VYPR
Unrated severity · NVD Advisory · Published Aug 16, 2015 · Updated May 6, 2026

CVE-2015-3783

Description

SceneKit in Apple OS X before 10.10.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Heap overflow in SceneKit's DAE parser allows arbitrary code execution via crafted .dae file.

Vulnerability

SceneKit in Apple OS X before 10.10.5 contains a heap buffer overflow in the daeElement::setElementName() function. The function allocates a fixed 128-byte buffer for element names but uses strcpy without bounds checking, allowing an attacker to overflow the heap by supplying a DAE (Collada) file with an element name longer than 128 characters. This affects OS X Yosemite v10.10 to v10.10.4 and OS X Mavericks v10.9.5 (as per the advisory). [1][2]
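The copy pattern described above, next to a bounds-checked form, as an added example that is not Apple's code or code from this advisory. The struct, the function names and the inline array (standing in for the heap allocation) are assumptions made to keep it self-contained.

```c
#include <stdio.h>
#include <string.h>

#define NAME_CAP 128  /* fixed buffer size given in the text above */

/* Hypothetical stand-in for the element object (not SceneKit's layout). */
struct element {
    char name[NAME_CAP];
    int  guard;               /* data that sits next to the buffer */
};

/* Unchecked pattern, kept for contrast and never called here: a name of
 * NAME_CAP bytes or more makes strcpy write past name[]. */
void set_name_unchecked(struct element *e, const char *nm)
{
    strcpy(e->name, nm);
}

/* Checked form: measure at most NAME_CAP bytes, reject anything that
 * leaves no room for the NUL, and keep the old name on rejection.
 * Returns 0 on success, -1 on rejection. */
int set_name_checked(struct element *e, const char *nm)
{
    size_t len = 0;

    if (e == NULL || nm == NULL)
        return -1;
    while (len < NAME_CAP && nm[len] != '\0')
        len++;
    if (len >= NAME_CAP)
        return -1;
    memcpy(e->name, nm, len + 1);   /* + 1 copies the terminator */
    return 0;
}

int main(void)
{
    struct element e = { "", 0x5a5a };
    char big[200];                  /* constructed oversized name */

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("short name: %d\n", set_name_checked(&e, "node"));
    printf("199-byte name: %d, kept \"%s\"\n", set_name_checked(&e, big), e.name);
    return e.guard == 0x5a5a ? 0 : 1;
}
```

A name of exactly 128 characters is rejected as well, because the terminating NUL would land one byte past the buffer.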

Exploitation

An attacker can trigger the overflow by crafting a DAE file with an oversized element name and delivering it to a target, e.g., via a web page or email attachment. The vulnerability is reachable through Quick Look (qlmanage) when previewing the file. No authentication is required; user interaction is limited to opening or previewing the malicious file. The exploit-db entry provides a proof-of-concept using qlmanage with libgmalloc to demonstrate the crash. [2]

Impact

Successful exploitation corrupts memory, which can crash the application (denial of service) or be leveraged for arbitrary code execution in the context of the SceneKit process, with the privileges of the user running the application. [1][2]

Mitigation

Apple addressed this vulnerability in OS X Yosemite v10.10.5 and Security Update 2015-006, released on August 13, 2015. Users should update to the latest version. No workarounds are documented. [1]

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

References

5