what a terrible pun

Todd Manning, a.k.a. gammah, has found a hole in Bonsoir. As it turns out, running on caffeine at four in the morning, I write some pretty terrible code ;)

The crux of the flaw is that Bonsoir writes the NSData object it receives over the NSSocketPort straight to /tmp/%@.vcf, meaning that it's possible to send a file that would overwrite another file on the system via a relative path (such as ../../../../Users/tyler/.ssh/authorized_keys). Todd told me that he's tried as hard as he could to get the host machine to execute code, but it won't, so the flaw is not too major (see: stupid), but it does allow files to be overwritten over the network (if you fetch a user's flawed vCard).
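The pattern described above, next to one hardened form, as an added illustration in plain C. It is neither Bonsoir's Cocoa source nor Todd's patch; the function names, the allowed character set and the 64-byte name limit are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Flawed pattern: the peer-supplied name is formatted straight into the
 * path, so any "../" sequence in it walks out of /tmp. */
int unsafe_vcf_path(const char *name, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "/tmp/%s.vcf", name);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Accept one path component only: no '/', no leading dot, short allow-list. */
int name_is_safe(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || len > 64 || name[0] == '.')
        return 0;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.' || c == ' ';
        if (!ok) return 0;
    }
    return 1;
}

/* Hardened save: validate the name, then create the file exclusively and
 * without following symlinks, so an existing file is never overwritten. */
int save_vcf(const char *dir, const char *name, const void *data, size_t len) {
    char path[512];
    if (!name_is_safe(name)) return -1;
    int n = snprintf(path, sizeof path, "%s/%s.vcf", dir, name);
    if (n < 0 || (size_t)n >= sizeof path) return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    ssize_t w = write(fd, data, len);
    close(fd);
    if (w != (ssize_t)len) { unlink(path); return -1; }
    return 0;
}
```

Writing into a private per-user directory instead of the shared /tmp would narrow this further.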

While not a huge problem (given the number of Bonsoir users is in single digits), it is a pretty careless mistake on my part; whoops. Here's Todd's patch to the current version of Bonsoir.

Todd wrote up a bit of a Bonsoir + exploit extension application that he's dubbed "BoneSaw" (Todd is about as creative as mashed potatoes). I've mirrored it and uploaded a screenshot of "BoneSaw", which can be found here.

  • Posted: 27/09/06 01:05PM
  • Category: Programmr
