Date: Fri, 19 Dec 2003 00:17:33 -0500
From: KF <dotslash@...soft.com>
To: bugtraq@...urityfocus.com
Subject: Re: Buffer overflow/privilege escalation in MacOS X - hfs.util also


The funny thing is that I have reported this to Apple more than once if 
I remember correctly... first in 10.1 and recently in 10.3. I have yet 
to hear back on the issue. As a side note, Apple has a no talky / no 
verify policy until the bug is fixed... they just keep you pretty much 
100% in the dark. Dave G finally talked some sense into me and I stopped 
trying to exploit the hole. I have spent many hours banging my head 
trying to figure out why things will not work out. I had been holding 
out for a response from Apple, but since this is now public info I'll 
probably jot down some public notes on what a pain it is. If anyone is 
interested, the code causing this issue is located below.

*In earlier versions of OSX there is also hfs.util and it contains the 
same issue. hfs.util is no longer setuid in OSX 10.3*

http://web.mit.edu/afs/sipb.mit.edu/project/darwin/src/modules/isoutil/cd9660.util_main.m

...
char myRawDeviceName[256];
char myDeviceName[256];
...
/* Build our device name (full path), should end up with something like: */
/* /dev/disk1s2 */
strcpy( &myDeviceName[0], DEVICE_PREFIX );
strcat( &myDeviceName[0], argv[2] );
strcpy( &myRawDeviceName[0], RAW_DEVICE_PREFIX );
strcat( &myRawDeviceName[0], argv[2] );
...
/* call the appropriate routine to handle the given action argument after becoming root */
myActionPtr = &argv[1][1];
myError = seteuid( 0 );
switch( *myActionPtr ) {
...
exit (myError);

------------------- and the vulnerability in hfs.util that was not 
reported --------------------

http://www.mit.edu/afs/sipb/project/darwin/src/modules/hfs/hfs_util/hfsutil_main.c
...
char rawDeviceName[MAXPATHLEN];
char blockDeviceName[MAXPATHLEN];
/* -- Build our device name (full path), should end up with something like: -- "/dev/disk0s2" */
sprintf(rawDeviceName, "/dev/r%s", argv[2]);
sprintf(blockDeviceName, "/dev/%s", argv[2]);
...
exit(result);
-KF
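A bounded replacement for the strcpy/strcat sequence quoted above, added here as an illustration and not code from the post or from Apple's utilities. It assumes the DEVICE_PREFIX and RAW_DEVICE_PREFIX values shown in the comments ("/dev/" and "/dev/r"); the check rejects arguments that would not fit the 256-byte buffers and anything that is not a bare device node name, so a setuid caller never writes past the buffer or builds a path outside /dev.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed values: in cd9660.util these are macros whose definitions are not quoted. */
#define DEVICE_PREFIX     "/dev/"
#define RAW_DEVICE_PREFIX "/dev/r"

/* Returns 1 if `name` looks like a bare device node name such as "disk1s2":
 * non-empty and alphanumeric only, so no '/' or ".." can reach the path. */
static int valid_device_name(const char *name)
{
    size_t i;
    if (name == NULL || name[0] == '\0')
        return 0;
    for (i = 0; name[i] != '\0'; i++) {
        if (!isalnum((unsigned char)name[i]))
            return 0;
    }
    return 1;
}

/* Hardened form of the two strcpy/strcat pairs: both paths are built with
 * bounded writes, and the function returns -1 instead of overflowing when
 * the argument would not fit. On success (0) both buffers are NUL-terminated
 * and hold e.g. "/dev/disk1s2" and "/dev/rdisk1s2". */
int build_device_names(const char *arg,
                       char *dev, size_t devlen,
                       char *raw, size_t rawlen)
{
    int n;
    if (!valid_device_name(arg))
        return -1;
    n = snprintf(dev, devlen, "%s%s", DEVICE_PREFIX, arg);
    if (n < 0 || (size_t)n >= devlen)
        return -1;          /* output would have been truncated: reject */
    n = snprintf(raw, rawlen, "%s%s", RAW_DEVICE_PREFIX, arg);
    if (n < 0 || (size_t)n >= rawlen)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    char dev[256], raw[256];  /* same sizes as the vulnerable utility */
    if (argc < 2 || build_device_names(argv[1], dev, sizeof dev, raw, sizeof raw) != 0) {
        fprintf(stderr, "bad device name\n");
        return 1;
    }
    printf("%s\n%s\n", dev, raw);
    return 0;
}
```

Note that the privileged switch (seteuid(0) in the original) should only run after this check succeeds, so an oversize or malformed argument is refused before any root-level work.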