Apple PDF Crasher - A Denial of Service Vulnerability of Apple PDF rendering engine

About

Apple's PDF rendering engine has a denial of service vulnerability. When open specially crafted PDF file with applications which uses apple's PDF rendering enigne, they will crash.

Affected versions

All versions of PDF rendering engine included MAC OS X
All versions of PDF rendering engine included iOS

How to exploit

add following configurations to /etc/ghostscript/(your_version)/cidfmap.local (The path is for Fedora)
This configurations are necessary to use Japanese characters in gnuplot.

/GothicBBB-Medium << /FileType /TrueType /Path (/usr/share/fonts/vlgothic/VL-Gothic-Regular.ttf) /SubfontID 0 /CSI [(Japan1) 2] >> ;
/Ryumin-Light << /FileType /TrueType /Path (/usr/share/fonts/ipa-mincho/ipam.ttf) /SubfontID 0 /CSI [(Japan1) 4] >> ;

Create EPS graphic file including Japanese Character using gnuplot
Create PDF file which includes the EPS graphic file using platex and dvipdfmx

Report

This vulnerability had been reported through IPA at an year ago, but the vendor did not consider this problem as vulnerability. So this vulnerability is still exploitable.

CVSS 2.0 Base Score Evaluation

Access Vector	Network
Access Complexity	Low
Authentication	None
Confidentiality Impact	None
Integrity Impact	None
Availability Impact	Complete
Base Score	7.8

Workaround

For PDF creators

~~There is no workaround since using Japanese in gnuplot.~~ When use Japanese in gnuplot, set terminal pdf instead of eps format.

For Users

For OS X: Use other PDF viewer such as Google Chrome instead of Apple's PDF viewer.
For iOS: I don't have any workaround. Chrome for iOS crashes.

Exploit Code

PDF
Sources (need Japanese support for your LaTeX and ghostscript)

Acknowledgement

All experiments on MAC OS X is done by nvsofts.

Changelog

2015/1/23 14:00 (JST) Change workaround for iOS users.
2015/1/22 19:00 (JST) Add CVSS 2.0 Base Score
2015/1/21 19:15 (JST) Add workaround