Parsing bugs of the week
February 5, 2013  
  1. Opening “File:///” will crash most applications on Mac OS X.

    This one’s great because it’s simple, and it’s both a parsing bug and what I’m going to call a Postel bug. Two for one!

    0x0 explains the bug:

    From the openradar bug, it is obvious that the bug is inside the “Data Detectors” thing. Looks like it triggers on anything starting with file:// (+/) case-insensitive, but then something later in the data extraction makes the incorrect assumption that the string should start with file:// (+/) lowercase, and throws an assert.

    So, the parsing bug is that the parser is rejecting “File:///”, which is a perfectly valid URL; RFC 1738: Uniform Resource Locators (URL) says:

    Scheme names consist of a sequence of characters. The lower case letters “a”–“z”, digits, and the characters plus (“+”), period (“.”), and hyphen (“-”) are allowed. For resiliency, programs interpreting URLs should treat upper case letters as equivalent to lower case in scheme names (e.g., allow “HTTP” as well as “http”).

    The Postel bug is that there are two pieces of code that look at the URL, and they have different ideas about what is a valid URL.

  2. The evasi0n jailbreak.

    The evasi0n jailbreak breaks the security of iOS 6.1 so that you can modify your iPhone as you like. Here’s one of the key steps, according to the above-linked post by Braden Thomas:

    Next, evasi0n tells the user it is stroking lockdownd. What that actually means is evasi0n is sending a malformed PairRequest command to lockdownd. Lockdownd is the main daemon that operates on commands received over USB, and is used to start/stop other services, such as MobileBackup and AFC. Since lockdownd runs as root and the user can communicate to it, abusing it to perform unintended tasks has become common in recent jailbreaks.

    Furthermore,

    Then evasi0n sends another malformed PairRequest packet to lockdownd, causing /var/tmp/launchd/sock to become accessible to the mobile user.

    What we have here are two uses of “malformed” inputs. The word “malformed” is a strong indication that the inputs should have been discarded by the parser.

    Apple needs to rewrite lockdownd with a proper parser.
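To make the Postel bug from item 1 concrete, here is an added example (constructed for this post, not Apple’s Data Detectors code): a buggy detector whose two halves disagree about scheme case, beside a version where both halves go through one RFC 1738 scheme parser that lowercases the scheme before anything else looks at it.

```python
import re

# RFC 1738 scheme characters: letters, digits, "+", ".", "-".
# Upper case is accepted and folded to lower case, as the RFC asks.
SCHEME_RE = re.compile(r"^([A-Za-z0-9+.-]+):(.*)$", re.DOTALL)


def parse_scheme(url):
    """Return (scheme, rest) with the scheme lowercased, or None if no scheme."""
    m = SCHEME_RE.match(url)
    if not m:
        return None
    return m.group(1).lower(), m.group(2)


# --- the buggy shape: two pieces of code, two ideas of "valid" ---------------

def buggy_detect_file_url(text):
    """Trigger side: matches file:// case-insensitively (Postel-style leniency)."""
    return text[:7].lower() == "file://"


def buggy_extract_file_path(text):
    """Extraction side: assumes the lowercase spelling and asserts on anything else."""
    assert text.startswith("file://"), "extractor expected lowercase file://"
    return text[len("file://"):]


def buggy_data_detector(text):
    """Detector triggers on 'File:///', extractor then hits its assert: the crash."""
    if buggy_detect_file_url(text):
        return buggy_extract_file_path(text)
    return None


def buggy_detector_crashes(text):
    """True when the two halves disagree and the assert fires."""
    try:
        buggy_data_detector(text)
        return False
    except AssertionError:
        return True


# --- the fixed shape: one parser, one normalized view of the input -----------

def fixed_data_detector(text):
    """Both detection and extraction use parse_scheme, so they cannot disagree."""
    parsed = parse_scheme(text)
    if parsed is None:
        return None
    scheme, rest = parsed
    if scheme != "file" or not rest.startswith("//"):
        return None
    return rest[2:]
```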