
Thursday, November 30, 2006

MOKB-30-11-2006: Apple Airport Extreme Beacon Frame Denial of Service

Apple Airport Extreme driver fails to handle certain beacon frames, leading to an out of bounds memory access, resulting in a so-called kernel panic. Other security implications may exist, although this hasn't been verified and no details can be provided until further research is done. This issue is being coordinated with Apple, and under common agreement it's been decided to keep the details private until a fix has been made available to end-users.

Tuesday, November 28, 2006

MOKB-28-11-2006: Mac OS X shared_region_make_private_np() Memory Corruption

Mac OS X shared_region_make_private_np() system call fails to handle crafted user input, leading to an exploitable memory corruption condition. Unprivileged local users can abuse this issue in order to escalate privileges (via arbitrary code execution) or cause a denial of service.

Monday, November 27, 2006

MOKB-27-11-2006: Mac OS X AppleTalk AIOCREGLOCALZN Ioctl Memory Corruption

Mac OS X AppleTalk protocol handling code is vulnerable to an exploitable memory corruption issue. This particular vulnerability is caused by failure to validate input data in the AIOCREGLOCALZN ioctl command.

Sunday, November 26, 2006

Notes on MOKB-26-11-2006: otool affected as well

MOKB-26-11-2006 also exposes a vulnerability in the otool utility:

$ otool -f mach-o_bug_pagefault_univ_1
Fat headers
Segmentation fault

$ gdb /usr/bin/otool
GNU gdb 6.3.50-20050815 (Apple version gdb-573) (Fri Oct 20 15:50:43 GMT 2006)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-apple-darwin"...Reading symbols for shared libraries ... done

(gdb) r -d mach-o_bug_pagefault_univ_1
Starting program: /usr/bin/otool -d mach-o_bug_pagefault_univ_1
Reading symbols for shared libraries . done

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00077000
0x00043585 in ?? ()
(gdb) bt
#0 0x00043585 in ?? ()
#1 0x00008598 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(gdb) info registers
eax 0x0 0
ecx 0x0 0
edx 0x0 0
ebx 0x3ff3e 261950
esp 0xbffff850 0xbffff850
ebp 0xbffff858 0xbffff858
esi 0x76ff0 487408
edi 0x732 1842
eip 0x43585 0x43585
eflags 0x10246 66118
cs 0x17 23
ss 0x1f 31
ds 0x1f 31
es 0x1f 31
fs 0x0 0
gs 0x37 55
(gdb) x/30x 0xbffff858
0xbffff858: 0xbffff8c8 0x00040118 0x0006e008 0x40000002
0xbffff868: 0x00000002 0xbffff8cc 0x00000000 0x00000002
0xbffff878: 0xbffff898 0x8fe0e25a 0x00000000 0x00000000
0xbffff888: 0x00000000 0x00000000 0x615f676e 0x00000002
0xbffff898: 0x00007373 0x79645f5f 0xffffffff 0xffffffff
0xbffff8a8: 0xffffffff 0xbebafeca 0x00000000 0x00000000
0xbffff8b8: 0x00000000 0x0003fddf 0x00000003 0xbffffc5e
0xbffff8c8: 0xbffff988 0x0003ff25


Mac OS X users and developers, beware (and be careful) about what you do with binaries. Especially when trying to analyze some "useless malware proof of concept"...

MOKB-26-11-2006: Mac OS X Universal Binary Loading Memory Corruption

Mac OS X fails to properly handle corrupted Universal Binaries, leading to an exploitable memory corruption condition with potential risk of kernel-mode arbitrary code execution. This particular vulnerability is caused by an integer overflow in the fatfile_getarch2() function. Local unprivileged users can abuse this issue with specially crafted Mach-O 'Universal' binaries.

Friday, November 24, 2006

MOKB-24-11-2006: Mac OS X kqueue Local Denial of Service

Inconsistent handling of the kqueue and kevent interfaces in the Mac OS X kernel allows local unprivileged users to cause a denial of service condition. This particular vulnerability can be abused by a process registering a queue and a kernel event via the kevent() call, then spawning a child via fork() and attempting to register another event for the same ("parent") queue.

Thursday, November 23, 2006

MOKB-23-11-2006: Mac OS X Mach-O Binary Loading Memory Corruption

Mac OS X fails to properly handle corrupted Mach-O binaries, leading to an exploitable memory corruption condition. This is triggered by execution of a Mach-O binary with a valid mach_header structure and corrupted load_command data structures. Local unprivileged users can abuse this issue.
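The two loader entries above (MOKB-23-11-2006 on corrupted load_command tables and MOKB-26-11-2006 on the integer overflow in fatfile_getarch2()) describe the same defensive problem: trusting 32-bit offsets, sizes and counts read from the file. The following is an added example written for this page, not code from MoKB or from Apple's loader. It is a userland validator for the fat ("Universal") wrapper and the 32-bit Mach-O load-command table, with the on-disk layouts of <mach-o/fat.h> and <mach-o/loader.h> declared locally so it builds anywhere. The sample binary it checks is constructed in memory (the load command's cmd value is a placeholder and is not interpreted), and the exact arithmetic Apple got wrong is not reproduced; the point is the shape of the checks, subtracting instead of adding and bounding a count before multiplying it, so that a wrapped sum cannot pass as in-range.

```c
/* Added example: overflow-safe validation of a fat header and a Mach-O
 * load-command table. Layouts follow <mach-o/fat.h> and <mach-o/loader.h>,
 * declared locally so the file compiles on any host. Not Apple's code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FAT_MAGIC   0xcafebabeU  /* fat_header.magic, big-endian on disk      */
#define MH_MAGIC    0xfeedfaceU  /* mach_header.magic, little-endian on i386  */
#define FAT_HDR_SZ  8U           /* struct fat_header: magic, nfat_arch       */
#define FAT_ARCH_SZ 20U          /* struct fat_arch: cputype, cpusubtype, offset, size, align */
#define MH_SZ       28U          /* struct mach_header (32-bit)               */
#define LC_SZ       8U           /* struct load_command: cmd, cmdsize         */

enum { OK = 0, E_SHORT = -1, E_MAGIC = -2, E_COUNT = -3, E_RANGE = -4, E_CMD = -5 };

static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint32_t le32(const uint8_t *p) { return (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0]; }
static void put_be32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }
static void put_le32(uint8_t *p, uint32_t v) { p[3] = (uint8_t)(v >> 24); p[2] = (uint8_t)(v >> 16); p[1] = (uint8_t)(v >> 8); p[0] = (uint8_t)v; }

/* Thin 32-bit Mach-O: header must fit, sizeofcmds must fit after it, and
 * every load_command must lie inside sizeofcmds with a sane cmdsize. */
int validate_macho(const uint8_t *buf, size_t len)
{
    if (len < MH_SZ) return E_SHORT;
    if (le32(buf) != MH_MAGIC) return E_MAGIC;
    uint32_t ncmds = le32(buf + 16), sizeofcmds = le32(buf + 20);
    if (sizeofcmds > len - MH_SZ) return E_RANGE;       /* subtract: MH_SZ + sizeofcmds could wrap */
    size_t off = MH_SZ, end = MH_SZ + sizeofcmds;
    for (uint32_t i = 0; i < ncmds; i++) {
        if (end - off < LC_SZ) return E_CMD;              /* command header itself is out of range */
        uint32_t cmdsize = le32(buf + off + 4);
        if (cmdsize < LC_SZ || (cmdsize & 3) != 0) return E_CMD; /* 0 would loop forever; must be 4-aligned */
        if (cmdsize > end - off) return E_CMD;            /* body spills past sizeofcmds */
        off += cmdsize;
    }
    return OK;
}

/* Fat wrapper: bound nfat_arch before multiplying, and test each slice
 * with size > len - offset rather than offset + size > len. */
int validate_fat(const uint8_t *buf, size_t len)
{
    if (len < FAT_HDR_SZ) return E_SHORT;
    if (be32(buf) != FAT_MAGIC) return E_MAGIC;
    uint32_t nfat = be32(buf + 4);
    if (nfat == 0 || nfat > (len - FAT_HDR_SZ) / FAT_ARCH_SZ) return E_COUNT;
    for (uint32_t i = 0; i < nfat; i++) {
        const uint8_t *a = buf + FAT_HDR_SZ + (size_t)i * FAT_ARCH_SZ;
        uint32_t off = be32(a + 8), size = be32(a + 12);
        if (off > len || size > len - off) return E_RANGE;
        int rc = validate_macho(buf + off, size);
        if (rc != OK) return rc;
    }
    return OK;
}

#define SAMPLE_LEN 64U
#define THIN_OFF   28U   /* the thin Mach-O starts right after the single fat_arch */

/* Constructed sample, not a real program: one fat_arch wrapping a 36-byte
 * i386 Mach-O that carries a single 8-byte load command. */
static void build_sample(uint8_t out[SAMPLE_LEN])
{
    memset(out, 0, SAMPLE_LEN);
    put_be32(out, FAT_MAGIC);
    put_be32(out + 4, 1);                 /* nfat_arch                      */
    put_be32(out + 8, 7);                 /* cputype CPU_TYPE_X86           */
    put_be32(out + 12, 3);                /* cpusubtype CPU_SUBTYPE_X86_ALL */
    put_be32(out + 16, THIN_OFF);         /* offset                         */
    put_be32(out + 20, MH_SZ + LC_SZ);    /* size                           */
    uint8_t *m = out + THIN_OFF;
    put_le32(m, MH_MAGIC);
    put_le32(m + 4, 7); put_le32(m + 8, 3);
    put_le32(m + 12, 2);                  /* filetype MH_EXECUTE            */
    put_le32(m + 16, 1);                  /* ncmds                          */
    put_le32(m + 20, LC_SZ);              /* sizeofcmds                     */
    put_le32(m + 28, 0x7ff);              /* cmd: placeholder, not interpreted here */
    put_le32(m + 32, LC_SZ);              /* cmdsize                        */
}

/* Each check corrupts one field of the sample and returns the verdict. */
int check_intact(void)           { uint8_t b[SAMPLE_LEN]; build_sample(b); return validate_fat(b, SAMPLE_LEN); }
/* 28 + 0xffffffff wraps to 27 in 32-bit arithmetic, so a naive offset+size <= len test passes. */
int check_arch_size_wraps(void)  { uint8_t b[SAMPLE_LEN]; build_sample(b); put_be32(b + 20, 0xffffffffU); return validate_fat(b, SAMPLE_LEN); }
/* 0x0ccccccd * 20 wraps to 4, so a naive 8 + nfat*20 <= len test passes. */
int check_arch_count_wraps(void) { uint8_t b[SAMPLE_LEN]; build_sample(b); put_be32(b + 4, 0x0ccccccdU); return validate_fat(b, SAMPLE_LEN); }
int check_sizeofcmds_huge(void)  { uint8_t b[SAMPLE_LEN]; build_sample(b); put_le32(b + THIN_OFF + 20, 0xfffffff0U); return validate_fat(b, SAMPLE_LEN); }
int check_cmdsize_zero(void)     { uint8_t b[SAMPLE_LEN]; build_sample(b); put_le32(b + THIN_OFF + 32, 0); return validate_fat(b, SAMPLE_LEN); }

int main(void)
{
    printf("intact=%d size_wrap=%d count_wrap=%d sizeofcmds=%d cmdsize0=%d\n",
           check_intact(), check_arch_size_wraps(), check_arch_count_wraps(),
           check_sizeofcmds_huge(), check_cmdsize_zero());
    return 0;
}
```

The intact sample validates; each of the four corruptions is rejected with a distinct code, including the two cases where the corrupted field was chosen so that the naive additive check would have accepted it. Alignment of each slice (fat_arch.align) and the meaning of individual load commands are deliberately out of scope.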

Wednesday, November 22, 2006

More MOKB-20-11-2006 related news

Apparently, it isn't enough to explain these issues in the simplest possible way. There will always be someone who doesn't bother reading or checking, and, well, there will always be someone willing to say something that doesn't make sense at all.

A blog post is claiming that 'crashing a Mac with a .dmg has been known for ages'. It doesn't stop there; it even falls into the by now clueless logical fallacy that has been used over and over by Mac Zealots and other creatures of Neverland for long enough now: conveniently ignoring the fact that this is still just a crash, not an exploit, and that not all crashes are actually exploitable anyway.
Too many things are mixed up here and getting screwed up. Time to stop, space cowboy. Going back to Earth, a 'crash' in kernel-land has quite a few possible meanings:
  • locking issues
  • infinite loops (ex. filesystem code looking for non-existent blocks)
  • unhandled exceptions (ex. invalid memory access, à la page faults, etc)
  • handled exceptions (ex. known unsupported condition, poorly written code panicking for no real reason, à la the fpathconf() bug, etc).
  • ...
Now define 'exploit' in the context of a kernel-land issue. Basically, exploiting a bug in kernel-land requires some conditions to be met:
  • influence memory operations (ex. land at controlled memory)
  • avoid hard locks
  • avoid corrupting essential spots
  • change execution flow gracefully
In any case, once you have abused the vulnerable condition, you will have only one chance (normally, although there are exceptions, like modules and other interfaces that can be dynamically loaded and not necessarily get totally screwed up) to subvert the execution flow, until it goes wild and causes your so-called 'crash'. So, what happens upon successful exploitation? You're pwned, Michael Knight.

So, leaving the humorous style. Mac Zealots, please get a life. If something is well beyond your understanding capability, don't worry. Go watch TV, or the iTunes Store.

Reading documentation, debugging, checking the problem, spending hours to understand how something actually works, is obviously a tedious task. It's easier to smoke some pot and mixed hash while listening to Massive Attack and Modest Mouse.

Signed, a proud Macbook, Mac OS X and iPod (it has some indie music too, but not the brainwashing kind it seems, fortunately) user.

Alert on MOKB-20-11-2006: Being exploited in the wild?

I've been contacted by a Mac OS X user about a DMG image being distributed as a supposed 'cracked' version of some software, although it contains the 'shareware' (demonstration, time-limited) version available from the vendor website.

Without further investigation, there are no reasons to think it might be the same bug as the one published in MOKB-20-11-2006. A first look over the hexdump of the file shows that it actually contains corrupted data, yet keeping certain sections of the DMG format itself.

There's no security update from Apple right now, thus I would like to strongly recommend a higher level of caution. Don't download DMG files, don't get them off untrusted sources (ex. P2P networks) and disable the Safari feature for opening this kind of files after downloading (via Preferences -> General -> Open 'safe files' after download).

Due to time limitations, research of this issue might overlap with today's release, leading to a short delay.

Tuesday, November 21, 2006

MOKB-21-11-2006: Mac OS X Apple UDTO HFS+ Disk Image Denial of Service (1)

Mac OS X fails to properly handle corrupted UDTO HFS+ image structures (ex. bad sectors), leading to an exploitable denial of service condition. Although it hasn't been checked further, memory corruption is present under certain conditions (in this particular case, unlikely to allow arbitrary code execution).

Monday, November 20, 2006

MOKB-20-11-2006: Mac OS X Apple UDIF Disk Image Kernel Memory Corruption (1)

Mac OS X com.apple.AppleDiskImageController fails to properly handle corrupted DMG image structures, leading to an exploitable memory corruption condition with potential kernel-mode arbitrary code execution by unprivileged users.

Thursday, November 09, 2006

MOKB-09-11-2006: Mac OS X fpathconf() syscall denial of service

Failure to handle unknown file types by the Mac OS X kernel (XNU) fpathconf() syscall causes a kernel panic, leading to an exploitable local denial of service by non-privileged users. The bug was fixed by FreeBSD on Tue Jun 27 23:08:36 2000 UTC (6 years, 4 months ago).

Wednesday, November 01, 2006

MoKB starts: MOKB-01-11-2006 - Apple Airport 802.11 Probe Response Kernel Memory Corruption

The Month of Kernel Bugs has started. The first bug is a memory corruption vulnerability found and contributed by fellow H D Moore.

The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs) is vulnerable to a remote memory corruption flaw. When the driver is placed into active scanning mode, a malformed probe response frame can be used to corrupt internal kernel structures, leading to arbitrary code execution.

With all the hype and buzz about the now infamous Apple wireless device driver bugs (brought to attention at Black Hat, by Johnny Cache and David Maynor, covered up and FUD'ed by others), hopefully this will bring some light (better said, proof) about the existence of such flaws in the Airport device drivers.

The vulnerability details and proof of concept code can be found in the MOKB-01-11-2006 page.

Trick or treat? Happy Halloween.