Yes you can!
Still bashing the PDF, and what I see scares me. Sure, I expected some crashes, but I was pretty much sure it wouldn't be more than, let's say, 20. Right now, if I count crashes which seem to be fixed in the latest version of Mavericks, I'm dealing with a nice 74 crashes. I'm not talking about crashes which are related to each other; I'm talking about 74 unique crashes introduced by several vectors, physical or remote.
Right now I'm still not sure what to do. For today I decided to bring you another PDF crash for the latest OS X Mavericks which introduces a parallel crash of 5 IPC-connected processes. Involved is:
- mdworker (one of the worst components on Mac...)
Those processes crashed nearly in parallel when moving the "bad PDF" around (simply to another folder).
To give you a raw number: of the 74 PDF crashes in total so far, 30 are applicable to iOS via a remote vector (Safari + other browsers) as well.
Not sure yet, but I think I will enter the stage of iPhone jailbreaking next year, as it seems not to be as difficult as expected...
Find the PDF here: tmp_mutant_1d66f2323bae6fd59916dc75d98bd1c24d59e8499d4bdc1ae10d75dabadac176
Thread 4 Crashed:
0 com.apple.CoreFoundation 0x00007fff88f7d0a4 _CFArrayReplaceValues + 20
1 com.apple.CoreFoundation 0x00007fff88f70edb CFArrayAppendValue + 123
2 com.apple.CoreGraphics 0x00007fff89f3a19f CGPDFContentStreamCreateWithStream + 79
3 com.apple.CoreGraphics 0x00007fff8a3c7fa1 CGPDFTextExtractorCreateChild + 54
4 com.apple.CoreGraphics 0x00007fff8a3c7ddb op_Do + 136
5 com.apple.CoreGraphics 0x00007fff89f31299 pdf_scanner_handle_xname + 108
When you deal with the PDF a lot you will stumble all over the op_ functions, part of the PDF state-machine parser which handles all sorts of different PDF data containers. As with most state machines, a lot of potential bugs can be found there.
A few years ago I was asked to join Apple's security team in Paris. Obviously they decided not to work with me, and today I'm happy about it ;DD! I'm still surprised by the missing mitigations and protection mechanisms in general. Anyway, it is fun playing with it ;D
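Telling "unique" crashes apart from duplicates of the same bug is the triage step behind a count like 74. As an added example (not code from the post), here is a small Python bucketer that parses the crashed thread of Apple-style crash reports and keys each report on the top symbol names rather than addresses, which differ between runs under ASLR. The first report is the trace quoted above; the other two are constructed, reusing only symbols that appear in it.

```python
import re
from collections import defaultdict

# Constructed corpus: the trace from the post, a report with the same frames at
# different (slid) addresses, and a report that crashes at a different site.
CRASH_LOGS = {
    "mutant_a": """Thread 4 Crashed:
0 com.apple.CoreFoundation 0x00007fff88f7d0a4 _CFArrayReplaceValues + 20
1 com.apple.CoreFoundation 0x00007fff88f70edb CFArrayAppendValue + 123
2 com.apple.CoreGraphics 0x00007fff89f3a19f CGPDFContentStreamCreateWithStream + 79
3 com.apple.CoreGraphics 0x00007fff8a3c7fa1 CGPDFTextExtractorCreateChild + 54
4 com.apple.CoreGraphics 0x00007fff8a3c7ddb op_Do + 136
5 com.apple.CoreGraphics 0x00007fff89f31299 pdf_scanner_handle_xname + 108
""",
    "mutant_b": """Thread 2 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.CoreFoundation 0x00007fff8b1110a4 _CFArrayReplaceValues + 20
1 com.apple.CoreFoundation 0x00007fff8b104edb CFArrayAppendValue + 123
2 com.apple.CoreGraphics 0x00007fff8c0ce19f CGPDFContentStreamCreateWithStream + 79
""",
    "mutant_c": """Thread 0 Crashed:
0 com.apple.CoreGraphics 0x00007fff8a3c7ddb op_Do + 136
1 com.apple.CoreGraphics 0x00007fff89f31299 pdf_scanner_handle_xname + 108
""",
}

# One stack frame: index, image, address, symbol, "+ offset".
FRAME_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s+\+\s+\d+\s*$")
CRASHED_RE = re.compile(r"^Thread\s+\d+\s+Crashed:")


def crashed_thread_frames(report):
    """Return the symbol names of the crashed thread's frames, top first."""
    frames, in_thread = [], False
    for line in report.splitlines():
        if CRASHED_RE.match(line):
            in_thread = True
            continue
        if not in_thread:
            continue
        m = FRAME_RE.match(line)
        if not m:
            break  # first non-frame line ends the crashed thread's stack
        frames.append(m.group(4))
    return frames


def bucket_crashes(reports, depth=3):
    """Group reports whose top `depth` symbols match; addresses are ignored."""
    buckets = defaultdict(list)
    for name, report in reports.items():
        buckets[tuple(crashed_thread_frames(report)[:depth])].append(name)
    return dict(buckets)
```

Keying on three frames is a heuristic: too shallow merges distinct bugs that share a common sink such as CFArrayAppendValue, too deep splits one bug reached through different op_ paths.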
Hope you will have some nice hours of playing with the debugger!
The reverse engineering was done while listening to Sadie: http://www.youtube.com/watch?v=Q3Fg4Ch_9Ig