Mac OS X Buffer Overflow Found
MacDork writes "Well, if default settings in Mac OS X made Lance Ulanoff excited, this is really going to make him do the monkey boy dance... SecurityFocus's Bugtraq mailing list just posted a buffer overflow, in the utility for mounting and probing ISO 9660 file systems. No exploits were mentioned. No word on whether 'Max' alerted Apple or anyone outside of the Bugtraq mailing list though." Also, 'Max' made entirely unfounded, sweeping statements about the general quality of Mac OS X from this one little item, but oh well. When you're on top, you make a tempting target.
From looking at the posting, I don't see any demonstration (or even any indication) that this is exploitable. What I see is that, if you put a goobered up CDROM in the drive (or use perl to simulate same)...
Yes, it might be possible to craft some clever exploit in the usual way, but that is by no means easy and is often impossible (depending mostly on what gets allocated around the buffer).
And if it is exploitable? Will we see a rash of strangers in London Fog coats trying to slip CDs into unsuspecting Macs? We already prevent that, since anyone who could do that could do anything they wanted anyway, up to and including installing an old copy of BeOS over OSX anyway.
-- MarkusQ
When you're on top, you make a tempting target.
I see, so you buy into the argument that MS is only targeted because it's so popular?
I'm always amazed at how fast Mac users will resort to MS-style tactics and excuses.
"Max" was definitely harsh, but he's not entirely out of line. cd9660.util *is* a SUID binary, and one would expect educated developers to take that into account and carefully validate any and all input. It's just what you *do* in a SUID program.
This type of attack is nothing new, and this vulnerability may be an indication that security isn't being taken seriously.
So... Darwin users/developers. Does this problem affect the open source Darwin? Just how many SUID binaries do you find on Darwin?
No exploits were mentioned.
...and no one bother....
Huh? How do you figure this? All he said was that parts of MacOSX that didn't come from BSD were not very well written. Whoopdeedoo - any operating system of that size will be likely to have some not so great code in it. It's beyond me how you managed to interpret Max's comment as an 'unfounded, sweeping statement' about the quality of MacOSX, given that 'parts' is a rather indeterminate quantity.
Blind, stupid fanaticism doesn't do anything to help Apple -- it just means that people ignore Mac fans.
MacDork writes "Well, if default settings in Mac OS X made Lance Ulanoff excited, this is really going to make him do the monkey boy dance... SecurityFocus's Bugtraq mailing list just posted a buffer overflow, in the utility for mounting and probing ISO 9660 file systems. No exploits were mentioned. No word on whether 'Max' alerted Apple or anyone outside of the Bugtraq mailing list though." Also, 'Max' made entirely unfounded, sweeping statements about the general quality of Mac OS X from this one little item, but oh well.
I've seen *tons* of vulnerability releases about companies that contain harsh criticism of their security policies. This is not unusual. At the least, Apple screwed up on an important utility. They can take their lumps, same as everyone else does when they screw up.
When you're on top, you make a tempting target.
Apple isn't "on top" of much of anything that I can think of. Small/midrange servers? That's Linux-dominated. Workstations? That's Windows-dominated. I suppose they have more users than the other BSD variants, for what that's worth.
Frankly, "Max" may be biased. I suspect that he's mostly right -- that the hammered-on and designed-by-folks-with-security-experience BSD code is more reliable than the new stuff Apple churned out. I do know that "MacDork" definitely *is* biased.
I wish editors would reject stories that are just blatantly biased, or at least reserve the right to re-summarize story submissions.
May we never see th
Take this one for example, which many considered to be a "big security issue". Basically it only was a problem:
- On laptops.
- When someone had sudo running in Terminal.
- When the computer was put to sleep.
- For 10-20 SECONDS after the computer was woken up, but before the clock was updated, someone with physical access to the computer could execute code.
What a massive, gaping, goatse proportioned hole. Who knew it was a bad idea to leave your computer running sudo just laying around in Starbucks while you went to the can? And Apple still had a patch out in a week or two. And in 10.3, passwords can be required to wake the computer, further negating this and any similar problems. Now compare that to the 50 critical security fixes needed immediately for an install of a year old Windows XP disk. And the fact that there are about a hundred different ways to execute code in Windows, either legitimate or malicious, all across the system, even in the damn web browser.
Basically what I'm getting at here is that this is newsworth simply for the fact that it really isn't. I'd be willing to bet 0 people will have any problem with this before it is patched.
And on a personal note, "Max" sounds pretty fucking stupid and ignorant. "It appears that parts of MacOSX that didn't come from BSD are not very well written and have significant security issues." Oh boy! I found a buffer overflow that will affect no one and that I probably didn't even bother to inform Apple about beforehand! I'm a L337 haX0r bitches! Now if he just would have thrown in something about how Apple is beleaguered and BSD is dying, we could just chalk up "Max" as a lucky troll.
Request: ECM unit, 1000 km fullerene cable, 1 tactical nuclear weapon. Reason: Birthday party for foreign dignitary.
Pudge, you have to realize that Apple has no experience when it comes to the world of Unix security. MacOS (=9) hasn't traditionally been the target of as much scrutiny, and it doesn't have things like SUID binaries that will turn a simple bug into a security problem. Apple needs to play catchup for a while.
-molo
Using your sig line to advertise for friends is lame.
Look at you. Trying to reason with Pudge. Blaming him for reporting on Apple's inexcusable failure.
Dude, they have fucking Jordan Hubbard, the father of FreeBSD, working there. There is not one tiny iota of a bit of an excuse for this. Not one. It's pathetic you defend them.
Apple needs to play catchup? What are you talking about. They've always had to. They've always had a decreasing market share. Part of this has to do with this brilliant/stupid person Steve Jobs/Jobs Steve is. He is intelligent but woefully incomplete at the same time, saying both intelligent and utterly stupid and outrageous things at the same time.
Put it to you this way: You pay for Steve Jobs' jet in ridiculous hardware premiums for inferior hardware. While Jordan Hubbard, the brains of the operation, gets peanuts. I'm sure Jordan's asked 1000 times for more real resources and less arts students designing stupid fake switch commercials and deformed speakers and brushed metal cases Lian Li and others had for PCs millennia ago.
So OS X can't be wrong? Not even with Darwin as a staging ground? Not even with the father of FreeBSD on board? Let's face it, the error was out of hand. No excuses.
Unfortunately, when OSX becomes popular enough, it will become a huge security target. But it won't be security exploits that pose a problem, it will be the same problems that plague Windows today:
Just like in the Windows world, it's social engineering that causes installation and execution of quasi-legal applications like Comet Cursor and Bonsai Buddy, as well as downright unethical and illegal programs (viruses and worms) that get installed when a user is told "click on the .exe to see boobies." No type of security can possibly stop that type of human behavior (being an IT I'm convinced that education, warnings, and even threats can't stop it).
_______
2B1ASK1
Reaction to bug/vulnerability/error reports: Windows User: Ahhh crap, another bug/vulnerability/error, how long shall I have to wait till that gets patched? Linux User: Ahhh crap, another bug/vulnerability/error, better get the patch. Mac OS User: What bug/vulnerability/error? There have never been any bugs/vulnerabilities/errors in Mac OS. Mac OS bugs/vulnerabilities/errors are just Windows propaganda. The bugs/vulnerabilities/errors are throwing themselves against the city walls. We are killing them!
Warning! This post may contain a pun!
It's kindergarten defensive coding: anyone with even less than half a brain does not use strcat without first being DAMN sure the destination's got enough room.
This is a beginner's mistake, aka Microsoft Mistake.
I have MacOS 10.3.1 and tried cut-and-pasting his command line and got the Segmentation fault, but no root prompt. Perhaps Max is using an older version of the OS?
Ouch! The truth hurts!
I have Mac OS X 10.2.8 (Jaguar) and I wasn't able to reproduce the behaviour described in Max's security post. It *does* throw a segmentation fault, but nothing happens afterwards. Neither it writes a core dump file, nor does it give any root privileges. Did someone with an older system try that? I can't find any confirmations that the issue exists. Thanks.
"When you're on top, you make a tempting target." I beleve it was ment as a sarcastic pun. After the recent plaming from other articles sayin that mac os x would have more holes found in it 'if' it were on top. This is s prity hard to exploit bug though. "Persuming" that u can execute malitious code think of the steps you would have to go through to get to actuallly execute the buged program? If by the time you can execute command line argument's then the OS is in trouble cause ne thing can be done. It doesnt seem likely that a hacker would gain acces to your computer just to run a buggy program that "may" or "may not" give them more access to your computer. It seems to me that all the mac bug's are hard to exploit as apposed to something like blaster and it's variants. Written on Windows XP BTW. Patched and fealing safe. Hardware router u know people :)
While some people waste their time ranting about Max's comment on the quality of some non-BSD parts of OS X, about whether this is a serious exploit (hint: it is) or whether it is newsworthy (it is, too), does anybody have a fix to propose besides removing the setuid bit (which, according to my quick and totally inconclusive test, serves no purpose)?
Maybe we deserve this world ?
Even OpenBSD has local root exploits, and they have been fixing them for years. A local exploit could be used to load a root program that listens on the network, so you fix it.
I've seen lots of security advisories make fun of or insult the product and company in question. Big deal, a programmer skilled enough to find a buffer overflow makes fun of Steve Jobs' product. Mr. Jobs can afford a gold thread hanky to wipe his tears, but more likely it just rolls off their backs; people have been making fun of Apple for decades.
In general, it is hard to program an OS, and once it is out there, easier to poke holes in it. That is why security is difficult. Fix the problem, review your code for similar problems, fix those, move on.
Why didn't this make the front page? It would have if it were a MS exploit. This is most likely a viable exploit, although you need a user account or physical access to the computer.
The error lies in the cd9660.util_main.m file from the isoutil package, specifically, right in the start of the main function:
    /* Build our device name (full path), should end up with something like: */
    /* /dev/disk1s2 */
    if ( (myError = DoVerifyArgs( argc, argv, &mnt_flag )) != 0 )
        goto AllDone;
    /* no length check on argv[2] here: a long device name overruns myDeviceName */
    strcpy( &myDeviceName[0], DEVICE_PREFIX );
    strcat( &myDeviceName[0], argv[2] );
The strcat function fails with the huge devicename. DoVerifyArgs should check the length of argv[2] to be under 255 characters, but it only checks if it is longer than 2 characters:
    /* Make sure device (argv[2]) is something reasonable */
    myDeviceLength = strlen( argv[2] );
    if ( myDeviceLength < 2 )
    {
        goto ExitThisRoutine;
    }
I'll make a quick fix and test it.
Maybe we deserve this world ?
Get the fix with source code here, just double-click the install.sh script, it will make, copy and setuid the file at the correct location. Somebody please test and review this !
Maybe we deserve this world ?
Right on. This is a classic overflow, and there is nothing magic about OS X that will make it hard to exploit.
While I agree as OSX becomes more popular it becomes a bigger target, the enter password dialog that accompanies each installation makes people think a little before installing things.
It doesn't solve it completely but helps.
Apple will just post a fix for it in Jan. if they've been already told about it. They have new OS update coming this week so it could include a fix for this issue as well if it's an easy fix.
The change is in the DoVerifyArgs function, from:
    myDeviceLength = strlen( argv[2] );
    if ( myDeviceLength < 2 )
    {
        goto ExitThisRoutine;
    }
to:
    // Added check for lengths of myDeviceName over 255 chars; 16/12/2003 Namu
    myDeviceLength = strlen( argv[2] );
    if (( myDeviceLength < 2 ) || (myDeviceLength > 255))
    {
        goto ExitThisRoutine;
    }
The tar.gz archive is just the same as the one from OpenDarwin, except for the fix in the code and the install.sh shell script that makes the utility, installs it under sudo, setuid's it and then cleans.
Maybe we deserve this world ?
I had heard some suggestions that G5s didn't allow NOPs to overwrite their null bytes with random data. It seemed that the Motorola behavior for this was a bug to begin with, since those flags are reserved for future meaning, and as such the instruction is different if they are set.
:)
Does anyone know if these eggs fly on a G5? Here is a perfect chance to test!
Slashdot. It's Not For Common Sense
Seriously, I'm not sure how causing a segv in cdrom driver creates a security hole.
Care to elaborate?
Clear, Dark Skies
"Flamebait?" It's the honest truth, and I speak from the experience of a Mac user. Mac users are still accustomed to software that requires an installer instead of simply rejecting anything that doesn't come as a single bundle that you drop into the Applications folder. Every installer I've ever seen pretty much requires you to give it admin privileges to run.
So, spyware for the Mac is inevitable if it ever gets enough marketshare for everyone to care. It's inevitable even if we just have to wait for some marketer to think we're a worthwhile niche market.
He's right. The ultimate hacks are always social hacks. Getting idiots to install malware on their own systems is much, much easier than writing exploit code.
Hey,
I do not have a G5, nor do I know anyone with a G5. So I cannot test this, but I've heard some of my security-friends (like the super friends, only ugly, fat, and obnoxious instead of ugly, healthy and obnoxious) that the G5's don't allow the NOP's with non-0 flags.
This is probably the proper behavior. I'm convinced that Motorola's acceptance of these facts was a bug, not a feature.
Could you test it and find out? I'm really curious.
Slashdot. It's Not For Common Sense
Could you please explain a bit what "NUL-less" code is and how one gets it executed and how one computes offset for the return stack?
This is sort of breathtaking that it could be fixed that fast.
It seems that the cd9660.util allows you to mount your CD to any location. This means that an attacker could insert a malicious CD into the drive, umount /Volumes/CD and remount the CD e.g. at /var/cron/tabs, allowing the attacker to "change" system critical files or fake any directory in the filesystem. This will result in system compromise.
This cd9660.util does look a bit suspicious, and I recommend that on computers where local compromise is an issue, you could think of removing the set-uid bit until a fix is issued by Apple. This probably will cause some errors when inserting CDs. I'm investigating this further...
PS. As the cd9660.util calls mount_cd9660 it isn't possible to mount files, so unless there is physical local access to the machine, it shouldn't be very easy to exploit.
I demand the Cone of Silence!
argv[2] gets strcat-ted with DEVICE_PREFIX:
    DEVICE_PREFIX = "/dev/"
    strcpy( &myDeviceName[0], DEVICE_PREFIX );
    strcat( &myDeviceName[0], argv[2] );
and myDeviceName is declared as a 0..255 array.
So the right check should be:
    myDeviceLength > 250
Even worse, there's the following code after the strcpy-strcat couple:
    strcpy( &myRawDeviceName[0], RAW_DEVICE_PREFIX );
    strcat( &myRawDeviceName[0], argv[2] );
and
    RAW_DEVICE_PREFIX = "/dev/r"
myDeviceLength should not be more than 249 characters long.
So the right code should be:
    myDeviceLength = strlen( argv[2] );
    if (( myDeviceLength < 2 ) || (myDeviceLength > 249))
    {
        goto ExitThisRoutine;
    }
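The three comments above (the unchecked strcpy/strcat pair, the first 255-byte fix, and the corrected 249 bound) can be pulled together in one self-contained program. This is an added example, not code from the thread or from Apple's isoutil package; the 256-byte buffer and the "/dev/" and "/dev/r" prefixes are taken from the comments, while the function names and the snprintf-based construction are my own. It derives the limit from the buffer size and the longer prefix rather than hard-coding 249, and uses snprintf's return value as a second check that reports truncation instead of overflowing.

```c
#include <stdio.h>
#include <string.h>

/* Assumptions taken from the thread: a 256-byte name buffer and the two
 * prefixes "/dev/" and "/dev/r".  Function and variable names are mine. */
#define DEVICE_PREFIX     "/dev/"
#define RAW_DEVICE_PREFIX "/dev/r"
#define DEVICE_NAME_BYTES 256

/* Longest argv[2] that still fits after the LONGER prefix plus the NUL:
 * 256 - sizeof("/dev/r") = 256 - 7 = 249.  Deriving it from the constants
 * keeps the check right if a prefix or the buffer size ever changes. */
#define MAX_DEVICE_ARG_LEN (DEVICE_NAME_BYTES - sizeof(RAW_DEVICE_PREFIX))

/* Bytes an unchecked strcpy/strcat pair would write for an argument of
 * arglen bytes: prefix + argument + terminator. */
size_t bytes_needed_for_length(const char *prefix, size_t arglen)
{
    return strlen(prefix) + arglen + 1;
}

/* Builds both names from the caller-supplied device argument.
 * Returns 0 on success; -1 if the argument is missing, too short or too
 * long.  Two layers: the explicit length check the thread proposes, and
 * snprintf's return value, which reports truncation instead of overflowing. */
int build_device_names(const char *arg,
                       char dev[DEVICE_NAME_BYTES],
                       char raw[DEVICE_NAME_BYTES])
{
    size_t len;
    int n;

    if (arg == NULL)
        return -1;
    len = strlen(arg);
    if (len < 2 || len > MAX_DEVICE_ARG_LEN)
        return -1;

    n = snprintf(dev, DEVICE_NAME_BYTES, "%s%s", DEVICE_PREFIX, arg);
    if (n < 0 || (size_t)n >= DEVICE_NAME_BYTES)
        return -1;
    n = snprintf(raw, DEVICE_NAME_BYTES, "%s%s", RAW_DEVICE_PREFIX, arg);
    if (n < 0 || (size_t)n >= DEVICE_NAME_BYTES)
        return -1;
    return 0;
}

/* Check helper: does a constructed argument of n 'A' characters pass
 * build_device_names?  Returns 1 for accepted, 0 for rejected. */
int accepts_arg_of_length(size_t n)
{
    char arg[512];
    char dev[DEVICE_NAME_BYTES], raw[DEVICE_NAME_BYTES];

    if (n >= sizeof arg)
        return 0;
    memset(arg, 'A', n);
    arg[n] = '\0';
    return build_device_names(arg, dev, raw) == 0;
}

int main(void)
{
    size_t lengths[] = { 1, 2, 249, 250, 255 };
    size_t i;
    char dev[DEVICE_NAME_BYTES], raw[DEVICE_NAME_BYTES];

    /* The original check only rejected lengths below 2; a 255-byte name
     * needs 261 bytes with "/dev/", well past the 256-byte buffer. */
    printf("bytes needed for a 255-byte argument: %zu (buffer is %d)\n",
           bytes_needed_for_length(DEVICE_PREFIX, 255), DEVICE_NAME_BYTES);

    for (i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("argument length %3zu: %s\n", lengths[i],
               accepts_arg_of_length(lengths[i]) ? "accepted" : "rejected");

    if (build_device_names("disk1s2", dev, raw) == 0)
        printf("%s and %s\n", dev, raw);
    return 0;
}
```

The point of the arithmetic helper is that the first proposed bound (255) is still one prefix short: a 255-byte argument needs 261 bytes with "/dev/" and 262 with "/dev/r", so only a bound computed from the longest prefix is safe.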
Do you see a patch for that root-granting DHCP issue? Neither do I.
2+ months after notification isn't very timely.
That's all we need here, is an increase in Ask Slashdots. "Dear Slashdot, I need to plug in Christmas lights but the plug won't reach and I don't want to use a wireless device nor would I like to use an extension cord. Help me please."
I found ANOTHER security flaw in OS X. It turns out that if I leave my password laying around, someone might actually pick it up and log on under my user name when I'm not around! The security folks at Apple are not doing their job.
Shake was on your list of programs, but is available on Linux. It just isn't free: Just a minor correction.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
A buffer overflow is a bug. While all exploitable defects allowing unauthorized privilege escalation are bugs, not all bugs are defects which can be exploited to effect unauthorized privilege escalation.
-I like my women like I like my tea: green-
...because there is no need for a patch. Just open Directory Access and uncheck a box. If you insist on running a patch you might be able to make the process into an AppleScript.
Happy ?
Maybe we deserve this world ?
Boobies!
Gotta love 'em!
I like MacOS X, it's a great system. But how does somewhere about last in the small server market, 3rd in the desktop, and nonexistent in the embedded or high end server or mainframe put it on top?
About 15 years ago, I ran into a problem with strcat stomping all over my variables, and I thought, 'hunh, why didn't I use strncat instead?' And so I used strncat, and have every single time for every program I've ever written since then. And, aside from one time when I accidentally made the array size 2 instead of size 20, I haven't had that particular problem again.
I can imagine if someone were doing a major profiling job, and strcat were 10x faster than strncat and were inside the inner loop of the bottleneck, he might want to use strcat. But in that case, it implies enough attention to the actual code that he'd presumably know how to check for overflows beforehand.
But aside from that, why in the world would anyone with half a brain use strcat when strncat is available? Really... I'm asking. Is there actually some reason?
-fred
Sign #11 of Slashdot overdose: You see the phrase 'moderate Republican' and you wonder if that would be a +1 or a -1.
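The strcat-versus-strncat question above has a catch worth seeing in code: strncat's third argument bounds the bytes appended, not the total, so the common call strncat(dst, src, sizeof dst) can still overflow once dst already holds something. This added example (not from the thread or from any Apple source; the function names, the 16-byte buffer and the inputs are my own constructions) shows the overrun arithmetic for that misuse, a correctly bounded strncat, and the same job done with snprintf, whose return value doubles as the truncation check.

```c
#include <stdio.h>
#include <string.h>

#define PREFIX    "/dev/"
#define SMALL_BUF 16   /* deliberately tiny so truncation is easy to see */

/* How many bytes the common mistake strncat(dst, src, sizeof dst) writes
 * PAST the end of a dstsize-byte buffer that already holds `used` bytes.
 * strncat's limit caps what is appended, not the total, and it always adds
 * a terminator.  Returns 0 when the call would in fact fit. */
size_t naive_strncat_overrun(size_t dstsize, size_t used, size_t srclen)
{
    size_t appended = srclen < dstsize ? srclen : dstsize;
    size_t total = used + appended + 1;
    return total > dstsize ? total - dstsize : 0;
}

/* Correct strncat: bound by the room left after the existing contents,
 * minus one for the terminator.  Returns 0 if all of src fit, -1 if the
 * result was truncated (dst is still NUL-terminated either way). */
int append_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t used = strlen(dst);
    size_t room;

    if (used >= dstsize)
        return -1;
    room = dstsize - used - 1;
    strncat(dst, src, room);
    return strlen(src) > room ? -1 : 0;
}

/* Builds prefix + arg into dst with append_bounded: 0 on fit, -1 on truncation. */
int build_with_strncat(char *dst, size_t dstsize, const char *prefix, const char *arg)
{
    if (dstsize == 0)
        return -1;
    dst[0] = '\0';
    if (append_bounded(dst, dstsize, prefix) != 0)
        return -1;
    return append_bounded(dst, dstsize, arg);
}

/* Same job with one snprintf; its return value is the length the full
 * string would have had, so >= dstsize means it did not fit. */
int build_with_snprintf(char *dst, size_t dstsize, const char *prefix, const char *arg)
{
    int n = snprintf(dst, dstsize, "%s%s", prefix, arg);
    return (n < 0 || (size_t)n >= dstsize) ? -1 : 0;
}

/* Check helpers: build "/dev/" + arg into a SMALL_BUF-byte buffer and
 * return the resulting length, or -1 if it did not fit. */
int strncat_result_len(const char *arg)
{
    char buf[SMALL_BUF];
    if (build_with_strncat(buf, sizeof buf, PREFIX, arg) != 0)
        return -1;
    return (int)strlen(buf);
}

int snprintf_result_len(const char *arg)
{
    char buf[SMALL_BUF];
    if (build_with_snprintf(buf, sizeof buf, PREFIX, arg) != 0)
        return -1;
    return (int)strlen(buf);
}

int main(void)
{
    /* constructed inputs: one that fits in 16 bytes, one that does not */
    const char *ok = "disk1s2";
    const char *too_long = "disk1s2extra";

    printf("naive strncat of a 300-byte name into %d bytes overruns by %zu bytes\n",
           SMALL_BUF, naive_strncat_overrun(SMALL_BUF, strlen(PREFIX), 300));
    printf("\"%s\": strncat %d, snprintf %d\n", ok,
           strncat_result_len(ok), snprintf_result_len(ok));
    printf("\"%s\": strncat %d, snprintf %d (-1 = rejected)\n", too_long,
           strncat_result_len(too_long), snprintf_result_len(too_long));
    return 0;
}
```

Either bounded form is acceptable; the difference is that strncat silently truncates unless you compare lengths yourself, while snprintf hands back the would-be length so the caller can reject the input outright, which for a device name is the behaviour you want.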
Power search not working on iTunes music store. Its all falling apart...
Also, 'Max' made entirely unfounded, sweeping statements about the general quality of Mac OS X from this one little item, but oh well.
MacDork, you really are a dork all right. The guy hardly says a word. What are you - a PFY? a wimp?
Enough of this sniveling nonsense.
The reason there are so many viruses and exploits for Windows is because Microsoft makes it so easy for them to spread. Typical Outlook email virus? You click on the email from your friend, click on the attachment that he sent you, and it's automatically opened and executed, typically as an Administrator. The really bad ones, you wouldn't even have to open the attachment to activate it; just previewing the message is enough.
Contrast that to Apple, where you click on the attachment, download it, then have to open the attachment, and then enter your password for it to run as root. That's another two steps (a big one with asking the password) that a virus has to take before being executed. The more steps a worm or cracker has to go through to get into your system, the more the chance of a successful attempt will drop.
Sure, there will always be social engineering, but Microsoft makes it so easy while Apple actually makes you work for it.
Eh, just because you can work around an exploit, that you can cover it up and disable it, doesn't mean it shouldn't be fixed. I think it's kinda weak to think that this is okay, no offence..
- It's not the Macs I hate. It's Digg users. -