Date: Fri, 19 Dec 2003 00:17:33 -0500
From: KF <dotslash@...soft.com>
To: bugtraq@...urityfocus.com
Subject: Re: Buffer overflow/privilege escalation in MacOS X - hfs.util also

The funny thing is that I have reported this to Apple more than once if I remember correctly... first in 10.1 and recently in 10.3, I have yet to hear back on the issue. As a side note Apple has a no talky / no verify policy until the bug is fixed... they just keep you pretty much 100% in the dark.

Dave G finally talked some sense into me and I stopped trying to exploit the hole. I have spent many hours banging my head trying to figure out why things will not work out. I had been holding out for a response from Apple but since this is now public info I'll probably jot down some public notes on what a pain it is.

If anyone is interested, the code causing this issue is located below.

*In earlier versions of OSX there is also hfs.util and it contains the same issue. hfs.util is no longer setuid in OSX 10.3*

http://web.mit.edu/afs/sipb.mit.edu/project/darwin/src/modules/isoutil/cd9660.util_main.m

    ...
    char myRawDeviceName[256];
    char myDeviceName[256];
    ...
    /* Build our device name (full path), should end up with something like: */
    /* /dev/disk1s2 */
    strcpy( &myDeviceName[0], DEVICE_PREFIX );
    strcat( &myDeviceName[0], argv[2] );
    strcpy( &myRawDeviceName[0], RAW_DEVICE_PREFIX );
    strcat( &myRawDeviceName[0], argv[2] );
    ...
    /* call the appropriate routine to handle the given action argument after becoming root */
    myActionPtr = &argv[1][1];
    myError = seteuid( 0 );
    switch( *myActionPtr ) {
    ...
    exit (myError);

------------------- and the vulnerability in hfs.util that was not reported --------------------

http://www.mit.edu/afs/sipb/project/darwin/src/modules/hfs/hfs_util/hfsutil_main.c

    ...
    char rawDeviceName[MAXPATHLEN];
    char blockDeviceName[MAXPATHLEN];

    /* -- Build our device name (full path), should end up with something like:
       -- "/dev/disk0s2" */
    sprintf(rawDeviceName, "/dev/r%s", argv[2]);
    sprintf(blockDeviceName, "/dev/%s", argv[2]);
    ...
    exit(result);

-KF
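A bounded way to build the two device paths that the quoted strcpy/strcat and sprintf calls fill from argv[2], as an added example that is not part of the original message or of Apple's source. The prefix values, the 32-character alphanumeric name rule and the helper names are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed values: the post shows the macro names DEVICE_PREFIX and
   RAW_DEVICE_PREFIX but not their definitions. */
#define EX_DEVICE_PREFIX     "/dev/"
#define EX_RAW_DEVICE_PREFIX "/dev/r"

/* Hypothetical rule: a device name is 1..32 alphanumeric characters
   (e.g. "disk1s2"), so '/' and ".." can never reach the path. */
static int valid_device_name(const char *name)
{
    size_t i;
    if (name == NULL)
        return 0;
    for (i = 0; name[i] != '\0'; i++) {
        if (i >= 32 || !isalnum((unsigned char)name[i]))
            return 0;
    }
    return i > 0;
}

/* Hypothetical helper: writes prefix+name into out, or returns -1 and
   leaves out empty if the name is invalid or the result would not fit. */
static int build_device_path(char *out, size_t outlen,
                             const char *prefix, const char *name)
{
    int n;
    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (!valid_device_name(name))
        return -1;
    n = snprintf(out, outlen, "%s%s", prefix, name);
    if (n < 0 || (size_t)n >= outlen) {   /* truncation is an error */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    char dev[256], raw[256];
    /* Validate and build both paths before any privilege change. */
    if (argc < 3 ||
        build_device_path(dev, sizeof dev, EX_DEVICE_PREFIX, argv[2]) != 0 ||
        build_device_path(raw, sizeof raw, EX_RAW_DEVICE_PREFIX, argv[2]) != 0) {
        fprintf(stderr, "invalid device name\n");
        return 1;
    }
    printf("%s %s\n", dev, raw);
    return 0;
}
```

Rejecting on truncation, rather than silently using a shortened path, matters in a setuid tool because a cut-off name could refer to a different device than the caller named.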