apple-kext-tools-20060822.txt

Posted Sep 14, 2006
Authored by Adriel T. Desautels | Site netragard.com

Roxio Toast 7 Titanium on Mac OSX executes the kextload command with root privileges. The kextload command contains two vulnerabilities which can be exploited by a local user to gain local root access to the system. This advisory outlines both issues.

tags | advisory, local, root, vulnerability
systems | apple
SHA-256 | 4d9a1d1c4b802566deb492490350c56c3638f0b626e4adf257715a70770d86bb

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

******************** Netragard, L.L.C. Advisory ********************


Strategic Reconnaissance Team

------------------------------------------------
http://www.netragard.com -- "We make I.T. Safe."



[About Netragard]
- ----------------------------------------------------------------------
Netragard is a unique I.T. Security company whose services are fortified
by continual vulnerability research and development. This ongoing
research, which is performed by our Strategic Reconnaissance
Team, specifically focuses on Operating Systems, Software Products and
Web Applications commonly used by businesses internationally. We apply
the knowledge gained by performing this research to our professional
security services. This in turn enables us to produce high quality
deliverables that are the product of talented security professionals and
not those of automated scanners and tools. This advisory is the product
of research done by the Strategic Reconnaissance Team.


[Official URL]
- ----------------------------------------------------------------------
http://www.netragard.com/pdfs/research/apple-kext-tools-20060822.txt


[Advisory Information]
- ----------------------------------------------------------------------
Contact : Adriel T. Desautels
Advisory ID : NETRAGARD-20060822
Product Name : Apple OSX
Product Version : ALL
Helper Application : Roxio Toast 7 Titanium
Vendor Name : Apple Computer Corporation
Type of Vulnerability : Local Root Compromise (via kextload)
Effort : Easy
Operating System : OSX

- ----------------------------------------------------------------------
Other : A vulnerability exists in the OS X kextload program
        which affects the security of Roxio Toast 7 and may affect
        other applications that run kextload with root privileges.

This advisory covers two vulnerabilities in the kextload
program:

1-) Format String Vulnerability
2-) Buffer Overflow Vulnerability


[Product Description]
- ----------------------------------------------------------------------
"Toast 7 is the best way to save, share and enjoy a lifetime of digital
music, movies and photos on CD and DVD. Burn large files across
multiple discs; compress and copy DVD movies; add over 50 hours of
music to an audio DVD with on-screen TV menus, shuffle play, and rich
Dolby Digital sound; burn DivX files into DVDs. Do it all with the
fastest and most reliable burning software for the Mac OS - Toast."

- --http://www.roxio.com--



[Technical Summary]
- ----------------------------------------------------------------------
Roxio Toast 7 executes the kextload command with root privileges. The
kextload command contains two vulnerabilities which can be exploited
by a local user to gain local root access to the system. This advisory
outlines both issues.

The kextload program is used to explicitly load kernel extensions
(kexts), validate them to see that they can be loaded by other
mechanisms, such as kextd(8), and to generate symbol files for
debugging the kext in a running kernel. In order to load a kext into
the kernel, kextload must be invoked as the superuser; for all other
uses it can be invoked by any user. The examples below show that the
faulty argument handling is reached whether or not kextload is running
as root; what matters is the privilege it carries when a helper
application invokes it on a user's behalf.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!Important Note: A user requires root to run kextload properly or!!
!! kextload needs to be run by a helper application !!
!! with root privileges. !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!




[Technical Details]
- ----------------------------------------------------------------------
1-) kextload format string vulnerability.

Executing "sudo kextload %x.%x.%x.%x.%x.%x" demonstrates the
vulnerability (sudo is only needed to reproduce it directly; in the
Toast case the root privileges come from the helper application).
The code which enables this format string vulnerability can be found
in "prelink.c" and reads as

fprintf(stderr, kext_path);

The user-supplied path is passed to fprintf as the format string
rather than as a "%s" argument, so each %x in the path is treated as
a conversion and prints the next word from the stack. The hex values
inside the path on the first line below are stack contents, not
anything the user typed. Conversions such as %n write to memory, so
the bug is not limited to information disclosure. The second message
prints the argument literally because that call passes it as data.
The correct form is fprintf(stderr, "%s", kext_path).

netragard-test$ sudo kextload %x.%x.%x.%x.%x.%x
kextload: /Users/test/90b4b6ca.1c.69737473.65206578.68206275.6e646c65:\
no such bundle file exists
can't add kernel extension %x.%x.%x.%x.%x.%x (file access/permissions\
) (run kextload on this kext with -t for diagnostic output)
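The following is an added example, not code from the advisory or from Apple's kextload: the fprintf(stderr, kext_path) pattern beside its fix, plus the check a reviewer applies to an untrusted string before it reaches a format sink. To keep the output deterministic, the two words that %x would pull off the stack are supplied explicitly as arguments; they are the first two values visible in the advisory's output (90b4b6ca and 1c), used here as simulated stack contents. The function names are assumptions for this example.

```c
/* Added example (not from the advisory): the kextload format string
 * pattern beside its fix. The vulnerable variant is only ever called
 * with at most two %x conversions because exactly two "stack words"
 * are supplied to stand in for whatever a real stack would hold. */
#include <stdio.h>
#include <string.h>

static char msg[256];

/* Vulnerable sink: the user-controlled path is used as the format. */
const char *render_missing_bundle_vuln(const char *kext_path)
{
    unsigned stack_word0 = 0x90b4b6cau;   /* simulated stack contents */
    unsigned stack_word1 = 0x1cu;         /* (values from the advisory) */
    size_t len = 0;
    int r;

    r = snprintf(msg, sizeof msg, "kextload: ");
    len += (size_t)r;
    /* BUG: kext_path is the format string; %x, %s, %n in it are honoured. */
    r = snprintf(msg + len, sizeof msg - len, kext_path, stack_word0, stack_word1);
    if (r < 0 || (size_t)r >= sizeof msg - len)
        return NULL;
    len += (size_t)r;
    snprintf(msg + len, sizeof msg - len, ": no such bundle file exists");
    return msg;
}

/* Fixed sink: the path is data, passed to a literal "%s" format. */
const char *render_missing_bundle_fixed(const char *kext_path)
{
    snprintf(msg, sizeof msg, "kextload: %s: no such bundle file exists",
             kext_path);
    return msg;
}

/* Review helper: does an untrusted string contain a conversion
 * specification that a format-string sink would act on? "%%" is a
 * literal percent sign and does not count. */
int has_conversion_spec(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent, skip both */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    const char *path = "%x.%x";
    printf("vuln : %s\n", render_missing_bundle_vuln(path));
    printf("fixed: %s\n", render_missing_bundle_fixed(path));
    printf("flag : %d\n", has_conversion_spec(path));
    return 0;
}
```

Running it prints "kextload: 90b4b6ca.1c: no such bundle file exists" for the vulnerable variant and "kextload: %x.%x: no such bundle file exists" for the fixed one, the same contrast the advisory's two output lines show.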

2-) Buffer Overflow Vulnerability

Executing kextload `perl -e 'print "A" x 1022'` causes a
buffer overflow. We can see in the example below that memory
kextload later dereferences has been overwritten with "A".

(A is represented as 0x41)

(gdb) r `perl -e 'print "A" x 1023'`
Starting program: /sbin/kextload `perl -e 'print "A" x 1023'`
memory allocation or string conversion error
Program exited with code 01.

(gdb) r `perl -e 'print "A" x 1022'`
Starting program: /sbin/kextload `perl -e 'print "A" x 1022'`
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x41414149
0x90bf37a4 in _KXKextManagerLogMessageAtLevel ()

A 1023-byte argument is rejected cleanly ("memory allocation or
string conversion error"), while a 1022-byte argument passes that
check and crashes, so the length check and the buffer it is meant to
guard disagree by a small margin. The faulting address 0x41414149 is
0x41414141 + 8: the crash is an access through an overwritten pointer
plus a field offset inside the logging routine, not a direct jump to
0x41414141, which is why the program counter (0x90bf37a4) is still a
library address.
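As an added example (not part of the advisory, and not Apple's or Netragard's code), this is the step a practitioner takes after the "A" x 1022 crash: replace the uniform fill with a cyclic pattern of the same length so that any 4-byte value that turns up in a register or fault address maps back to an exact offset in the argument. The pattern format is the Metasploit-style "Aa0Aa1..." sequence; byte order is a parameter because Macs of that era were either PowerPC (big-endian) or Intel (little-endian). Function names and the DEMO_LEN constant are this example's own.

```c
/* Added example (not from the advisory): cyclic-pattern offset finding
 * for crash triage, with the advisory's 1022-byte crashing length. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_LEN 1022   /* the argument length that crashed kextload */

/* Fill buf with the "Aa0Aa1...Zz9" pattern, len bytes plus a NUL.
 * Every 4-byte window is unique for the first 20280 bytes, after
 * which the sequence repeats. Returns the number of bytes written. */
size_t pattern_create(char *buf, size_t len)
{
    size_t i = 0;
    for (char u = 'A'; u <= 'Z' && i < len; u++)
        for (char l = 'a'; l <= 'z' && i < len; l++)
            for (char d = '0'; d <= '9' && i < len; d++) {
                const char trip[3] = { u, l, d };
                for (int k = 0; k < 3 && i < len; k++)
                    buf[i++] = trip[k];
            }
    buf[i] = '\0';
    return i;
}

/* Map a 32-bit value seen in the debugger back to its offset in the
 * pattern, or -1 if it does not occur (e.g. 0x41414141 never does). */
long pattern_offset(const char *pat, size_t plen, uint32_t word, int big_endian)
{
    char needle[4];
    for (int k = 0; k < 4; k++) {
        int shift = big_endian ? 24 - 8 * k : 8 * k;
        needle[k] = (char)((word >> shift) & 0xffu);
    }
    for (size_t i = 0; i + 4 <= plen; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Distance of a fault address from the pure fill value. For the
 * advisory's crash 0x41414149 - 0x41414141 = 8: an overwritten pointer
 * was dereferenced with an 8-byte field offset. */
int64_t fill_delta(uint32_t fault_addr, unsigned char fill)
{
    uint32_t pure = (uint32_t)fill * 0x01010101u;
    return (int64_t)fault_addr - (int64_t)pure;
}

/* Pattern of the advisory's crashing length, built once. */
const char *demo_pattern(void)
{
    static char buf[DEMO_LEN + 1];
    if (buf[0] == '\0')
        pattern_create(buf, DEMO_LEN);
    return buf;
}

int main(void)
{
    const char *pat = demo_pattern();
    /* Intended use: gdb --args /sbin/kextload "$(./pattern)", then feed
     * the faulting register value to pattern_offset(). */
    printf("%s\n", pat);
    printf("offset of 0x41613141 (big-endian 'Aa1A'): %ld\n",
           pattern_offset(pat, DEMO_LEN, 0x41613141u, 1));
    printf("fill delta for 0x41414149: %lld\n",
           (long long)fill_delta(0x41414149u, 'A'));
    return 0;
}
```

With the pattern in place of the A's, the value that lands in the corrupted pointer tells you which bytes of the argument reached it, which is the information the uniform fill cannot give.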

3-) How does this affect Roxio Toast 7 (and any other application that
    calls kextload)?

Roxio Toast 7 runs the kextload command with root privileges, through
a helper (TDIXSupport) whose argument a local user controls. A local
user who triggers either kextload vulnerability through that helper
runs code with the helper's root privileges and so gains root level
access to the system.

4-) Example of kextload format string vulnerability affecting
    TDIXSupport

netragard-test:$ ./TDIXSupport %x%x%x%x%x%x%/TDIXController.kext
kextload: /Library/Application Support/Roxio/90b4b6ca1c69737473652065\
78682062756e646c65/TDIXController.kext: no such bundle file exists
can't add kernel extension %x%x%x%x%x%x%/TDIXController.kext (file ac\
cess/permissions) (run kextload on this kext with -t for diagnostic o\
utput)

5-) Example of kextload buffer overflow vulnerability affecting
    TDIXSupport

netragard-test:$ sudo ktrace -di ./TDIXSupport `perl -e 'print "A" x \
1000'`/TDIXController.kext
...
1067 security_authtra CALL sendto(0x7,0xbfffde14,0x36,0,0,0)
1067 security_authtra GIO fd 7 wrote 54 bytes
     "<37>Jul 8 11:31:58 authexec: executing /sbin/kextload"
1067 security_authtra RET sendto 54/0x36
1067 security_authtra CALL execve(0xbfffec61,0xbfffebb4,0x300af0)
1067 security_authtra NAMI "/sbin/kextload"
...
1067 kextload PSIG SIGSEGV SIG_DFL
1066 TDIXSupport GIO fd 7 read 0 bytes
     ""
1066 TDIXSupport RET read 0
1066 TDIXSupport CALL close(0x7)
1066 TDIXSupport RET close 0
1066 TDIXSupport CALL exit(0xe00002c0)

The trace shows the privilege boundary being crossed: TDIXSupport
(pid 1066) hands the user's argument to security_authtrampoline
(pid 1067, truncated to "security_authtra" by ktrace), which logs
"authexec: executing /sbin/kextload" and execve()s /sbin/kextload
with the argument it was given. kextload then dies with SIGSEGV, and
TDIXSupport only sees end-of-file on its pipe and exits with
0xe00002c0 (the IOKit kIOReturnNoDevice code). Nothing between the
unprivileged caller and the root-privileged kextload inspects the
argument.
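The following is an added example, not Roxio's, Apple's or Netragard's code: the kind of check a helper such as TDIXSupport could apply before handing its argument to a root-privileged kextload. The allowed directory (KEXT_DIR) and the length bound (KEXT_ARG_MAX) are assumptions chosen for illustration, as are the function names. An argument that fails the check never reaches kextload, so neither the format string nor the overflow described above can be triggered through the helper, regardless of whether kextload itself has been fixed.

```c
/* Added example (not from the advisory): argument validation at the
 * unprivileged-to-root boundary of a kextload helper. KEXT_DIR and
 * KEXT_ARG_MAX are assumed values for this illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define KEXT_DIR     "/Library/Application Support/Roxio/"  /* assumed */
#define KEXT_ARG_MAX 512   /* assumed; well below the 1022 bytes that crashed kextload */

/* 1 if arg is acceptable to pass to kextload, 0 otherwise. */
int kext_arg_is_safe(const char *arg)
{
    size_t dirlen = strlen(KEXT_DIR);
    size_t n = strlen(arg);

    if (n <= dirlen || n > KEXT_ARG_MAX)
        return 0;
    /* Absolute path under the one directory the helper is meant to serve. */
    if (strncmp(arg, KEXT_DIR, dirlen) != 0)
        return 0;
    /* Conservative charset for the remainder: no '%', no spaces, no
     * shell metacharacters, so a format string cannot be smuggled in. */
    for (const char *p = arg + dirlen; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-' || c == '/'))
            return 0;
    }
    /* No "." or ".." path components, which would escape KEXT_DIR. */
    if (strstr(arg, "/../") || strstr(arg, "/./") ||
        strcmp(arg + n - 3, "/..") == 0 || strcmp(arg + n - 2, "/.") == 0)
        return 0;
    /* Only a .kext bundle is a sensible thing to hand to kextload. */
    if (n < 5 || strcmp(arg + n - 5, ".kext") != 0)
        return 0;
    return 1;
}

/* Build the argv a helper would pass to execve() for kextload; returns
 * 0 (and leaves argv[0] NULL) when the argument is rejected. */
int build_kextload_argv(const char *arg, const char *argv[3])
{
    argv[0] = NULL;
    if (!kext_arg_is_safe(arg))
        return 0;
    argv[0] = "/sbin/kextload";
    argv[1] = arg;
    argv[2] = NULL;
    return 1;
}

/* Result for KEXT_DIR + pad 'A's + ".kext", to exercise the length bound
 * with the advisory's style of oversized argument. */
int check_padded_arg(size_t pad)
{
    static char buf[4096];
    size_t dirlen = strlen(KEXT_DIR);
    if (dirlen + pad + 6 > sizeof buf)
        return 0;
    memcpy(buf, KEXT_DIR, dirlen);
    memset(buf + dirlen, 'A', pad);
    memcpy(buf + dirlen + pad, ".kext", 6);
    return kext_arg_is_safe(buf);
}

int main(void)
{
    const char *tests[] = {
        "/Library/Application Support/Roxio/TDIXController.kext",
        "%x%x%x%x%x%x%/TDIXController.kext",
        "/Library/Application Support/Roxio/../../../tmp/Evil.kext",
        "/Library/Application Support/Roxio/%x.kext",
    };
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++)
        printf("%d  %s\n", kext_arg_is_safe(tests[i]), tests[i]);
    printf("%d  1022 A's\n", check_padded_arg(1022));
    return 0;
}
```

The check is deliberately an allowlist (fixed prefix, narrow charset, bundle suffix, hard length cap) rather than a blocklist of "%" and "..", so that it also excludes argument shapes nobody has thought of yet; the length cap alone would have stopped both the 1022-byte and the 1000-byte inputs in the advisory.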




[Proof Of Concept]
- ----------------------------------------------------------------------
Buffer Overflow Exploit - being developed
Format String Exploit - being developed




[Vendor Status]
- ----------------------------------------------------------------------
Vendor Notified.




[Disclaimer]
- ---------------------http://www.netragard.com-------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFFCIX2Qwbn1P9Iaa0RArDyAKCfulP2zbivK1cf2EiqRw60c+QDOwCgmPbH
mQGLEyXrmjPbNEpt4yv5Cp0=
=J+0u
-----END PGP SIGNATURE-----
