DoS exploit crashes iOS/OSX devices using WebKit (opens in new tab)

(translate.google.com)

116 pointsluastoned12y ago84 comments

84 comments

67 comments · 27 top-level

adamzegelin12y ago· 11 in thread

This isn't a bug inside WebKit. It's a bug inside Apples CoreText font rendering framework.

A `curl https://zhovner.com/tmp/killwebkit.html` in iTerm2 crashes as well.

    Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
    0   libvDSP.dylib                   0x00007fff9080ead6 0x7fff907f2000 + 117462
    1   com.apple.CoreText              0x00007fff8892cd5c TRun::TRun(TRun const&, CFRange, TRun::SubrangingStyle) + 850
    2   com.apple.CoreText              0x00007fff8892c9ee CTGlyphRun::CloneRange(CTRun const*, CFRange, TRun::SubrangingStyle) + 142
    3   com.apple.CoreText              0x00007fff8893b764 TLine::SetLevelRange(CFRange, unsigned char, bool) + 162
    ⋮
    8   com.googlecode.iterm2           0x000000010003ce63 -[PTYTextView(Private) drawRun:ctx:initialPoint:] + 99
    9   com.googlecode.iterm2           0x000000010003d498 -[PTYTextView(Private) _drawRuns:runs:] + 344
    ⋮
    41  com.googlecode.iterm2           0x0000000100001bd4 start + 52

brokenparser12y ago

It's a bug inside Apples CoreText font rendering framework

So that means anywhere the string could appear, the application that has CoreText render the string crashes? Makes me wonder if it'd work by just broadcasting the string as an SSID and wait for someone to look up available networks, or sending text files to bluetooth devices with an Apple mac address. That would be cool, on a bus, in a crowded city, during rush hour.

mmastrac12y ago

WARNING: the 404 page above is definitely NSFW (likely due to HN adding the backtick to the URL).

harrytuttle12y ago

That's another goatse as far as I'm concerned! Time to scrub my eyeballs...

ballard12y ago

Nice.

on iOS:

    Thread 0 name: Dispatch queue: com.apple.main-thread
    Thread 0:
    0 libsystem_kernel.dylib 0x3a315e30 mach_msg_trap + 20
    1 libsystem_kernel.dylib 0x3a315fd0 mach_msg + 48
    2 CoreFoundation 0x3210c2b6 __CFRunLoopServiceMachPort + 126
    3 CoreFoundation 0x3210afd6 __CFRunLoopRun + 814
    4 CoreFoundation 0x3207e238 CFRunLoopRunSpecific + 352
    5 CoreFoundation 0x3207e0c4 CFRunLoopRunInMode + 100
    6 GraphicsServices 0x35c5d336 GSEventRunModal + 70
    7 UIKit 0x33f9a2b4 UIApplicationMain + 1116
    8 MobileSafari 0x000ff36e 0xf2000 + 54126
    9 libdyld.dylib 0x3a25fb1c start + 0

...

    Thread 2 name:  WebThread
    Thread 2 Crashed:
    0   WebCore                       	0x382fe95a WebCore::ComplexTextController::adjustGlyphsAndAdvances() + 522
    1   WebCore                       	0x382fb94e WebCore::ComplexTextController::ComplexTextController(WebCore::Font const*, WebCore::TextRun const&, bool, WTF::HashSet<WebCore::SimpleFontData const*, WTF::PtrHash<WebCore::SimpleFontData const*>, WTF::HashTraits<WebCore::SimpleFontData const*> >*, bool) + 318
    2   WebCore                       	0x382fb806 WebCore::ComplexTextController::ComplexTextController(WebCore::Font const*, WebCore::TextRun const&, bool, WTF::HashSet<WebCore::SimpleFontData const*, WTF::PtrHash<WebCore::SimpleFontData const*>, WTF::HashTraits<WebCore::SimpleFontData const*> >*, bool) + 18
    3   WebCore                       	0x382ff990 WebCore::Font::getGlyphsAndAdvancesForComplexText(WebCore::TextRun const&, int, int, WebCore::GlyphBuffer&, WebCore::Font::ForTextEmphasisOrNot) const + 56
    4   WebCore                       	0x382ff862 WebCore::Font::drawComplexText(WebCore::GraphicsContext*, WebCore::TextRun const&, WebCore::FloatPoint const&, int, int) const + 150
    5   WebCore                       	0x3808

PS: I love the C++ namespace 'WTF.'

EDIT: complete dump https://gist.github.com/6374524

taspeotis12y ago

> PS: I love the C++ namespace 'WTF.'

I believe that namespace has diagnostic functions that help you answer the question "What's This Function?".

So stack trace helpers, and the like.

3 more replies

K0nserv12y ago

Curling the URL was one of the first things I tried, but I found it actually does work perfectly fine for me.

Corrado12y ago

Yes, I cannot reproduce the crash on OS X 10.8.4 and iTerm2 1.0.0.20130624. Maybe Apple has fixed it in the latest OS patch.

UPDATE: It does kill Chrome 31 (individual tab) and Safari 6.0.5 (the whole browser!).

jamescun12y ago

I just tried this inside Terminal.app (with a ZSH shell) on 10.8.3 and it just outputs a string, doesn't crash or cause any problems otherwise.

http://i.imgur.com/wQ6u8cq.png

FredericJ12y ago

This bug has been reported to Apple already and it's been fixed in Mavericks.

I also believe it's been fixed in iOS7 because they did a lot of changes to the text rendering libraries.

thousande12y ago

http://www.paulirish.com/2013/webkit-for-developers/

blumentopf12y ago

Starting from which version? CoreText 1.0.4 is not affected.

peter_tonoli12y ago· 6 in thread

Seems to be a pretty devastating problem if you send the exploit text to someone in iMessage. Makes the phone immediately crash - when the phone has been restarted and the user clicks on "messages", it crashes again - I think that it'll need a system restore / hacking of the Messages datastore to fix.

Put the exploit text into the SSID for an iOS personal hotspot - crashes iOS devices when they scan for SSID's to connect to.

nickles12y ago

It can be fixed by sending the attack again, then deleting the entire chat history with the attacker. (According to a comment the report linked to.)

pessimizer12y ago

Actually, just by the attacker sending a long enough text message to push the attack off the screen - which you can do yourself by sending a long text message to yourself from another phone, then forwarding that message to the attacker.

nwh12y ago

Using Unicode crashes my router, I learnt that previously.

voltagex_12y ago

Terrible router firmware strikes again. Which router are you using?

zhovner12y ago

Did you test SSID?

peter_tonoli12y ago

As soon as the device found the exploited SSID name, the SSID selector would restart/crash, meaning that the user couldn't select a new SSID.

DanielRibeiro12y ago· 6 in thread

Pretty interesting discovery.

Direct link: (WARNING THIS CAN KILL WEBKIT) https://zhovner.com/tmp/killwebkit.html

semenko12y ago

And a similar tweet: (WARNING / CRASH) https://twitter.com/daken_/status/303784082599456768

tgkokk12y ago

Didn't crash for me on Chrome (Stable) in the first place, but when I tried to translate the page it did.

tuananh12y ago

works fine on Chrome dev running on ML.

1 more reply

signed012y ago

Seems to crash the tab in Chrome 29 on OSX.

jchimney12y ago

not crashing safari for me... Mavericks beta.

johnpowell12y ago

Safari crashes on 10.8.4 for me.

mukundmr12y ago· 4 in thread

Works pretty good, LOL. I hope it gets fixed ASAP. You can try it out and report via the browser feedback information.

nwh12y ago

It's fixed in 10.9 and iOS7, so I imagine they'll backport a patch at some point.

Though it's only a matter of time before somebody posts it here as a comment.

zbowling12y ago

Unlikely. iOS7 and 10.9 use TextKit which wraps CoreText and in turn they have dramatically enhanced CoreText in the process. The code is unlikely to be compatible. It will likely require a patch for the older code.

1 more reply

untog12y ago

Another argument for decoupling apps from OS. Would be great if this could be an update to a Safari app in the App Store...

1 more reply

joeblau12y ago

Is 10.9 usable?

3 more replies

chroman12y ago· 3 in thread

I don't know why, but I realized that CoreText is crashing with this combination of three Unicode characters

http://tny.cz/87a09a7c

mannix12y ago

in js: console.log("\u062E \u0337\u0334\u0310\u062E")

chroman12y ago

I posted a combination with 5 different characters.

This is also working:

\u062E \u0310\u0310\u0310\u062E

coob12y ago

Well it's already fixed in Mavericks then.

prawn12y ago· 2 in thread

My Chrome (in OSX) tab crashes even scrolling past half-way in this comments thread. Doesn't happen in other comment threads or in Safari or Firefox. Any idea why?

I use the HN comment collapse extension plus AdBlock, Ghostery, etc. Some sort of link pre-fetching I'm not aware of?

sp33212y ago

A couple people had posted the text here. If you have showdead off you should be OK for now.

Geee12y ago

It happens here as well, Chrome on OSX.

syncopate12y ago· 2 in thread

I've been looking at the stack trace in gdb a bit. And it seems that inside CoreText TStorageRange::SetStorageSubRange calls

    void vDSP_sveD(double *__vDSP_A, vDSP_Stride __vDSP_I, double *__vDSP_C, vDSP_Length __vDSP_N)

with a negative length argument.

yuhong12y ago

Wonder if it is exploitable.

syncopate12y ago

AFAIU, the length is negative but it is then treated as an unsigned integer by vDSP_sveD. So the function iterates over the given vector until there is a memory exception (As the length is very close to to UINT_MAX). It doesn't look very exploitable to me but it is surely annoying. I've found it a bit odd that neither TStorageRange::SetStorageSubRange nor vDSP_sveD do any kind of sanity checks for the values they calculate or which are passed to them.

sanxiyn12y ago· 2 in thread

This seems to be a kind of bug that would be found by fuzz testing. Is apple not using fuzz testing, or what's going on?

zurn12y ago

What kind of fuzzing heuristic would have found this in the haystack of Unicode permutations?

Dylan1680712y ago

Well it's not just a single permutation. It'll take some deeper analysis to see how much fuzzing would be needed to find this bug.

jonchang12y ago· 1 in thread

Anyone know what Apple's timeline on patches for bugs like this are? TFA says that they've known about this for 6 months now.

potatolicious12y ago

Usually this sort of bug would fall under "next point release". No privilege escalation, no potential for leaking private data - i.e., no giant legal/PR disaster waiting to happen means they will likely defer a patch until the next scheduled point release.

augbot12y ago· 1 in thread

People should put this link in the Apple Crash Report as proof.

joshstrange12y ago

You can't put in a chrome error report (The page will crash) I would assume the same will happen if you try to enter it in an Apple crash report.

chroman12y ago· 1 in thread

This crash any app. Try to paste this Unicode combination into any text field and you'll get a crash. http://tny.cz/1a56d253

chasedrgc122312y ago

Wow this actually crashes the entire Chrome browser on Mac OSX. This is the only one that fully crashes the browser instead of just the tab. The weird thing is, though, you need to copy paste it for it to crash not just view it. Weird huh

yolodicks12y ago· 1 in thread

HOW DO I FIX THIS.

neutral12y ago

send enough non malicious messages to put the malicious one out of the auto load area

open messages, delete the conversation

I had to send about 30 messages, each had about 200 words

signed012y ago

There was something similar earlier this year with typing 'File:///' in a OSX text field.

http://thenextweb.com/shareables/2013/02/02/typing-these-eig...

joeblau12y ago

I remember back in the day when you could send ̂ to people on AIM and crash their AIM clients.

beyondcompute12y ago

> Since Apple doesn't show any reaction for about half a year.

Why is this happening?

gmac12y ago

On my iPad and I can only read half the comments here, then Safari exits: looks like jmuguy rather unhelpfully posted the characters in question.

humus12y ago

Annone testen what happens when you use it as a computername? Could be a problem as well, since machines with fileshares are listed in the finders sidebar. When the SSID already produces such a screwup, that would be even worst.

snickler12y ago

Works when being e-mailed to an apple phone also. Especially if you're using and ActiveSync enabled account. It will immediately crash the mail app until that e-mail message is deleted from another client.

sigzero12y ago

Fixed in Mavericks and iOS7 apparently. So a fix is probably coming soon.

kawera12y ago

Does not crash Safari 6.0.4 (7536.29.13) on OSX 10.7.5 for me.

jmuguy12y ago

I'm really resisting sending this to my coworkers. Works via email as well, you can just turn Mail sync off and back on for the account to fix (on iOS)

lxgr12y ago

Does this also affect iOS 5 and lower? That would be really annoying, as devices stuck on that version aren't receiving updates anymore...

ryanpetrich12y ago

Here's another: http://rpetri.ch/crash/

nst02112y ago

same with

    $ python -c "u'\u0647\u0020\u0488\u0488\u0488'

source: https://twitter.com/nst021/status/316124758469120000

augbot12y ago

Just tested on iOS 7 Safari on a gen3 iPad... The font looks great!

ballard12y ago

CVE # on this?

maqr12y ago

iOS is the only platform where I don't support full disclosure, or for that matter, any disclosure. It looks doubtful that this bug would be able to be used in a jailbreak anyway, but it's certain that Apple will patch it once it's known (and especially if it could be used to jailbreak).

j / k navigate · click thread line to collapse

84 comments

67 comments · 27 top-level

adamzegelin12y ago· 11 in thread

This isn't a bug inside WebKit. It's a bug inside Apples CoreText font rendering framework.

A `curl https://zhovner.com/tmp/killwebkit.html` in iTerm2 crashes as well.

    Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
    0   libvDSP.dylib                   0x00007fff9080ead6 0x7fff907f2000 + 117462
    1   com.apple.CoreText              0x00007fff8892cd5c TRun::TRun(TRun const&, CFRange, TRun::SubrangingStyle) + 850
    2   com.apple.CoreText              0x00007fff8892c9ee CTGlyphRun::CloneRange(CTRun const*, CFRange, TRun::SubrangingStyle) + 142
    3   com.apple.CoreText              0x00007fff8893b764 TLine::SetLevelRange(CFRange, unsigned char, bool) + 162
    ⋮
    8   com.googlecode.iterm2           0x000000010003ce63 -[PTYTextView(Private) drawRun:ctx:initialPoint:] + 99
    9   com.googlecode.iterm2           0x000000010003d498 -[PTYTextView(Private) _drawRuns:runs:] + 344
    ⋮
    41  com.googlecode.iterm2           0x0000000100001bd4 start + 52

brokenparser12y ago

It's a bug inside Apples CoreText font rendering framework

mmastrac12y ago

WARNING: the 404 page above is definitely NSFW (likely due to HN adding the backtick to the URL).

harrytuttle12y ago

That's another goatse as far as I'm concerned! Time to scrub my eyeballs...

ballard12y ago

Nice.

on iOS:

    Thread 0 name: Dispatch queue: com.apple.main-thread
    Thread 0:
    0 libsystem_kernel.dylib 0x3a315e30 mach_msg_trap + 20
    1 libsystem_kernel.dylib 0x3a315fd0 mach_msg + 48
    2 CoreFoundation 0x3210c2b6 __CFRunLoopServiceMachPort + 126
    3 CoreFoundation 0x3210afd6 __CFRunLoopRun + 814
    4 CoreFoundation 0x3207e238 CFRunLoopRunSpecific + 352
    5 CoreFoundation 0x3207e0c4 CFRunLoopRunInMode + 100
    6 GraphicsServices 0x35c5d336 GSEventRunModal + 70
    7 UIKit 0x33f9a2b4 UIApplicationMain + 1116
    8 MobileSafari 0x000ff36e 0xf2000 + 54126
    9 libdyld.dylib 0x3a25fb1c start + 0

...

    Thread 2 name:  WebThread
    Thread 2 Crashed:
    0   WebCore                       	0x382fe95a WebCore::ComplexTextController::adjustGlyphsAndAdvances() + 522
    1   WebCore                       	0x382fb94e WebCore::ComplexTextController::ComplexTextController(WebCore::Font const*, WebCore::TextRun const&, bool, WTF::HashSet<WebCore::SimpleFontData const*, WTF::PtrHash<WebCore::SimpleFontData const*>, WTF::HashTraits<WebCore::SimpleFontData const*> >*, bool) + 318
    2   WebCore                       	0x382fb806 WebCore::ComplexTextController::ComplexTextController(WebCore::Font const*, WebCore::TextRun const&, bool, WTF::HashSet<WebCore::SimpleFontData const*, WTF::PtrHash<WebCore::SimpleFontData const*>, WTF::HashTraits<WebCore::SimpleFontData const*> >*, bool) + 18
    3   WebCore                       	0x382ff990 WebCore::Font::getGlyphsAndAdvancesForComplexText(WebCore::TextRun const&, int, int, WebCore::GlyphBuffer&, WebCore::Font::ForTextEmphasisOrNot) const + 56
    4   WebCore                       	0x382ff862 WebCore::Font::drawComplexText(WebCore::GraphicsContext*, WebCore::TextRun const&, WebCore::FloatPoint const&, int, int) const + 150
    5   WebCore                       	0x3808

PS: I love the C++ namespace 'WTF.'

EDIT: complete dump https://gist.github.com/6374524

taspeotis12y ago

> PS: I love the C++ namespace 'WTF.'

I believe that namespace has diagnostic functions that help you answer the question "What's This Function?".

So stack trace helpers, and the like.

3 more replies

K0nserv12y ago

Curling the URL was one of the first things I tried, but I found it actually does work perfectly fine for me.

Corrado12y ago

Yes, I cannot reproduce the crash on OS X 10.8.4 and iTerm2 1.0.0.20130624. Maybe Apple has fixed it in the latest OS patch.

UPDATE: It does kill Chrome 31 (individual tab) and Safari 6.0.5 (the whole browser!).

jamescun12y ago

I just tried this inside Terminal.app (with a ZSH shell) on 10.8.3 and it just outputs a string, doesn't crash or cause any problems otherwise.

http://i.imgur.com/wQ6u8cq.png

FredericJ12y ago

This bug has been reported to Apple already and it's been fixed in Mavericks.

I also believe it's been fixed in iOS7 because they did a lot of changes to the text rendering libraries.

thousande12y ago

http://www.paulirish.com/2013/webkit-for-developers/

blumentopf12y ago

Starting from which version? CoreText 1.0.4 is not affected.

peter_tonoli12y ago· 6 in thread

Put the exploit text into the SSID for an iOS personal hotspot - crashes iOS devices when they scan for SSID's to connect to.

nickles12y ago

It can be fixed by sending the attack again, then deleting the entire chat history with the attacker. (According to a comment the report linked to.)

pessimizer12y ago

nwh12y ago

Using Unicode crashes my router, I learnt that previously.

voltagex_12y ago

Terrible router firmware strikes again. Which router are you using?

zhovner12y ago

Did you test SSID?

peter_tonoli12y ago

As soon as the device found the exploited SSID name, the SSID selector would restart/crash, meaning that the user couldn't select a new SSID.

DanielRibeiro12y ago· 6 in thread

Pretty interesting discovery.

Direct link: (WARNING THIS CAN KILL WEBKIT) https://zhovner.com/tmp/killwebkit.html

semenko12y ago

And a similar tweet: (WARNING / CRASH) https://twitter.com/daken_/status/303784082599456768

tgkokk12y ago

Didn't crash for me on Chrome (Stable) in the first place, but when I tried to translate the page it did.

tuananh12y ago

works fine on Chrome dev running on ML.

1 more reply

signed012y ago

Seems to crash the tab in Chrome 29 on OSX.

jchimney12y ago

not crashing safari for me... Mavericks beta.

johnpowell12y ago

Safari crashes on 10.8.4 for me.

mukundmr12y ago· 4 in thread

Works pretty good, LOL. I hope it gets fixed ASAP. You can try it out and report via the browser feedback information.

nwh12y ago

It's fixed in 10.9 and iOS7, so I imagine they'll backport a patch at some point.

Though it's only a matter of time before somebody posts it here as a comment.

zbowling12y ago

1 more reply

untog12y ago

Another argument for decoupling apps from OS. Would be great if this could be an update to a Safari app in the App Store...

1 more reply

joeblau12y ago

Is 10.9 usable?

3 more replies

chroman12y ago· 3 in thread

I don't know why, but I realized that CoreText is crashing with this combination of three Unicode characters

http://tny.cz/87a09a7c

mannix12y ago

in js: console.log("\u062E \u0337\u0334\u0310\u062E")

chroman12y ago

I posted a combination with 5 different characters.

This is also working:

\u062E \u0310\u0310\u0310\u062E

coob12y ago

Well it's already fixed in Mavericks then.

prawn12y ago· 2 in thread

My Chrome (in OSX) tab crashes even scrolling past half-way in this comments thread. Doesn't happen in other comment threads or in Safari or Firefox. Any idea why?

I use the HN comment collapse extension plus AdBlock, Ghostery, etc. Some sort of link pre-fetching I'm not aware of?

sp33212y ago

A couple people had posted the text here. If you have showdead off you should be OK for now.

Geee12y ago

It happens here as well, Chrome on OSX.

syncopate12y ago· 2 in thread

I've been looking at the stack trace in gdb a bit. And it seems that inside CoreText TStorageRange::SetStorageSubRange calls

    void vDSP_sveD(double *__vDSP_A, vDSP_Stride __vDSP_I, double *__vDSP_C, vDSP_Length __vDSP_N)

with a negative length argument.

yuhong12y ago

Wonder if it is exploitable.

syncopate12y ago

sanxiyn12y ago· 2 in thread

This seems to be a kind of bug that would be found by fuzz testing. Is apple not using fuzz testing, or what's going on?

zurn12y ago

What kind of fuzzing heuristic would have found this in the haystack of Unicode permutations?

Dylan1680712y ago

Well it's not just a single permutation. It'll take some deeper analysis to see how much fuzzing would be needed to find this bug.

jonchang12y ago· 1 in thread

Anyone know what Apple's timeline on patches for bugs like this are? TFA says that they've known about this for 6 months now.

potatolicious12y ago

augbot12y ago· 1 in thread

People should put this link in the Apple Crash Report as proof.

joshstrange12y ago

You can't put in a chrome error report (The page will crash) I would assume the same will happen if you try to enter it in an Apple crash report.

chroman12y ago· 1 in thread

This crash any app. Try to paste this Unicode combination into any text field and you'll get a crash. http://tny.cz/1a56d253

chasedrgc122312y ago

yolodicks12y ago· 1 in thread

HOW DO I FIX THIS.

neutral12y ago

send enough non malicious messages to put the malicious one out of the auto load area

open messages, delete the conversation

I had to send about 30 messages, each had about 200 words

signed012y ago

There was something similar earlier this year with typing 'File:///' in a OSX text field.

http://thenextweb.com/shareables/2013/02/02/typing-these-eig...

joeblau12y ago

I remember back in the day when you could send ̂ to people on AIM and crash their AIM clients.

beyondcompute12y ago

> Since Apple doesn't show any reaction for about half a year.

Why is this happening?

gmac12y ago

On my iPad and I can only read half the comments here, then Safari exits: looks like jmuguy rather unhelpfully posted the characters in question.

humus12y ago

snickler12y ago

sigzero12y ago

Fixed in Mavericks and iOS7 apparently. So a fix is probably coming soon.

kawera12y ago

Does not crash Safari 6.0.4 (7536.29.13) on OSX 10.7.5 for me.

jmuguy12y ago

I'm really resisting sending this to my coworkers. Works via email as well, you can just turn Mail sync off and back on for the account to fix (on iOS)

lxgr12y ago

Does this also affect iOS 5 and lower? That would be really annoying, as devices stuck on that version aren't receiving updates anymore...

ryanpetrich12y ago

Here's another: http://rpetri.ch/crash/

nst02112y ago

same with

    $ python -c "u'\u0647\u0020\u0488\u0488\u0488'

source: https://twitter.com/nst021/status/316124758469120000

augbot12y ago

Just tested on iOS 7 Safari on a gen3 iPad... The font looks great!

ballard12y ago

CVE # on this?

maqr12y ago

j / k navigate · click thread line to collapse