Re: Buffer overflow/privilege escalation in MacOS X - hfs.util also

From: KF (dotslash_at_snosoft.com)
Date: 12/19/03

    Date: Fri, 19 Dec 2003 00:17:33 -0500
    To: bugtraq@securityfocus.com
    
    

    The funny thing is that I have reported this to Apple more than once if
    I remember correctly... first in 10.1 and recently in 10.3, and I have yet
    to hear back on the issue. As a side note, Apple has a no talky / no
    verify policy until the bug is fixed... they just keep you pretty much
    100% in the dark. Dave G finally talked some sense into me and I stopped
    trying to exploit the hole. I have spent many hours banging my head
    trying to figure out why things will not work out. I had been holding
    out for a response from Apple, but since this is now public info I'll
    probably jot down some public notes on what a pain it is. If anyone is
    interested, the code causing this issue is located below.

    *In earlier versions of OSX there is also hfs.util and it contains the
    same issue. hfs.util is no longer setuid in OSX 10.3*

    http://web.mit.edu/afs/sipb.mit.edu/project/darwin/src/modules/isoutil/cd9660.util_main.m

    ...
    char myRawDeviceName[256];
    char myDeviceName[256];
    ...
    /* Build our device name (full path), should end up with something like: */
    /* /dev/disk1s2 */
    /* argv[2] is appended with no length check into the 256-byte stack buffers */
    strcpy( &myDeviceName[0], DEVICE_PREFIX );
    strcat( &myDeviceName[0], argv[2] );
    strcpy( &myRawDeviceName[0], RAW_DEVICE_PREFIX );
    strcat( &myRawDeviceName[0], argv[2] );
    ...
    /* call the appropriate routine to handle the given action argument
    after becoming root */
    myActionPtr = &argv[1][1];
    myError = seteuid( 0 );
    switch( *myActionPtr ) {
    ...
    exit (myError);

    ------------------- and the vulnerability in hfs.util that was not
    reported --------------------

    http://www.mit.edu/afs/sipb/project/darwin/src/modules/hfs/hfs_util/hfsutil_main.c
    ...
    char rawDeviceName[MAXPATHLEN];
    char blockDeviceName[MAXPATHLEN];
    /* -- Build our device name (full path), should end up with something
    like: -- "/dev/disk0s2" */
    /* unbounded sprintf: argv[2] longer than MAXPATHLEN overruns the stack buffers */
    sprintf(rawDeviceName, "/dev/r%s", argv[2]);
    sprintf(blockDeviceName, "/dev/%s", argv[2]);
    ...
    exit(result);
    -KF
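As an added example (not code from the post, nor from Apple's sources), the same device-name construction done with bounded snprintf calls and an explicit check that argv[2] is a bare device node name; the DEVICE_PREFIX values are assumed from the "/dev/disk1s2" comment in the quoted code, and the name check is extra hardening the original did not have:

```c
/* Added example (not from the post or Apple's sources): bounded replacement for
 * the strcpy/strcat/sprintf device-name construction quoted above. */
#include <stdio.h>
#include <string.h>

#define DEVICE_PREFIX     "/dev/"   /* assumed, per the "/dev/disk1s2" comment */
#define RAW_DEVICE_PREFIX "/dev/r"

/* Accept only a bare device node name such as "disk1s2": non-empty and
 * alphanumeric, so no '/' or ".." can be smuggled in. Returns 1 if valid. */
static int valid_device_name(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    for (const char *p = name; *p != '\0'; p++) {
        if (!((*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
              (*p >= '0' && *p <= '9')))
            return 0;
    }
    return 1;
}

/* Build "/dev/<name>" and "/dev/r<name>" into caller-supplied buffers.
 * Returns 0 on success, -1 if the name is invalid or would not fit together
 * with its terminating NUL; the output is never truncated silently. */
int build_device_names(const char *name, char *block_dev, size_t block_len,
                       char *raw_dev, size_t raw_len)
{
    int n;
    if (block_len == 0 || raw_len == 0 || !valid_device_name(name))
        return -1;
    n = snprintf(block_dev, block_len, "%s%s", DEVICE_PREFIX, name);
    if (n < 0 || (size_t)n >= block_len)
        return -1;
    n = snprintf(raw_dev, raw_len, "%s%s", RAW_DEVICE_PREFIX, name);
    if (n < 0 || (size_t)n >= raw_len)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    char block_dev[256], raw_dev[256];   /* same sizes as the original */
    if (argc < 3 || build_device_names(argv[2], block_dev, sizeof block_dev,
                                       raw_dev, sizeof raw_dev) != 0) {
        fprintf(stderr, "usage: %s -<action> <diskNsM>\n", argv[0]);
        return 1;
    }
    return printf("%s %s\n", block_dev, raw_dev) < 0;
}
```

An over-long or path-like argument is rejected before any privileged action runs, instead of being copied past the end of the stack buffer.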

