Apple PDF Crasher - A Denial of Service Vulnerability of Apple PDF rendering engine


About

Apple's PDF rendering engine has a denial of service vulnerability. When a specially crafted PDF file is opened in an application that uses Apple's PDF rendering engine, the application crashes.

Affected versions

How to exploit

  1. Add the following entries to /etc/ghostscript/(your_version)/cidfmap.local (the path is for Fedora).
     These entries are needed to use Japanese characters in gnuplot.

     /GothicBBB-Medium << /FileType /TrueType /Path (/usr/share/fonts/vlgothic/VL-Gothic-Regular.ttf) /SubfontID 0 /CSI [(Japan1) 2] >> ;
     /Ryumin-Light << /FileType /TrueType /Path (/usr/share/fonts/ipa-mincho/ipam.ttf) /SubfontID 0 /CSI [(Japan1) 4] >> ;

  2. Create an EPS graphic file that includes Japanese characters using gnuplot.
  3. Create a PDF file that includes the EPS graphic using platex and dvipdfmx.

Report

This vulnerability was reported through IPA about a year ago, but the vendor did not consider the problem a vulnerability, so it is still exploitable.

CVSS 2.0 Base Score Evaluation

Access Vector           Network
Access Complexity       Low
Authentication          None
Confidentiality Impact  None
Integrity Impact        None
Availability Impact     Complete
Base Score              7.8

Workaround

For PDF creators

There is no workaround as long as Japanese text is used in gnuplot with the eps terminal. When using Japanese in gnuplot, set the terminal to pdf instead of eps.

For Users

For OS X: Use another PDF viewer, such as Google Chrome, instead of Apple's PDF viewer.
For iOS: I don't have any workaround; Chrome for iOS crashes.

Exploit Code

PDF
Sources (requires Japanese support in your LaTeX and Ghostscript)

Acknowledgement

All experiments on Mac OS X were done by nvsofts.

Changelog