This is a multi-part message in MIME format.
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Type: text/plain; x-mac-type="54455854"; x-mac-creator="74657874";
DMA[2007-0104a] - 'iLife iPhoto Photocasing Format String Vulnerability'
Author: Kevin Finisterre
Product: 'iLife 06 (?)'
Rebuilt for blazing performance, iPhoto makes sharing photos faster, simpler, and cooler than
ever before. It adds eye-opening features to the ones you already love, including Photocasting,
support for up to 250,000 photos, easy publishing to the web, special effects, and new custom
cards and calendars. In essence iPhoto lets you spread smiles far and wide.
As easily as you can create a new photo album you can share it with friends and family thousands
of miles away. A new feature in iPhoto 6, Photocasting allows .Mac members to share albums with
anyone, anywhere. Say you have new photos of little Johny Pwnerseed. Place the photos you'd like
to share in an album called "Johny Pwnerseed's Latest Pics.", then click "Photocast this Album".
iPhoto publishes the album, and others can subscribe to it by clicking a link in an email you
But here's where the real fun begins. If you create a malformed XML file you can simulate the
photocasting functionality in iPhoto 6 and use it to trigger a format string vulnerability. Once
Aunt Sophia subscribes, the fake photos feed is automatically download into a "Johny Pwnerseed's
Latest Pics" album that instantly triggers a format string write via %n.
We're talking beautiful, full-res pwnage. Aunt Sophia is pretty much screwed if you are able to
properly format your payload.