Sunday, November 26, 2006

Notes on MOKB-26-11-2006: otool affected as well

MOKB-26-11-2006 also exposes a vulnerability in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 otool utility:

$ otool -f mach-o_bug_pagefault_univ_1
Fat headers
Segmentation fault

$ gdb /usr/bin/otool
GNU gdb 6.3.50-20050815 (Apple version gdb-573) (Fri Oct 20 15:50:43 GMT 2006)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-apple-darwin"...Reading symbols for shared libraries ... done

(gdb) r -d mach-o_bug_pagefault_univ_1
Starting program: /usr/bin/otool -d mach-o_bug_pagefault_univ_1
Reading symbols for shared libraries . done

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00077000
0x00043585 in ?? ()
(gdb) bt
#0 0x00043585 in ?? ()
#1 0x00008598 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(gdb) info registers
eax 0x0 0
ecx 0x0 0
edx 0x0 0
ebx 0x3ff3e 261950
esp 0xbffff850 0xbffff850
ebp 0xbffff858 0xbffff858
esi 0x76ff0 487408
edi 0x732 1842
eip 0x43585 0x43585
eflags 0x10246 66118
cs 0x17 23
ss 0x1f 31
ds 0x1f 31
es 0x1f 31
fs 0x0 0
gs 0x37 55
(gdb) x/30x 0xbffff858
0xbffff858: 0xbffff8c8 0x00040118 0x0006e008 0x40000002
0xbffff868: 0x00000002 0xbffff8cc 0x00000000 0x00000002
0xbffff878: 0xbffff898 0x8fe0e25a 0x00000000 0x00000000
0xbffff888: 0x00000000 0x00000000 0x615f676e 0x00000002
0xbffff898: 0x00007373 0x79645f5f 0xffffffff 0xffffffff
0xbffff8a8: 0xffffffff 0xbebafeca 0x00000000 0x00000000
0xbffff8b8: 0x00000000 0x0003fddf 0x00000003 0xbffffc5e
0xbffff8c8: 0xbffff988 0x0003ff25

Mac OS X users and developers, beware (and be careful) about what you do with binaries. Especially when trying to analyze some "useless malware proof of concept"...