Slashdot Mirror
Mac OS X Buffer Overflow Found
MacDork writes "Well, if default settings in Mac OS X made Lance Ulanoff excited, this is really going to make him do the monkey boy dance... SecurityFocus's Bugtraq mailing list just posted a buffer overflow, in the utility for mounting and probing ISO 9660 file systems. No exploits were mentioned. No word on whether 'Max' alerted Apple or anyone outside of the Bugtraq mailing list though." Also, 'Max' made entirely unfounded, sweeping statements about the general quality of Mac OS X from this one little item, but oh well. When you're on top, you make a tempting target.
From looking at the posting, I don't see any demonstration (or even any indication) that this is exploitable. What I see is that, if you put a goobered up CDROM in the drive (or use perl to simulate same)...
Yes, it might be possible to craft some clever exploit in the usual way, but that is by no means easy and is often impossible (depending mostly on what gets allocated around the buffer).
And if it is exploitable? Will we see a rash of strangers in London Fog coats trying to slip CDs into unsuspecting Macs? We already prevent that, since anyone who could do that could do anything they wanted anyway, up to and including installing an old copy of BeOS over OSX anyway.
-- MarkusQ
When you're on top, you make a tempting target.
I see, so you buy into the argument that MS is only targetted because it's so popular?
I'm always amazed at how fast Mac users will resort to MS-style tactics and excuses.
"Max" was definitely harsh, but he's not entirely out of line. cd9660.util *is* a SUID binary, and one would expect educated developers to take that into account and carefully validate any and all input. It's just what you *do* in a SUID program.
This type of attack is nothing new, and this vulnerability may be an indication that security isn't being taken seriously.
So... Darwin users/developers. Does this problem affect the open source Darwin? Just how many SUID binaries do you find on Darwin?
Pudge, you have to realize that Apple has no experience when it comes to the world of Unix security. MacOS (=9) hasn't traditionally been the target of as much scrutiny, and it doesn't have things like SUID binaries that will turn a simple bug into a security problem. Apple needs to play catchup for a while.
-molo
Using your sig line to advertise for friends is lame.
I wish editors would reject stories that are just blatently biased, or at least reserve the right to re-summarize story submissions.
You've got me, I'm definitely biased. I think Apple is the greatest thing since sliced bread.
However, on the note of editorializing, who says they don't? My submission was exactly like my post except it used the 'monkey boy dance' line rather than 'wet dreams' line. I felt it was more appropriate for a general /. crowd :-) For the record, I have also posted this to bugreporter.apple.com just in case they were in the dark about it.
I had heard some suggestions that G5s didn't allow NOPs to overwrite their null bytes with random data. It seemed that the motorolla behavior for this was a bug to begin with, since those flags are reserved for future meaning, and as such the instruction is different if they are set.
:)
Does anyone know if these eggs fly on a G5? Here is a perfect chance to test!
Slashdot. It's Not For Common Sense
I have to say thank-you for finding that, although of course now you've wasted the afternoon I just spent building a shellcode to exploit the bug :-) (With a 520 byte argument the return address is at 479 bytes through the argument!)
/System/Library/Filesystems/*/*.util this is the only one that is setuid). This is fortunate because of the seond observation, which is that a cursory inspection reveals that other of these programs are also vulnerable (ufs.util needs a rather longer string but gives a segmentation fault with ufs.fs/ufs.util -p `perl -e "print 'A'x6750;"`).
A couple of things are worth noting about this bug. Firstly, it appears that the utiliy gets run by some other setuid process so the program didn't need to be setuid in the first place (looking at the files
It might be useful if someone were to trawl through the other related utilities to see if there are any more unchecked string copies. I didn't find he source to all these utilities but the msdos_util seems to have some unchecked sprintf() calls. While these are probably not security critical because hopefully the root process that calls them can't be fooled into passing bad arguments it's still indicative of a lack of care in programming.
If intelligent life is too complex to evolve on its own, who designed God?
Hey,
I do not have a G5, nor do I know anyone with a G5. So I cannot test this, but I've heard some of my security-friends (like the super friends, only ugly, fat, and obnoxious instead of ugly, healthy and obnoxious) that the G5's don't allow the NOP's with non-0 flags.
This is probably the proper behavior. I'm convinced that Motorolla's acceptance of these facts was a bug, not a feature.
Could you test it and find out? I'm really curious.
Slashdot. It's Not For Common Sense
No. Unless your definition of "remotely exploitable" includes the words "already has a shell account on the system". My definition doesn't.
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
Certainly this makes the OS a bigger target for fanboys of other operating systems trying to be the first to "prove" that Macs are somehow equally insecure.
...because there is no need for a patch. Just open Directory Access and uncheck a box. If you insist for running a patch you might be able to make the process into an AppleScript.
Happy ?
Maybe we deserve this world ?
3rd in the desktop? behind windows and what?