Mac OS X Buffer Overflow Found

← Back to Stories (view on slashdot.org)

Mac OS X Buffer Overflow Found

Posted by ryuzaki0 on Monday December 15, 2003 @06:17PM from the and-so-it-begins dept.

MacDork writes "Well, if default settings in Mac OS X made Lance Ulanoff excited, this is really going to make him do the monkey boy dance... SecurityFocus's Bugtraq mailing list just posted a buffer overflow, in the utility for mounting and probing ISO 9660 file systems. No exploits were mentioned. No word on whether 'Max' alerted Apple or anyone outside of the Bugtraq mailing list though." Also, 'Max' made entirely unfounded, sweeping statements about the general quality of Mac OS X from this one little item, but oh well. When you're on top, you make a tempting target.

4 of 161 comments (clear)

Min score:

Reason:

Sort:

Looks low risk to me... by MarkusQ · 2003-12-15 18:36 · Score: 5, Interesting

From looking at the posting, I don't see any demonstration (or even any indication) that this is exploitable. What I see is that, if you put a goobered up CDROM in the drive (or use perl to simulate same)...
...it won't work.
Yes, it might be possible to craft some clever exploit in the usual way, but that is by no means easy and is often impossible (depending mostly on what gets allocated around the buffer).
And if it is exploitable? Will we see a rash of strangers in London Fog coats trying to slip CDs into unsuspecting Macs? We already prevent that, since anyone who could do that could do anything they wanted anyway, up to and including installing an old copy of BeOS over OSX anyway.
-- MarkusQ
1. Re:Looks low risk to me... by ag0ny · 2003-12-15 18:46 · Score: 5, Interesting
  
  And if it is exploitable? Will we see a rash of strangers in London Fog coats trying to slip CDs into unsuspecting Macs? We already prevent that, since anyone who could do that could do anything they wanted anyway, up to and including installing an old copy of BeOS over OSX anyway.
  
  That's not the way it works. The problem is a typical input validation problem in a setuid root binary. You don't need a CD. In fact, you don't even need physical access to the computer.
  
  This is a privilege scalation vulnerability. If exploitable, this means that someone with non-superuser access to the computer could exploit the (as of yet unconfirmed) vulnerabilty in this binary to gain superuser privileges.
  
  You must take into account that you don't need to be a local user in order to run this program. Some other vulnerability or misconfiguration can be used first in order to run an exploit against the cd9660.util binary.
  
  --
  My site
2. Re:Looks low risk to me... by You're+All+Wrong · 2003-12-16 00:01 · Score: 5, Interesting
  
  "I don't see any demonstration (or even any indication) that this is exploitable."
  
  Then what the fuck is "#2 0x41414141 in ?? ()"?
  
  To me, that looks like user data in the stack frame.
  To me, that means that an arbitrary jump can be executed.
  To me, that means that arbitrary NUL-less code can be executed.
  
  And the chances of there existing NUL-less BSD PPC shell-code are what, you ask?
  
  Here's your answer -
  0x7CC63278, 0x2F867FFF, 0x41BC005C, 0x7C6802A6,
  0xB0C3FFF9, 0xB0C3FFF1, 0x38867FF0, 0x38A67FF4,
  0x38E67FF3, 0x7CA52278, 0x7CE72278, 0x7C853A14,
  0x7CC419AE, 0x7C8429D6, 0x7C842214, 0x7C043A14,
  0x7CE72850, 0x7C852A14, 0x7C63212E, 0x7C832214,
  0x7CC5212E, 0x7CA52A78, 0x44FFFF02, 0x7CE03B78,
  0x44FFFF02, 0x4BFFFFA9, 0x2F62696E, 0x2F73685A,
  0xFFFFFFFF, 0xFFFFFFFF
  
  All someone's got to do is calculate the offset for the overwritten return stack to contain such that it calls the above code. That could be calculated with just 2 more probes with perl - use 'abcdefghijklmnopqrstuvwxyz' x 20 and 'abcdefghijklmnopqrstuvwxyz123456789' x 16
  and tell me the values read off the stack.
  
  If anything you should be thankful that 'Max' didn't publish real live exploit code, as then the script kiddies would be doing their best to run it already. At least this way they need to still fill in the gaps. Gaps that unfortunately I've just had to explain on a very public forum because a Mac user had his head in the clouds.
  
  YAW.
  
  --
  Your head of state is a corrupt weasel, I hope you're happy.
Harsh, but not incorrect by MSG · 2003-12-15 18:46 · Score: 5, Interesting

"Max" was definitely harsh, but he's not entirely out of line. cd9660.util *is* a SUID binary, and one would expect educated developers to take that into account and carefully validate any and all input. It's just what you *do* in a SUID program.

This type of attack is nothing new, and this vulnerability may be an indication that security isn't being taken seriously.

So... Darwin users/developers. Does this problem affect the open source Darwin? Just how many SUID binaries do you find on Darwin?