Odd Mountain Lion Crashing Bug Brings Down Nearly Any App

[coolspot18]

[QUOTE=gnasher729;16789381
And that's total nonsense. This is a bug that is very, very hard to detect. Mountain Lion has been shipping for many months without anyone complaining. It is entirely possible that the same kind of problem exists on Windows, except nobody found it.[/QUOTE]

No it's not - I can't recall the last time Windows can be crashed by merely typing a string. Considering this error is thrown by an assertion within the DataDetector, some programmer thought that this scenario could possibly occur.

[Bubba Satori]

Quote:

Originally Posted by gnasher729

Mountain Lion has been shipping for many months without anyone complaining.
It is entirely possible that the same kind of problem exists on Windows, except nobody found it.

First Prize.

Congrats.

[SlCKB0Y]

Quote:

Originally Posted by gnasher729

Once it's crashed, it's crashed, and it is impossible to do any harm. In this particular situation, the bug that is there will _always_ crash the application, so it cannot be exploited. In other cases, if a hacker finds a way to crash an app, he or she can then try to find a way to make the app do things the hacker wants it to do instead of crashing. There may be a way to do this, or there may not.

In plenty of instances the point of the exploit is to crash whatever service you're targeting with the object being that you (or your script/software) gets dropped in a terminal without requiring any authentication. Once this occurs you are free to run commands from the terminal with the same privilege level that the service was previously running with.

[msandersen]

My smartass brother sent this to me via iMessage, I heard my phone so tried opening Messenger on the Macbook. Crash. Left it at that as I was busy anyway. Later he rang and asked if I'd opened the message. Oh great! I could sense him grinning, and I knew what had happened. The iPhone can show it, so no data detector or whatever is causing it there. I turned on the iMac and checked Messages, and it crashed as soon as I opened it. Thanks a lot brother-of-mine!
Well at least it backfired on him, as his messages also crashes now, as it shows the history on opening, so he's asking ME how to fix it!

I looked through this forum, and tried the suggestion of deleting the message on the iPhone for syncing, and then deleting
~/Library/Messages/Archive/[date]/[log] on the Macbook.

Didn't work.

Checking on my iMac, there was no log for that day; Messages had crashed as it synced before logging it.
I tried the suggestion with Autocorrect, makes no difference.

Since there was no log on the iMac, it had to be somewhere else, so I backed up and opened ~/Library/Messages/chat.db in Textwrangler. There was several occurrences of the string, so I did a search and replace on File: to file:

That did it.

Messages now works again on the iMac. Time to check on the Macbook.

Well, it didn't like me writing to the chat.db, apparently in use. I let it slide for a bit. By the time I got back to it, it was after midnight, and hence the next day, and the offending code wasn't showing in the chat window anyway, so Messages worked again.

The moral: Be wary of smartass brothers.

[MacToddB]

Quote:

Originally Posted by ConCat

I don't think that's related to this.

It keeps happening to me when I try to update Xcode (1.6gb) on multiple macs, too.

[KnightWRX]

Quote:

Originally Posted by coolspot18

No it's not - I can't recall the last time Windows can be crashed by merely typing a string.

That's cool, since this isn't crashing OS X either. Just the running app.

Quote:

Originally Posted by coolspot18

Considering this error is thrown by an assertion within the DataDetector, some programmer thought that this scenario could possibly occur.

No actually, it's quite the opposite. It's probably a condition no programmer ever thought could happen.

IE, a protocol (file) that exists, but using a different case. Has anyone tried to replicate this with fIle:/// fiLe:/// or filE:/// ? This is probably related to some part of the framework doing case insentitive searches passing unmodified strings to a part of the framework doing case sensitive operations. Results in the "Found the protocol! try to do stuff... Can't do that on an unexisting protocol!".

The programmer probably thought : "protocol either is registered or not, anything else is an exception" with a nice "/* We should never get here */"

[KnightWRX]

Quote:

Originally Posted by SlCKB0Y

In plenty of instances the point of the exploit is to crash whatever service you're targeting with the object being that you (or your script/software) gets dropped in a terminal without requiring any authentication. Once this occurs you are free to run commands from the terminal with the same privilege level that the service was previously running with.

Hum... that's now how it works. Crashing an app crashes the app, it doesn't give you a terminal that's running under the user's priviledges.

I think you need to read up on what transforming a crash bug into an exploit entails, it's much more complicated that you seem to think.

I suggest this fine article : Smashing The Stack For Fun And Profit

[LV426]

Quote:

Originally Posted by coolspot18

No it's not - I can't recall the last time Windows can be crashed by merely typing a string. Considering this error is thrown by an assertion within the DataDetector, some programmer thought that this scenario could possibly occur.

It's not so many years ago when you could visit a website hosted on a Windows server, and type an address ending ::$DATA. Instead of the web page, you'd often get the source script that generates the page instead, sometimes complete with database user names and passwords if the programmer had been exceptionally careless. A hacker's friend indeed.

[chrfr]

Quote:

Originally Posted by KnightWRX

Hum... that's now how it works. Crashing an app crashes the app, it doesn't give you a terminal that's running under the user's priviledges.

Regardless, this is a denial of service vulnerability that needs to be fixed.

[Peace]

Quote:

Originally Posted by chrfr

Regardless, this is a denial of service vulnerability that needs to be fixed.

How so ? Once the app crashes it can't be re-opened by any remote computer.

That's sort of how a DDOS works. You need to have the website open to work.

Once it's closed the DDOS is no longer useful.

[chrfr]

Quote:

Originally Posted by Peace

That's sort of how a DDOS works. You need to have the website open to work.

Not a DDOS. Denial of service means that the user can't use the application as intended. If someone can send you a message that crashes your Messages app, that's a DOS.

[gnasher729]

Quote:

Originally Posted by SlCKB0Y

In plenty of instances the point of the exploit is to crash whatever service you're targeting with the object being that you (or your script/software) gets dropped in a terminal without requiring any authentication. Once this occurs you are free to run commands from the terminal with the same privilege level that the service was previously running with.

In MacOS X, you don't get dropped into any terminal. Please tell me where that kind of exploit would work in this century, and I'll tell me what kind of OS to avoid.

----------

Quote:

Originally Posted by coolspot18

No it's not - I can't recall the last time Windows can be crashed by merely typing a string. Considering this error is thrown by an assertion within the DataDetector, some programmer thought that this scenario could possibly occur.

You never heard of it on Windows. You never heard of it on a Mac before last week. And if you look at the crash dump, a programmer thought that his code _might_ be given a url that isn't a file url (always good to be careful), and got the test badly wrong. Bugs happen.

----------

Quote:

Originally Posted by msandersen

My smartass brother sent this to me via iMessage, I heard my phone so tried opening Messenger on the Macbook. Crash. Left it at that as I was busy anyway. Later he rang and asked if I'd opened the message. Oh great! I could sense him grinning, and I knew what had happened. The iPhone can show it, so no data detector or whatever is causing it there. I turned on the iMac and checked Messages, and it crashed as soon as I opened it. Thanks a lot brother-of-mine!

You should introduce your brother to the concept of corporal punishment. Or accidentally drop his phone into a bucket of water. Or something like that. And according to one US prosecutor, what he did is a federal crime punishable with up to five years in jail.

[KnightWRX]

Quote:

Originally Posted by chrfr

Regardless, this is a denial of service vulnerability that needs to be fixed.

I actually stated that earlier. Yes, this is a bug that can be successfully exploited to cause a DoS.

----------

Quote:

Originally Posted by Peace

How so ? Once the app crashes it can't be re-opened by any remote computer.

That's sort of how a DDOS works. You need to have the website open to work.

Once it's closed the DDOS is no longer useful.

DDOS = Distributed Denial of Service
DOS = Denial of Service.

The more you know.

This is a DoS bug. The user can be denied the service received by is application. Websites ? That has nothing to do with DoS.

[chrfr]

Quote:

Originally Posted by KnightWRX

I actually stated that earlier. Yes, this is a bug that can be successfully exploited to cause a DoS.

I've even done it myself a couple times by accident replying to threads. I hope this gets fixed soon.

[Peace]

Quote:

Originally Posted by KnightWRX

I actually stated that earlier. Yes, this is a bug that can be successfully exploited to cause a DoS.

----------



DDOS = Distributed Denial of Service
DOS = Denial of Service.

The more you know.

This is a DoS bug. The user can be denied the service received by is application. Websites ? That has nothing to do with DoS.

http://en.wikipedia.org/wiki/Denial_of_service

"In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the efforts of one or more people to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.
Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. The term is generally used relating to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management.[1]
One common method of attack involves saturating the target machine with external communications requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload. In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.
Denial-of-service attacks are considered violations of the IAB's Internet proper use policy, and also violate the acceptable use policies of virtually all Internet service providers. They also commonly constitute violations of the laws of individual nations."


--------

This bug is not a DOS.

[KnightWRX]

Quote:

Originally Posted by Peace

This bug is not a DOS.

Yes, even your wikipedia entry is clear :

Quote:

to make a machine or network resource unavailable to its intended users.

If I send you a iMessage with File:/// as the contents, your iMessage application will crash. It's thus unavaible to you.

This is a bug that can result in a DoS exploit if you want to be a nitpicker. Any crash bug is, since the exploit is simply triggering the crash condition, repeatedly if necessary.

[coolspot18]

Quote:

Originally Posted by LV426

It's not so many years ago when you could visit a website hosted on a Windows server, and type an address ending ::$DATA. Instead of the web page, you'd often get the source script that generates the page instead, sometimes complete with database user names and passwords if the programmer had been exceptionally careless. A hacker's friend indeed.

That was almost a decade ago ... And even by then, the majority of developers had already switched over to ASP.NET, only the most old-school, outdated, or under qualified programmers used classic ASP for their development.

In anycase, I'm surprised Apple hasn't been more proactive in launching a hot fix to patch the issue.

----------

Quote:

Originally Posted by gnasher729

You never heard of it on Windows. You never heard of it on a Mac before last week. And if you look at the crash dump, a programmer thought that his code _might_ be given a url that isn't a file url (always good to be careful), and got the test badly wrong. Bugs happen.

Yes, my point exactly, so I'm surprised it was not part of an automated test case (since it was a "known" test condition?)

[chrfr]

Quote:

Originally Posted by coolspot18

In anycase, I'm surprised Apple hasn't been more proactive in launching a hot fix to patch the issue.

Likely that it's because 10.8.3 is late in development, so it'll probably be rolled into that.

[Peace]

Quote:

Originally Posted by chrfr

Likely that it's because 10.8.3 is late in development, so it'll probably be rolled into that.

Well I know they are actively working on it. I got an email from engineers about it.

[manu chao]

Quote:

Originally Posted by KnightWRX

Yes, even your wikipedia entry is clear :



If I send you a iMessage with File:/// as the contents, your iMessage application will crash. It's thus unavaible to you.

This is a bug that can result in a DoS exploit if you want to be a nitpicker. Any crash bug is, since the exploit is simply triggering the crash condition, repeatedly if necessary.

The conventional meaning of DOS is that a resource hosted in some central location is made inaccessible for its normal users. If you consider everything that stops something from working to be a DOS any kind of sabotage would be a DOS. If I cut your electricity supply, or if I torch your house, it would be a DOS attack with your definition.

If I break the leg of your maid, I also deny you access to a service. Is this also a DOS attack?

[knapkin]

Quote:

Originally Posted by KnightWRX

It's probably a condition no programmer ever thought could happen.

IE, a protocol (file) that exists, but using a different case. Has anyone tried to replicate this with fIle:/// fiLe:/// or filE:/// ? This is probably related to some part of the framework doing case insentitive searches passing unmodified strings to a part of the framework doing case sensitive operations. Results in the "Found the protocol! try to do stuff... Can't do that on an unexisting protocol!".

The programmer probably thought : "protocol either is registered or not, anything else is an exception" with a nice "/* We should never get here */"

That was a very good insight! Those crashed my safari (somehow the quote function has not). I would guess you have guessed the bug (or did I miss the story that explains the problem).

[Tech198]

ok ok......I keep typing this is mail, which is annoying when i've just written a long message.. One solution is to surround it by ' '

FYI.. you know if you do this in Firefox, you see your own directory in your web browser ftp style

Tip :- You can disable this by going to System Preferences >> Language and Text , disabling both "Use symbol and text substitution" and "Correct spelling automatically" in the Text tab will prevent the bug from occurring (at a cost from not being able to spell correctly ....)

Doesn't work in all cases.

[KnightWRX]

Quote:

Originally Posted by knapkin

That was a very good insight! Those crashed my safari (somehow the quote function has not). I would guess you have guessed the bug (or did I miss the story that explains the problem).

No, I've been programming for quite a few years

[Tech198]

Whatever you do, do NOT do this as a Logon Message ;p. i just tryed this to 'see', and it constantly cycled the logon screen. . Yep. It worked, but now i'm locked out.


I have to restore.

Good idea though for revenge, or a present to somene on a new mac

[coolspot18]

Quote:

Originally Posted by Tech198

Whatever you do, do NOT do this as a Logon Message ;p. i just tryed this to 'see', and it constantly cycled the logon screen. . Yep. It worked, but now i'm locked out.

Great idea... let's try it at the Apple Store, perhaps that will get more attention for the bug and promote better code quality in OSX.