-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:               Mac OS X AppleTalk AIOCSETZNUSAGE IOCTL Kernel Stack Overflow
Advisory ID:            TKADV2007-003
Revision:               1.0
Release Date:           2008/03/01
Last Modified:          2008/03/01
Date Reported:          2007/07/16
Author:                 Tobias Klein (tk at trapkit.de)
Affected Software:      Mac OS X xnu kernel <= version 8.10.1 (xnu-792.22.5~1)
                        Mac OS X v10.4 through v10.4.10,
                        Mac OS X Server v10.4 through v10.4.10
Remotely Exploitable:   No
Locally Exploitable:    Yes
Vendor URL:             http://www.apple.com
Vendor Status:          Vendor has released an updated version
CVE-ID:                 CVE-2007-4267
Patch development time: 99 days

======================
Vulnerability details:
======================

The xnu kernel of Mac OS X contains a vulnerability in the code that
handles AIOCSETZNUSAGE IOCTL requests. Exploitation of this vulnerability
can result in:

  1) local execution of arbitrary code at the kernel level (complete
     system compromise), or
  2) local denial of service attacks (system crash due to a kernel panic)

The issue can be triggered by sending a specially crafted IOCTL request.

==============
Prerequisites:
==============

In order to exploit this vulnerability, the system needs to have AppleTalk
configured in routing mode. No special user rights are necessary to exploit
the vulnerability.

======================
Technical description:
======================

The following source code references are based on the kernel source code
available from:

http://www.opensource.apple.com/darwinsource/tarballs/apsl/xnu-792.18.15.tar.gz

File "bsd/netat/at.c":

[...]
310         case AIOCSETZNUSAGE:
311                 if (!(at_state.flags & AT_ST_STARTED) || !ifID_home)
312                         return(ENOTREADY);
313
314                 if (!ROUTING_MODE)
315                         return(EINVAL);
316
317                 return(set_zones((zone_usage_t *)data));    <-- (1)
318
319                 break;
[...]

In line 317 the user-controlled IOCTL data of AIOCSETZNUSAGE is cast to
zone_usage_t and passed to the set_zones() function (see (1)).
The zone_usage_t struct looks as follows:

File "bsd/netat/at_var.h":

[...]
109 typedef struct zone_usage {
110         int             zone_index;     /* index in local_zones */
111         at_nvestr_t     zone_name;      /* the zone name & len */
112         int             zone_home;      /* used only to set zones in
113                                            router mode */
114         at_ifnames_t    zone_iflist;    /* list of interfaces for
115                                            this zone. */
116         char            usage[IF_TOTAL_MAX]; /* I/F usage (set if
117                                                 I/F in this zone) */
118 } zone_usage_t;
[...]

The at_nvestr_t struct used within zone_usage_t (see line 111) looks as
follows:

File "bsd/netat/appletalk.h":

[...]
234 #define NBP_NVE_STR_SIZE        32      /* Maximum NBP tuple string size */
235 typedef struct at_nvestr {
236         u_char          len;
237         u_char          str[NBP_NVE_STR_SIZE];
238 } at_nvestr_t;
[...]

The user-controlled IOCTL data is then processed further in the set_zones()
function (see the code snippet below).

File "bsd/netat/at.c":

[...]
 79 /* called only in router mode */
 80 static int set_zones(zone_usage_t *ifz)
 81
 82 /* 1. adds zone to table
 83    2. looks up each route entry from zone list
 84    3. sets zone bit in each route entry
 85
 86    returns 0 if successful
 87    errno if error occurred
 88 */
 89 {
 90         int i;
 91         at_ifaddr_t *ifID;
 92         short zno;
 93         RT_entry *rte;
 94
 95         zno = zt_add_zone(ifz->zone_name.str, ifz->zone_name.len);  <-- (2)
[...]

The user-controlled data is passed on as the arguments of another function,
zt_add_zone() (see (2)). This function looks as follows:

File "bsd/netat/ddp_rtmptable.c":

[...]
478 /*
479  * zt_add_zone: add a zone name in the zone table.
480  */
481
482 zt_add_zone(name, length)
483         char *name;
484         short length;
485 {
486         at_nvestr_t zname;
487         bcopy(name, &zname.str, length);    <-- (3)
488         zname.len = length;
489         return (zt_add_zonename(&zname));
490 }
[...]

The user-controlled data is now used as the arguments of the bcopy() call
(see (3)). Both the source and the length of the data written into
zname.str are under the user's control.
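An added example (not Apple's code and not part of this advisory) of the bounds check that zt_add_zone() lacks at (3): zone_name.len is a u_char, so a caller can request up to 255 bytes into the 32-byte zname.str. It is a user-space model in C; zt_add_zonename_model() is an assumed stand-in for the real zone table, submit_zone_of_len() feeds constructed input, and memcpy() stands in for bcopy().

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define NBP_NVE_STR_SIZE 32            /* from bsd/netat/appletalk.h */
typedef unsigned char u_char;
typedef struct at_nvestr {             /* same layout as the kernel struct */
    u_char len;
    u_char str[NBP_NVE_STR_SIZE];
} at_nvestr_t;

/* Stand-in for zt_add_zonename() (assumption for this demo): returns the
 * accepted length as the "zone number" so callers can observe it. */
static int zt_add_zonename_model(const at_nvestr_t *zname)
{
    return zname->len;
}

/* Hardened zt_add_zone(): validates the user-supplied length against the
 * 32-byte destination before copying, so an over-long zone_name.len is
 * rejected with -EINVAL instead of overwriting the kernel stack. */
int zt_add_zone_checked(const char *name, short length)
{
    at_nvestr_t zname;

    if (length < 0 || length > NBP_NVE_STR_SIZE)
        return -EINVAL;                     /* would overflow zname.str */

    memset(&zname, 0, sizeof zname);
    memcpy(zname.str, name, (size_t)length); /* now provably in bounds */
    zname.len = (u_char)length;
    return zt_add_zonename_model(&zname);
}

/* Constructed input: a zone name of `length` 'A' bytes, modelling what a
 * u_char zone_name.len of that value would ask the kernel to copy. */
int submit_zone_of_len(int length)
{
    char name[256];                         /* u_char len never exceeds 255 */
    memset(name, 'A', sizeof name);
    return zt_add_zone_checked(name, (short)length);
}

int main(void)
{
    printf("len 9: %d, len 32: %d, len 255: %d\n", submit_zone_of_len(9),
           submit_zone_of_len(32), submit_zone_of_len(255));
    return 0;
}
```

With the check in place, a length of 255 (the largest value a u_char zone_name.len can carry) is refused before any byte is copied, while every legal length up to 32 still reaches the zone table.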
Since zname is a struct of type at_nvestr_t, zname.str is 32 bytes in size
(see the definition of at_nvestr_t above). This copy operation leads to an
exploitable stack overflow.

=================
Proof of Concept:
=================

Due to the severity of this issue no proof of concept exploit code will be
released.

=========
Solution:
=========

Upgrade to Mac OS X (Server) v10.4.11 or apply Security Update 2007-008.

http://www.apple.com/support/downloads/

========
History:
========

2007/07/16 - iDefense VCP notified
2007/08/08 - Initial vendor notification by iDefense
2007/08/09 - Initial vendor response to iDefense
2007/11/14 - Coordinated public disclosure by iDefense
2008/03/01 - Full technical description released

========
Credits:
========

Vulnerability found and advisory written by Tobias Klein.

===========
References:
===========

[1] http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
[2] http://docs.info.apple.com/article.html?artnum=307041
[3] http://www.trapkit.de/advisories/TKADV2007-003.txt

========
Changes:
========

Revision 1.0 - Public release

===========
Disclaimer:
===========

The information within this advisory may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
no warranties, implied or express, with regard to this information. In no
event shall the author be liable for any direct or indirect damages
whatsoever arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.

==================
PGP Signature Key:
==================

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

Copyright 2008 Tobias Klein. All rights reserved.