Vulnerability Development mailing list archives

Local DOS in MacOS X


From: Gustaf Josefsson <gustaf () krul cjb net>
Date: Wed, 4 Dec 2002 02:16:16 +0100

Hello.
About 6 months ago I found a security hole in all versions of MacOS X, making it vulnerable to a local DoS attack. I've experimented a bit and found nothing fun to do with it except bringing the computer down. Now I just feel I've sat on this shit too long, so here goes:

There is something wrong in the way that the system handles arguments to MacOS applications from the command line. The same thing happens with all applications that come with the default installation and all others that I've tried.
If I do:

[Gaz:~] gustaf% Applications/TextEdit.app/Contents/MacOS/TextEdit `perl -e"print 'a' x 100000"`
Word too long.

The terminal hangs. This is csh crashing and doesn't do anything to the rest of the system.
If I start bash and do the same thing I get:

bash: /Applications/TextEdit.app/Contents/MacOS/TextEdit: Argument list too long

Now. If I do the same thing with 50000 a's instead, the program TextEdit will start up (or I will get a no-windowserver error if done through ssh). If I narrow it down by guessing I will find a single number where, instead of starting TextEdit or saying "too long", the terminal will hang. So will the rest of the system. Stone dead. Nothing in the logs. No telling why. This "magic" number of bytes that crashes the system is found somewhere between 50000 and 70000 depending on which program you use to exploit and just plain coincidence.

I've tested on OS X 10.0.4, 10.1.5 and 10.2.2 on 4 different computers. I've done it through Terminal, >console and via ssh. Same result every time.

That's it folks. Sorry for not submitting a better bug report.

Gustaf Josefsson
Independent OS X geek

