS 1.0 through 3.0.1, iOS for iPod touch 1.1 through 3.0
    
    Impact: User names and passwords in URLs may be disclosed to linked sites
    
    Description: Safari includes the user name and password from the original URL in the referer header. This may lead to the disclosure of sensitive information. This update addresses the issue by not including user names and passwords in referer headers. Credit to James A. T. Rice of Jump Networks Ltd for reporting this issue.
    

*   **WebKit**
    
    CVE-ID: CVE-2009-1725
    
    Available for: iOS 1.0 through 3.0.1, iOS for iPod touch 1.1 through 3.0
    
    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
    
    Description: A memory corruption issue exists in WebKit's handling of numeric character references. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of numeric character references. Credit to Chris Evans for reporting this issue.
    

*   **WebKit**
    
    CVE-ID: CVE-2009-1724
    
    Available for: iOS 1.0 through 3.0.1, iOS for iPod touch 1.1 through 3.0
    
    Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack
    
    Description: An issue in WebKit's handling of the parent and top objects may result in a cross-site scripting attack when visiting a maliciously crafted website. This update addresses the issue through improved handling of parent and top objects.
    

*   **WebKit**
    
    CVE-ID: CVE-2009-2199
    
    Available for: iOS 1.0 through 3.0.1, iOS for iPod touch 1.1 through 3.0
    
    Impact: Look-alike characters in a URL could be used to masquerade a website
    
    Description: The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious website to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue by supplementing WebKit's list of known look-alike characters. Look-alike characters are rendered in Punycode in the address bar. Credit to Chris Weber of Casaba Security, LLC for reporting this issue.
    

Published Date: January 28, 2016

Tag

#ios