ID

VAR-201008-0309


CVE

CVE-2010-1801


TITLE

Apple Mac OS X CoreGraphics heap-based buffer overflow vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2010-001972

DESCRIPTION

Heap-based buffer overflow in CoreGraphics in Apple Mac OS X 10.5.8 and 10.6.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF file.

Apple Mac OS X is prone to a heap-based buffer-overflow vulnerability that affects 'Preview.app' in the CoreGraphics component. Successfully exploiting this issue may allow attackers to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition. This issue affects the following: Mac OS X 10.5.8, Mac OS X Server 10.5.8, Mac OS X 10.6.4, Mac OS X Server 10.6.4.

Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Apple CoreGraphics (Preview) Memory Corruption when parsing PDF files
CVE-2010-1801

INTRODUCTION

Apple Preview.app is the default application used in Apple MacOS systems in order to visualize PDF files. It does not properly parse PDF files, which leads to memory corruption when opening a malformed file with an invalid size in a JBIG2 structure at offset 0x2C1 as in PoC Repro1.pdf or offset 0x2C5 as in PoC Repro2.pdf (both values trigger the same vulnerability). This problem was confirmed in the following versions of Apple Preview and MacOS; other versions may also be affected. The problem is triggered by PoCs available to interested parties, which cause invalid memory access in all the referenced versions.

DETAILS

Changing offset 0x2C1:

0xdee8600 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3764>: xor %esi,%esi
0xdee8602 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3766>: mov -0x7c(%ebp),%edx
0xdee8605 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3769>: mov -0x118(%ebp),%eax
0xdee860b <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3775>: mov -0x7c(%ebp),%ecx
0xdee860e <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3778>: inc %edx
0xdee860f <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3779>: cmp 0x8(%eax),%ecx
0xdee8612 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3782>: jae 0xdee861a <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3790>
0xdee8614 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3784>: mov 0xc(%eax),%eax
0xdee8617 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3787>: mov %esi,(%eax,%edi,1) <----- Crash

(gdb) i r $esi $eax $edi
esi 0xc79e860 209315936
eax 0x0 0
edi 0x0 0

(gdb) bt
#0 0x0dee8617 in JBIG2Stream::readSymbolDictSeg ()
#1 0x0dee4f0f in JBIG2Stream::readSegments ()
#2 0x0dee4b5e in JBIG2Stream::reset ()
#3 0x0dee499b in read_bytes ()
#4 0x96d33f32 in jbig2_filter_refill ()
#5 0x96a4b56c in CGPDFSourceRefill ()
#6 0x96a4b402 in CGPDFSourceRead ()

Changing offset 0x2C5:

0xdeb52dc <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+2960>: inc %esp
0xdeb52dd <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+2961>: and $0x4,%al
0xdeb52df <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+2963>: add %al,(%eax)
0xdeb52e1 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+2965>: add %al,(%eax)
0xdeb52e3 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+2967>: mov %edx,(%esp)
0xdeb52e6 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+2970>: call 0xdeb2a96 <_ZN11JBIG2Stream17readGenericBitmapEiiiiiiP11JBIG2BitmapPiS2_i>
0xdeb52eb <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+2975>: mov -0x94(%ebp),%ecx
0xdeb52f1 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+2981>: mov %eax,(%ecx) <----- Crash

(gdb) i r $eax $ecx
eax 0xc79b640 209303104
ecx 0x0 0

(gdb) bt
#0 0x0deb52f1 in JBIG2Stream::readSymbolDictSeg ()
#1 0x0deb1f0f in JBIG2Stream::readSegments ()
#2 0x0deb1b5e in JBIG2Stream::reset ()
#3 0x0deb199b in read_bytes ()
#4 0x96d33f32 in jbig2_filter_refill ()
#5 0x96a4b56c in CGPDFSourceRefill ()
#6 0x96a4b402 in CGPDFSourceRead ()
#7 0x96aa3c8f in CGAccessSessionGetChunks ()

CREDITS

This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).

Best Regards,
Rodrigo.

--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies

Trust: 2.16

sources: NVD: CVE-2010-1801 // JVNDB: JVNDB-2010-001972 // BID: 42653 // VULHUB: VHN-44406 // VULMON: CVE-2010-1801 // PACKETSTORM: 93171

AFFECTED PRODUCTS

vendor | model           | scope | version | Trust
apple  | coregraphics    | -     | -       | 1.4
apple  | coregraphics    | eq    | *       | 1.0
apple  | mac os x        | eq    | 10.6.4  | 1.0
apple  | mac os x server | eq    | 10.5.8  | 1.0
apple  | mac os x        | eq    | 10.5.8  | 1.0
apple  | mac os x server | eq    | 10.6.4  | 1.0
apple  | mac os x        | eq    | v10.5.8 | 0.8
apple  | mac os x        | eq    | v10.6.4 | 0.8
apple  | mac os x server | eq    | v10.5.8 | 0.8
apple  | mac os x server | eq    | v10.6.4 | 0.8
apple  | mac os          | eq    | x10.6   | 0.3
apple  | mac os server   | eq    | x10.6   | 0.3
apple  | mac os          | eq    | x10.6.1 | 0.3
apple  | mac os          | eq    | x10.5.6 | 0.3
apple  | mac os          | eq    | x10.5.3 | 0.3
apple  | mac os server   | eq    | x10.6.1 | 0.3
apple  | mac os server   | eq    | x10.5.6 | 0.3
apple  | mac os server   | eq    | x10.5.3 | 0.3
apple  | mac os          | eq    | x10.5.8 | 0.3
apple  | mac os          | eq    | x10.5.5 | 0.3
apple  | mac os          | eq    | x10.5   | 0.3
apple  | mac os server   | eq    | x10.5.8 | 0.3
apple  | mac os server   | eq    | x10.5.5 | 0.3
apple  | mac os server   | eq    | x10.5   | 0.3
apple  | mac os          | eq    | x10.5.4 | 0.3
apple  | mac os          | eq    | x10.6.2 | 0.3
apple  | mac os          | eq    | x10.5.7 | 0.3
apple  | mac os server   | eq    | x10.5.4 | 0.3
apple  | mac os server   | eq    | x10.6.2 | 0.3
apple  | mac os          | eq    | x10.5.2 | 0.3
apple  | mac os          | eq    | x10.5.1 | 0.3
apple  | mac os server   | eq    | x10.5.7 | 0.3
apple  | mac os server   | eq    | x10.5.2 | 0.3
apple  | mac os server   | eq    | x10.5.1 | 0.3
apple  | mac os          | eq    | x10.6.4 | 0.3
apple  | mac os          | eq    | x10.6.3 | 0.3
apple  | mac os server   | eq    | x10.6.4 | 0.3
apple  | mac os server   | eq    | x10.6.3 | 0.3

sources: BID: 42653 // JVNDB: JVNDB-2010-001972 // CNNVD: CNNVD-201008-294 // NVD: CVE-2010-1801

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2010-1801
value: MEDIUM

Trust: 1.0

NVD: CVE-2010-1801
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201008-294
value: MEDIUM

Trust: 0.6

VULHUB: VHN-44406
value: MEDIUM

Trust: 0.1

VULMON: CVE-2010-1801
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2010-1801
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-44406
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-44406 // VULMON: CVE-2010-1801 // JVNDB: JVNDB-2010-001972 // CNNVD: CNNVD-201008-294 // NVD: CVE-2010-1801

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-44406 // JVNDB: JVNDB-2010-001972 // NVD: CVE-2010-1801

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201008-294

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201008-294

CONFIGURATIONS

sources: JVNDB: JVNDB-2010-001972

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-44406

PATCH

title: HT4312, url: http://support.apple.com/kb/HT4312

Trust: 0.8

title: HT4312, url: http://support.apple.com/kb/HT4312?viewlocale=ja_JP

Trust: 0.8

title: -, url: https://github.com/0xCyberY/CVE-T4PDF

Trust: 0.1

sources: VULMON: CVE-2010-1801 // JVNDB: JVNDB-2010-001972

EXTERNAL IDS

db: NVD, id: CVE-2010-1801

Trust: 3.0

db: SECTRACK, id: 1024359

Trust: 2.6

db: JVNDB, id: JVNDB-2010-001972

Trust: 0.8

db: CNNVD, id: CNNVD-201008-294

Trust: 0.7

db: APPLE, id: APPLE-SA-2010-08-24-1

Trust: 0.6

db: BID, id: 42653

Trust: 0.5

db: PACKETSTORM, id: 93171

Trust: 0.2

db: VULHUB, id: VHN-44406

Trust: 0.1

db: VULMON, id: CVE-2010-1801

Trust: 0.1

sources: VULHUB: VHN-44406 // VULMON: CVE-2010-1801 // BID: 42653 // JVNDB: JVNDB-2010-001972 // PACKETSTORM: 93171 // CNNVD: CNNVD-201008-294 // NVD: CVE-2010-1801

REFERENCES

url:http://securitytracker.com/id?1024359

Trust: 2.6

url:http://lists.apple.com/archives/security-announce/2010//aug/msg00003.html

Trust: 1.8

url:http://support.apple.com/kb/ht4312

Trust: 1.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-1801

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-1801

Trust: 0.8

url:http://www.apple.com/macosx/

Trust: 0.3

url:/archive/1/513355

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/119.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.securityfocus.com/bid/42653

Trust: 0.1

url:https://github.com/0xcybery/cve-t4pdf

Trust: 0.1

url:http://www.checkpoint.com/defense/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2010-1801

Trust: 0.1

sources: VULHUB: VHN-44406 // VULMON: CVE-2010-1801 // BID: 42653 // JVNDB: JVNDB-2010-001972 // PACKETSTORM: 93171 // CNNVD: CNNVD-201008-294 // NVD: CVE-2010-1801

CREDITS

Rodrigo Rubira Branco of the Check Point Vulnerability Discovery Team (VDT)

Trust: 0.3

sources: BID: 42653

SOURCES

db: VULHUB, id: VHN-44406
db: VULMON, id: CVE-2010-1801
db: BID, id: 42653
db: JVNDB, id: JVNDB-2010-001972
db: PACKETSTORM, id: 93171
db: CNNVD, id: CNNVD-201008-294
db: NVD, id: CVE-2010-1801

LAST UPDATE DATE

2025-04-11T22:56:37.182000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-44406, date: 2010-11-17T00:00:00
db: VULMON, id: CVE-2010-1801, date: 2010-11-17T00:00:00
db: BID, id: 42653, date: 2010-09-01T18:35:00
db: JVNDB, id: JVNDB-2010-001972, date: 2010-09-08T00:00:00
db: CNNVD, id: CNNVD-201008-294, date: 2010-09-03T00:00:00
db: NVD, id: CVE-2010-1801, date: 2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db: VULHUB, id: VHN-44406, date: 2010-08-25T00:00:00
db: VULMON, id: CVE-2010-1801, date: 2010-08-25T00:00:00
db: BID, id: 42653, date: 2010-08-24T00:00:00
db: JVNDB, id: JVNDB-2010-001972, date: 2010-09-08T00:00:00
db: PACKETSTORM, id: 93171, date: 2010-08-27T01:44:13
db: CNNVD, id: CNNVD-201008-294, date: 2010-08-27T00:00:00
db: NVD, id: CVE-2010-1801, date: 2010-08-25T20:00:16.767