Mac OS X WebDAV kernel extension local denial-of-service

2010.08.04
Credit: Dan Rosenberg
Risk: Low
Local: Yes
Remote: No
CWE: CWE-264


CVSS Base Score: 4.9/10
Impact Subscore: 6.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

===================================================================
Mac OS X WebDAV kernel extension local denial-of-service
July 26, 2010
CVE-2010-1794
===================================================================

==Description==

"Web-based Distributed Authoring and Versioning, or WebDAV, is a set of extensions to the Hypertext Transfer Protocol that allows computer users to edit and manage files collaboratively on remote World Wide Web servers." [1]

Mac OS X supports WebDAV shares natively as a filesystem, implemented as a kernel extension. Local users can mount WebDAV shares using the "mount_webdav" utility included in most default installations.

The WebDAV kernel extension is vulnerable to a denial-of-service issue that allows a local unprivileged user to trigger a kernel panic due to a memory overallocation. This vulnerability has been verified with proof-of-concept code.

The vulnerable code is in the webdav_mount() function, and reads as:

MALLOC(fmp->pm_socket_name, struct sockaddr *, args.pa_socket_namelen, M_TEMP, M_WAITOK);

"args" is a user-controlled struct provided as an argument to a request to mount a WebDAV share, and there is no checking of the "pa_socket_namelen" field. If a user issues a mount request with a very large value for this field, this triggers a kernel panic, since in BSD-based kernels (such as XNU), MALLOC() with M_WAITOK panics when the requested memory cannot be allocated.

==Notes on Disclosure==

My disclosure of this issue prior to an official fix is not meant to be taken as a statement against Apple's management of security issues. Local denial-of-service issues are by nature low impact - many security teams do not regard these as security-relevant at all. I believe the chances of exploitation of this in real life are practically non-existent.

Given that the vulnerability resides in an open source kernel extension, I chose to disclose this issue so that concerned administrators can apply a fix immediately, while the rest of us can benefit from a little increased awareness of potentially unsafe memory allocation situations. Apple's security team was contacted prior to disclosure, and I'm sure they'll incorporate a fix in a future release.

==Solution==

The WebDAV kernel extension can be obtained online [2]. The following patch can be applied to this extension, after which it should be recompiled to replace the existing extension at /System/Library/Extensions/webdav_fs.kext:

--- webdav_fs.kextproj.orig/webdav_fs.kmodproj/webdav_vfsops.c	2010-07-21 09:51:09.000000000 -0400
+++ webdav_fs.kextproj/webdav_fs.kmodproj/webdav_vfsops.c	2010-07-21 10:32:43.000000000 -0400
@@ -319,6 +319,12 @@ static int webdav_mount(struct mount *mp
 	}
 
 	/* Get the server sockaddr from the args */
+	if(args.pa_socket_namelen > NAME_MAX)
+	{
+		error = EINVAL;
+		goto bad;
+	}
+
 	MALLOC(fmp->pm_socket_name, struct sockaddr *, args.pa_socket_namelen, M_TEMP, M_WAITOK);
 	error = copyin(args.pa_socket_name, fmp->pm_socket_name, args.pa_socket_namelen);
 	if (error)

==Credits==

This vulnerability was discovered by Dan Rosenberg (dan.j.rosenberg (at) gmail (dot) com).

==References==

CVE identifier CVE-2010-1794 has been assigned to this issue by Apple.

[1] http://en.wikipedia.org/wiki/WebDAV
[2] http://opensource.apple.com/source/webdavfs/webdavfs-293/webdav_fs.kextproj/webdav_fs.kmodproj/
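Review bot: The bound in `if(args.pa_socket_namelen > NAME_MAX)` is a path-component limit, not a sockaddr limit, so it says nothing about what the buffer is meant to hold; `sizeof(struct sockaddr_storage)` is the largest address the kernel can legitimately receive and would document the intent. The hunk also rejects only the high side: a length of 0, or anything below `sizeof(struct sockaddr)`, still reaches MALLOC and copyin and leaves `fmp->pm_socket_name` too small for the `sa_len`/`sa_family` header if anything later reads it, so consider `if (args.pa_socket_namelen < sizeof(struct sockaddr) || args.pa_socket_namelen > sizeof(struct sockaddr_storage))`. Finally, the new `goto bad` relies on a `bad:` label outside this hunk; worth confirming that its cleanup tolerates `fmp->pm_socket_name` still being NULL at that point.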
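The allocation pattern the advisory describes, modelled in user space as an added example. This is not Apple's webdav_fs code and not the reporter's proof of concept; the struct and function names, the use of malloc/memcpy in place of MALLOC/copyin, and the choice of sizeof(struct sockaddr_storage) as the upper bound are assumptions of this example. It shows the check that belongs in front of a kernel allocation whose size comes from user-controlled mount arguments: reject the length before allocating, on both the high side (the oversized request that panics an M_WAITOK allocation) and the low side (a buffer too small to hold a sockaddr header).

```c
/* Added example (not Apple's webdav_fs code): a user-space model of the
 * length validation that webdav_mount() lacked. A kernel that hands a
 * user-controlled byte count straight to MALLOC(..., M_WAITOK) panics when
 * that count cannot be satisfied; the fix is to reject the length first.
 * All names below are hypothetical stand-ins. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical model of the mount-args struct copied in from user space. */
struct mount_args_model {
    const void *pa_socket_name;    /* user pointer to a sockaddr */
    uint32_t    pa_socket_namelen; /* user-controlled length; unchecked in the original */
};

/* Largest address the kernel can meaningfully store (assumption of this example). */
#define SOCKADDR_MAX_LEN sizeof(struct sockaddr_storage)

/* Return 0 if len is acceptable for a sockaddr copy, EINVAL otherwise.
 * Too large: an oversized kernel allocation (the panic in the advisory).
 * Too small: a buffer that cannot even hold the sa_len/sa_family header. */
int validate_socket_namelen(uint32_t len)
{
    if (len < sizeof(struct sockaddr) || len > SOCKADDR_MAX_LEN)
        return EINVAL;
    return 0;
}

/* Model of the patched mount path: validate, then allocate and copy.
 * Returns 0 and stores a heap copy in *out on success, an errno value
 * otherwise. copyin() is modelled by memcpy; there is no user/kernel
 * boundary here, so a bad pointer is the caller's problem. */
int mount_copy_socket_name(const struct mount_args_model *args, struct sockaddr **out)
{
    int error = validate_socket_namelen(args->pa_socket_namelen);
    if (error)
        return error;               /* the "goto bad" of the patch */

    struct sockaddr *sa = malloc(args->pa_socket_namelen);
    if (sa == NULL)
        return ENOMEM;              /* user space can fail gracefully; M_WAITOK cannot */
    memcpy(sa, args->pa_socket_name, args->pa_socket_namelen);
    *out = sa;
    return 0;
}

int main(void)
{
    /* Constructed sample input: a zeroed IPv4 sockaddr_storage. */
    struct sockaddr_storage ss;
    memset(&ss, 0, sizeof ss);
    ss.ss_family = AF_INET;

    struct mount_args_model good = { &ss, (uint32_t)sizeof ss };
    struct mount_args_model huge = { &ss, 0xFFFFFFFFu };  /* the overallocation request */
    struct sockaddr *out = NULL;

    printf("good request -> %d\n", mount_copy_socket_name(&good, &out));  /* 0 */
    free(out);
    out = NULL;
    printf("huge request -> %d (EINVAL=%d)\n",
           mount_copy_socket_name(&huge, &out), EINVAL);                   /* rejected */
    return 0;
}
```

The point of keeping validation in its own function is that the bound is checked once, before any resource is committed, and can be unit-tested without a kernel; an oversized length never reaches the allocator, and an undersized one never produces a buffer that later code would read past.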

References:

http://www.securityfocus.com/archive/1/archive/1/512642/100/0/threaded
http://www.securityfocus.com/bid/41958
http://securitytracker.com/id?1024250


Copyright 2019, cxsecurity.com