-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                         VSR Security Advisory
                       http://www.vsecurity.com/

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: Apple HFS+ Information Disclosure Vulnerability
 Release Date: 2011-03-22
  Application: Apple OS X kernel (XNU)
     Versions: All versions <= xnu-1504.7.4
     Severity: Medium
       Author: Dan Rosenberg <drosenberg (at) vsecurity (dot) com> 
Vendor Status: Patch Released [2]
CVE Candidate: CVE-2011-0180
    Reference: http://www.vsecurity.com/resources/advisory/20110322-1/

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
- -------------------
- From [1]:

 "Beneath the appealing, easy-to-use interface of Mac OS X is a rock-solid,
  UNIX-based foundation that is engineered for stability, reliability, and
  performance.  The kernel environment is built on top of Mach 3.0 and provides
  high-performance networking facilities and support for multiple, integrated
  file systems."


Vulnerability Overview
- ----------------------

On June 30th, VSR identified a vulnerability in HFS+, a filesystem implemented
in the OS X XNU kernel.  HFS+ is the default filesystem in use on many
installations of the Mac OS X operating system.  By exploiting this
vulnerability, an unprivileged user with local access to a machine using HFS+
may be able to read raw filesystem data, bypassing file permissions and
resulting in information disclosure.


Vulnerability Details
- ---------------------

Users may interact with the filesystem using the standard ioctl interface.
HFS+ features an ioctl called F_READBOOTSTRAP that allows unprivileged users to
read raw data from an HFS+ filesystem.  The ioctl intends to ensure that this
data is restricted to the first 1024 bytes, where bootstrap information is
stored.  However, due to an integer overflow in the code that attempts to
enforce this restriction, it is possible for an unprivileged user to use this
ioctl to read large portions of filesystem data outside of this byte range,
leading to an information disclosure vulnerability.

The vulnerable check reads as follows, in bsd/hfs/hfs_readwrite.c:

if (user_bootstrapp->fbt_offset + user_bootstrapp->fbt_length > 1024)
  return EINVAL;

If a user provides values for the fbt_offset and fbt_length members such that
their sum overflows and wraps around to an integer less than 1024, portions of
filesystem data outside the intended range will be read and returned to the
user.


Proof-of-Concept Exploit
- ------------------------

VSR has developed a proof-of-concept exploit [3] to both demonstrate the
severity of this issue as well as allow users and administrators to verify the
existence of the vulnerability. The exploit leverages the integer overflow to
read arbitrary amounts of filesystem data at a negative offset from the end of
the filesystem.


Versions Affected
- -----------------
Testing was performed on Darwin Kernel Version 10.4.0, xnu-1504.7.4~1, but
review of older source code suggests that all versions of OS X may be affected.


Vendor Response
- ---------------
The following timeline details Apple's response to the reported issue:

2010-07-01    Apple was provided a draft advisory
2010-07-02    Apple acknowledges receipt of advisory
2010-07-22    Request for confirmation of issue
2010-07-25    Apple confirms issue under investigation
2010-09-02    Request for status update
2010-09-02    Apple confirms fix is being tested
2010-10-13    Request for status update
2010-10-14    Apple confirms fix is planned for undetermined date
2010-11-16    Request for status update
2010-11-16    Apple confirms ship date is set for early 2011
2011-01-18    Request for status update
2011-01-18    Apple confirms ship date for early April
2011-03-21    Apple publishes fix

Apple's advisory may be obtained at:
   http://support.apple.com/kb/HT4581


Recommendation
- --------------
Apply the fix provided by Apple's OS X security update [2].


Common Vulnerabilities and Exposures (CVE) Information
- ------------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned
the number CVE-2011-0180 to this issue.  This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

References:

1. Darwin and Core Technologies 
   http://developer.apple.com/mac/library/documentation/MacOSX/Conceptual/OSX_Technology_Overview/SystemTechnology/SystemTechnology.html 

2. Apple Security Update 2011-001
   http://support.apple.com/kb/HT4581

3. HFS+ F_READBOOTSTRAP information disclosure exploit
   http://www.vsecurity.com/download/tools/hfs-dump.c

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This advisory is distributed for educational purposes only with the sincere 
hope that it will help promote public safety.  This advisory comes with 
absolutely NO WARRANTY; not even the implied warranty of merchantability or 
fitness for a particular purpose.  Virtual Security Research, LLC nor the author 
accepts any liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.

See the VSR disclosure policy for more information on our responsible disclosure
practices:
  http://www.vsecurity.com/disclosurepolicy.html

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
     Copyright 2011 Virtual Security Research, LLC.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk2IyTQACgkQQ1RSUNR+T+h13QCfaDJiFghrnF3/HLMdppiqP/Bq
UrwAn3M/wbWRjXhp/oX1KLZo939FFhNv
=pAH9
-----END PGP SIGNATURE-----