MacOS X 10.9.5 Kernel heap-based buffer overflow

2014.11.08
Risk: High
Local: Yes
Remote: No
CWE: N/A


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Impact: A maliciously crafted file system may cause unexpected system shutdown or arbitrary code execution Description: A heap-based buffer overflow issue existed in the handling of HFS resource forks. A maliciously crafted filesystem may cause an unexpected system shutdown or arbitrary code execution with kernel privileges. The issue was addressed through improved bounds checking. MACOS X 10.9 CODE http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vnops.c ================= /* * Supply hfs_getnewvnode with a component name. */ cn.cn_pnbuf = NULL; if (descptr->cd_nameptr) { MALLOC_ZONE(cn.cn_pnbuf, caddr_t, MAXPATHLEN, M_NAMEI, M_WAITOK); cn.cn_nameiop = LOOKUP; cn.cn_flags = ISLASTCN | HASBUF; cn.cn_context = NULL; cn.cn_pnlen = MAXPATHLEN; cn.cn_nameptr = cn.cn_pnbuf; cn.cn_hash = 0; cn.cn_consume = 0; cn.cn_namelen = snprintf(cn.cn_nameptr, MAXPATHLEN, <=============== "%s%s", descptr->cd_nameptr, _PATH_RSRCFORKSPEC); } ================= MACOS X 10.10 CODE http://opensource.apple.com/source/xnu/xnu-2782.1.97/bsd/hfs/hfs_vnops.c ================= /* * Supply hfs_getnewvnode with a component name. */ cn.cn_pnbuf = NULL; if (descptr->cd_nameptr) { MALLOC_ZONE(cn.cn_pnbuf, caddr_t, MAXPATHLEN, M_NAMEI, M_WAITOK); cn.cn_nameiop = LOOKUP; cn.cn_flags = ISLASTCN | HASBUF; cn.cn_context = NULL; cn.cn_pnlen = MAXPATHLEN; cn.cn_nameptr = cn.cn_pnbuf; cn.cn_hash = 0; cn.cn_consume = 0; cn.cn_namelen = snprintf(cn.cn_nameptr, MAXPATHLEN, <====================== "%s%s", descptr->cd_nameptr, _PATH_RSRCFORKSPEC); // Should never happen because cn.cn_nameptr won't ever be long... <=============== if (cn.cn_namelen >= MAXPATHLEN) { <================================== FREE_ZONE(cn.cn_pnbuf, cn.cn_pnlen, M_NAMEI); return ENAMETOOLONG; } } ================= funny comment Vulnerability discovered by tool cifrex.org for static code analysis More: http://cxsecurity.com/issue/WLB-2014040027

References:

http://cxsecurity.com/issue/WLB-2014040027
http://support.apple.com/en-us/HT6535
http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vnops.c
http://opensource.apple.com/source/xnu/xnu-2782.1.97/bsd/hfs/hfs_vnops.c
http://cifrex.org/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top