MOAB-29-01-2007: Apple iChat Bonjour Multiple Denial of Service Vulnerabilities

Apple iChat Bonjour functionality is affected by several remotely exploitable denial of service flaws which can be triggered via advertising presence services over multicast DNS.

Further information:
Apple iChat Bonjour Multiple Denial of Service VulnerabilitiesExploit: MOAB-29-01-2007.rbIn other news, "Craig Seeman cseeman (at) optonline.net" (author of Flip4Mac reviews) contacted us:

Hi,
regarding http://projects.info-pull.com/moab/MOAB-27-01-2007.html
This is what they're testing have found at this point: Flip4Mac has received reports of a QuickTime crash when playing a deliberately modified/damaged Windows Media file. There is no evidence that this has been or could be exploited to produce a security vulnerability. We have reproduced the crash and will include a fix for this in our next release.

Hmm, even Mr. Keller has kept out of his business (prolly learnt that integer overflows are useful to pop shells around, long after the initial DMG-related lessons). So anyway, better saved EIP overwrite for you:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xff806aa5
0xffff0ac7 in ___memcpy () at .../PrivateHeaders/i386/cpu_capabilities.h:228
228     in /.../PrivateHeaders/i386/cpu_capabilities.h
(gdb) i f
Stack level 0, frame at 0xbfffdc78:
eip = 0xffff0ac7 in ___memcpy (/.../PrivateHeaders/i386/cpu_capabilities.h:228); saved eip 0xdddeface
called by frame at 0xbfffdc80
source language unknown.
Arglist at 0xbfffdc70, args:
Locals at 0xbfffdc70, Previous frame's sp is 0xbfffdc74
Saved registers:
eip at 0xbfffdc70
(gdb) bt
#0  0xffff0ac7 in ___memcpy () at /.../PrivateHeaders/i386/cpu_capabilities.h:228
#1  0xdddeface in ?? ()

Sure we can fake the output. But we seriously have better stuff to do around. Like releasing a working exploit while you keep eating peanuts. Enjoy.