-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

******************** Netragard, L.L.C Advisory ********************
~ Strategic Reconnaissance Team ~
------------------------------------------------
~ http://www.netragard.com -- "We make I.T. Safe."

[About Netragard]
- ----------------------------------------------------------------------
Netragard is a unique I.T. Security company whose services are fortified
by continual vulnerability research and development. This ongoing
research, which is performed by our Strategic Reconnaissance Team,
specifically focuses on Operating Systems, Software Products and Web
Applications commonly used by businesses internationally. We apply the
knowledge gained by performing this research to our professional
security services. This in turn enables us to produce high quality
deliverables that are the product of talented security professionals
and not those of automated scanners and tools. This advisory is the
product of research done by the Strategic Reconnaissance Team.

[Official URL]
- ----------------------------------------------------------------------
http://www.netragard.com/pdfs/research/apple-kext-tools-20060822.txt

[Advisory Information]
- ----------------------------------------------------------------------
Contact               : Adriel T. Desautels
Advisory ID           : NETRAGARD-20060822
Product Name          : Apple OSX
Product Version       : ALL
Helper Application    : Roxio Toast 7 Titanium
Vendor Name           : Apple Computer Corporation
Type of Vulnerability : Local Root Compromise (via kextload)
Effort                : Easy
Operating System      : OSX
- ----------------------------------------------------------------------
Other                 : A vulnerability exists in the OSX kextload
                        program which affects the security of Roxio
                        Toast 7 and may affect other applications.
This advisory contains two vulnerabilities in the kextload program:

  1-) Format String Vulnerability
  2-) Buffer Overflow Vulnerability

[Product Description]
- ----------------------------------------------------------------------
"Toast 7 is the best way to save, share and enjoy a lifetime of digital
music, movies and photos on CD and DVD. Burn large files across multiple
discs; compress and copy DVD movies; add over 50 hours of music to an
audio DVD with on-screen TV menus, shuffle play, and rich Dolby Digital
sound; burn DivX files into DVDs. Do it all with the fastest and most
reliable burning software for the Mac OS - Toast."
- --http://www.roxio.com--

[Technical Summary]
- ----------------------------------------------------------------------
Roxio Toast executes the kextload command with root privileges. The
kextload command contains two vulnerabilities which can be exploited by
a local user to gain local root access to the system. This advisory
outlines both issues.

The kextload program is used to explicitly load kernel extensions
(kexts), validate them to see that they can be loaded by other
mechanisms, such as kextd(8), and to generate symbol files for debugging
the kext in a running kernel. In order to load a kext into the kernel,
kextload must be invoked as the superuser; for all other uses it can be
invoked by any user.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! Important Note: A user requires root to run kextload properly or !!
!!                 kextload needs to be run by a helper application !!
!!                 with root privileges.                            !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

[Technical Details]
- ----------------------------------------------------------------------
1-) kextload format string vulnerability.

Executing "sudo kextload %x.%x.%x.%x.%x.%x" demonstrates the
vulnerability.
The code which enables this format string vulnerability can be found in
"prelink.c" and reads as:

    fprintf(stderr, kext_path);

netragard-test$ sudo kextload %x.%x.%x.%x.%x.%x
kextload: /Users/test/90b4b6ca.1c.69737473.65206578.68206275.6e646c65:\
no such bundle file exists
can't add kernel extension %x.%x.%x.%x.%x.%x (file access/permissions\
)
(run kextload on this kext with -t for diagnostic output)

2-) Buffer Overflow Vulnerability

Executing kextload `perl -e 'print "A" x 1022'` causes a buffer
overflow. We can see that critical memory segments have been overwritten
by "A" in the example below. (A is represented as 0x41)

(gdb) r `perl -e 'print "A" x 1023'`
Starting program: /sbin/kextload `perl -e 'print "A" x 1023'`
memory allocation or string conversion error

Program exited with code 01.
(gdb) r `perl -e 'print "A" x 1022'`
Starting program: /sbin/kextload `perl -e 'print "A" x 1022'`

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x41414149
0x90bf37a4 in _KXKextManagerLogMessageAtLevel ()

3-) How does this affect Roxio Toast 7 (and any other application that
calls kextload)?

When Roxio Toast 7 calls the kextload command it uses root privileges.
When an attacker successfully attacks the kextload vulnerability using
Roxio Toast 7 as the helper application the attacker is able to steal
the root privileges and gain root level access to the system.
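The following is an added example, not code from Netragard, Apple or Roxio. It places the fprintf(stderr, kext_path) pattern quoted from prelink.c beside a hardened form that passes the path as a %s argument, replaces an unchecked copy into a fixed buffer with one that refuses oversized input, and shows the kind of argument check a root-privileged helper in the position of TDIXSupport could apply before handing a user-supplied path to kextload. The function names, the 1024-byte buffer size and the use of the Roxio support directory as a fixed prefix are assumptions made for this example; the advisory does not state kextload's real buffer size or the helper's internal logic.

```c
/*
 * Added example (not Netragard's, Apple's or Roxio's code): unsafe logging
 * pattern vs. hardened form, a bounded copy, and an argument filter for a
 * root-privileged helper. PATH_LIMIT, the function names and the expected
 * path prefix are assumptions for illustration only.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_LIMIT 1024   /* assumed fixed-buffer size; not kextload's real size */

#if 0
/* The pattern quoted in the advisory: the user-controlled path *is* the
 * format string, so conversions such as %x inside it are interpreted. */
static void log_path_unsafe(const char *kext_path)
{
    fprintf(stderr, kext_path);
}
#endif

/* Hardened form: constant format string, user data passed as a %s argument.
 * Returns the number of characters the full message needs (snprintf). */
static int log_path_safe(char *buf, size_t bufsz, const char *kext_path)
{
    return snprintf(buf, bufsz, "kextload: %s: no such bundle file exists", kext_path);
}

/* Length of s, stopping at max so an unterminated input cannot run away. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Bounded copy: refuse input that would not fit rather than overrunning dst.
 * Returns 0 on success, -1 if src (with its terminator) exceeds dstsz. */
static int copy_path_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t len = bounded_len(src, dstsz);
    if (len >= dstsz)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Argument filter for a privileged helper: accept only a bounded, plain
 * .kext path under the expected directory, containing no '%' (format
 * conversions) and no ".." components. The prefix is taken from the
 * advisory's transcript; treating it as a fixed directory is an assumption. */
static int helper_argument_ok(const char *arg)
{
    static const char prefix[] = "/Library/Application Support/Roxio/";
    size_t len = bounded_len(arg, PATH_LIMIT);
    const char *dot;

    if (len >= PATH_LIMIT)
        return 0;
    if (strncmp(arg, prefix, sizeof prefix - 1) != 0)
        return 0;
    if (strchr(arg, '%') != NULL || strstr(arg, "..") != NULL)
        return 0;
    dot = strrchr(arg, '.');
    if (dot == NULL || strcmp(dot, ".kext") != 0)
        return 0;
    return 1;
}

/* Self-check: does the safe logger keep the input (e.g. "%x.%x") literal? */
static int format_kept_literal(const char *input)
{
    char buf[256];
    int n = log_path_safe(buf, sizeof buf, input);
    return n > 0 && (size_t)n < sizeof buf && strstr(buf, input) != NULL;
}

/* Self-check: does a constructed run of n 'A's pass the bounded copy?
 * Returns the copy's result (0 fits, -1 rejected) or -2 on allocation failure. */
static int copy_of_length_fits(size_t n)
{
    char dst[PATH_LIMIT];
    char *src = malloc(n + 1);
    int rc;
    if (src == NULL)
        return -2;
    memset(src, 'A', n);
    src[n] = '\0';
    rc = copy_path_bounded(dst, sizeof dst, src);
    free(src);
    return rc;
}

int main(void)
{
    printf("%%x kept literal: %d\n", format_kept_literal("%x.%x.%x.%x"));
    printf("1023 A's fit: %d, 1024 A's fit: %d\n",
           copy_of_length_fits(1023), copy_of_length_fits(1024));
    printf("valid path ok: %d, path with %% ok: %d\n",
           helper_argument_ok("/Library/Application Support/Roxio/TDIXController.kext"),
           helper_argument_ok("/Library/Application Support/Roxio/%x%x%x/TDIXController.kext"));
    return 0;
}
```

The two fixes that matter for kextload itself are the constant format string and the length check before any fixed-size copy; the helper-side filter is defence in depth, since a setuid or authexec-launched helper that forwards unvalidated arguments to another root process inherits every bug in that process.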
4-) Example of kextload format string vulnerability affecting
TDIXSupport

netragard-test:$ ./TDIXSupport %x%x%x%x%x%x%/TDIXController.kext
kextload: /Library/Application Support/Roxio/90b4b6ca1c69737473652065\
78682062756e646c65/TDIXController.kext: no such bundle file exists
can't add kernel extension %x%x%x%x%x%x%/TDIXController.kext (file ac\
cess/permissions)
(run kextload on this kext with -t for diagnostic o\
utput)

5-) Example kextload buffer overflow vulnerability affecting
TDIXSupport

netragard-test:$ sudo ktrace -di ./TDIXSupport `perl -e 'print "A" x \
1000'`/TDIXController.kext
...
  1067 security_authtra CALL  sendto(0x7,0xbfffde14,0x36,0,0,0)
  1067 security_authtra GIO   fd 7 wrote 54 bytes
       "<37>Jul  8 11:31:58 authexec: executing /sbin/kextload"
  1067 security_authtra RET   sendto 54/0x36
  1067 security_authtra CALL  execve(0xbfffec61,0xbfffebb4,0x300af0)
  1067 security_authtra NAMI  "/sbin/kextload"
...
  1067 kextload         PSIG  SIGSEGV SIG_DFL
  1066 TDIXSupport      GIO   fd 7 read 0 bytes
       ""
  1066 TDIXSupport      RET   read 0
  1066 TDIXSupport      CALL  close(0x7)
  1066 TDIXSupport      RET   close 0
  1066 TDIXSupport      CALL  exit(0xe00002c0)

[Proof Of Concept]
- ----------------------------------------------------------------------
Buffer Overflow Exploit - being developed
Format String Exploit   - being developed

[Vendor Status]
- ----------------------------------------------------------------------
Vendor Notified.

[Disclaimer]
- ---------------------http://www.netragard.com-------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFFCIX2Qwbn1P9Iaa0RArDyAKCfulP2zbivK1cf2EiqRw60c+QDOwCgmPbH
mQGLEyXrmjPbNEpt4yv5Cp0=
=J+0u
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/