Kernel Fun

MOKB-30-11-2006: Apple Airport Extreme Beacon Frame Denial of Service

2006-11-30T17:19:00.000-08:00

Apple Airport Extreme driver fails to handle certain beacon frames, leading to an out of bounds memory access, resulting in a so-called kernel panic. Other security implications may exist, although this hasn't been verified and no details can be provided until further research is done. This issue is being coordinated with Apple, and under common agreement it's been decided to keep the details private until a fix has been made available to end-users.

More details

MOKB-29-11-2006: Linux 2.6.7 - 2.6.18.3 get_fdb_entries() Integer Overflow

2006-11-29T16:26:00.000-08:00

Linux 2.6.7 - 2.6.18.3 get_fdb_entries() function is vulnerable to an integer overflow condition. This could be abused to force memory allocation of an attacker controlled size. Successful exploitation could allow arbitrary code execution.

More details and debugging information

MOKB-28-11-2006: Mac OS X shared_region_make_private_np() Memory Corruption

2006-11-28T17:35:00.000-08:00

Mac OS X shared_region_make_private_np() system call fails to handle crafted user input, leading to an exploitable memory corruption condition. Unprivileged local users can abuse this issue in order to escalate privileges (via arbitrary code execution) or cause a denial of service.

More details and debugging information
Proof of concept: MOKB-28-11-2006.c

MOKB-27-11-2006: Mac OS X AppleTalk AIOCREGLOCALZN Ioctl Memory Corruption

2006-11-27T14:53:00.000-08:00

Mac OS X AppleTalk protocol handling code is vulnerable to an exploitable memory corruption issue. This particular vulnerability is caused by failure to validate input data in the AIOCREGLOCALZN ioctl command.

More details and debug information
Proof of concept: MOKB-27-11-2006.c (x86)

Notes on MOKB-26-11-2006: otool affected as well

2006-11-26T05:19:00.000-08:00

MOKB-26-11-2006 also exposes a vulnerability in the otool utility:


$ otool -f mach-o_bug_pagefault_univ_1
Fat headers
Segmentation fault

$ gdb /usr/bin/otool
GNU gdb 6.3.50-20050815 (Apple version gdb-573) (Fri Oct 20 15:50:43 GMT 2006)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-apple-darwin"...Reading symbols for shared libraries ... done

(gdb) r -d mach-o_bug_pagefault_univ_1
Starting program: /usr/bin/otool -d mach-o_bug_pagefault_univ_1
Reading symbols for shared libraries . done

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00077000
0x00043585 in ?? ()
(gdb) bt
#0  0x00043585 in ?? ()
#1  0x00008598 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(gdb) info registers
eax            0x0      0
ecx            0x0      0
edx            0x0      0
ebx            0x3ff3e  261950
esp            0xbffff850       0xbffff850
ebp            0xbffff858       0xbffff858
esi            0x76ff0  487408
edi            0x732    1842
eip            0x43585  0x43585
eflags         0x10246  66118
cs             0x17     23
ss             0x1f     31
ds             0x1f     31
es             0x1f     31
fs             0x0      0
gs             0x37     55
(gdb) x/30x 0xbffff858
0xbffff858:     0xbffff8c8      0x00040118      0x0006e008      0x40000002
0xbffff868:     0x00000002      0xbffff8cc      0x00000000      0x00000002
0xbffff878:     0xbffff898      0x8fe0e25a      0x00000000      0x00000000
0xbffff888:     0x00000000      0x00000000      0x615f676e      0x00000002
0xbffff898:     0x00007373      0x79645f5f      0xffffffff      0xffffffff
0xbffff8a8:     0xffffffff      0xbebafeca      0x00000000      0x00000000
0xbffff8b8:     0x00000000      0x0003fddf      0x00000003      0xbffffc5e
0xbffff8c8:     0xbffff988      0x0003ff25

Mac OS X users and developers, beware (and be careful) about what you do with binaries. Especially when trying to analyze some "useless malware proof of concept"...

MOKB-26-11-2006: Mac OS X Universal Binary Loading Memory Corruption

2006-11-26T03:14:00.000-08:00

Mac OS X fails to properly handle corrupted Universal Binaries, leading to an exploitable memory corruption condition with potential risk of kernel-mode arbitrary code execution. This particular vulnerability is caused by an integer overflow in the fatfile_getarch2() function. Local unprivileged users can abuse this issue with specially crafted Mach-O 'Universal' binaries.

More details and debugging information
Proof of concept: MOKB-26-11-2006.bz2

MOKB-25-11-2006: Linux 2.6.x ReiserFS Sync Memory Corruption

2006-11-25T16:27:00.000-08:00

The ReiserFS support code of Linux 2.6.x fails to properly handle crafted data structures, leading to an exploitable memory corruption condition when a sync is being done in a corrupted ReiserFS filesystem.

More details
Proof of concept: MOKB-25-11-2006.img.bz2

MOKB-24-11-2006: Mac OS X kqueue Local Denial of Service

2006-11-24T17:04:00.000-08:00

Inconsistent handling of kqueue and kevent interfaces in the Mac OS X kernel, allows local unprivileged users to cause a denial of service condition. This particular vulnerability can be abused by a process registering a queue and a kernel event via the kevent() call, then spawning a child via fork() and attempting to register another event for the same ("parent") queue.

More details and debugging information
Proof of concept: MOKB-24-11-2006.c.bz2

MOKB-23-11-2006: Mac OS X Mach-O Binary Loading Memory Corruption

2006-11-23T15:23:00.000-08:00

Mac OS X fails to properly handle corrupted Mach-O binaries, leading to an exploitable memory corruption condition. This is triggered by execution of a Mach-O binary with a valid mach_header structure and corrupted load_command data structures. Local unprivileged users can abuse this issue.

More details and debug information
Proof of concept: MOKB-23-11-2006.bz2

More MOKB-20-11-2006 related news

2006-11-22T16:06:00.000-08:00

Apparently, it isn't enough to explain these issues in the most simple possible way. There will be always someone else who doesn't bother reading, checking and, well, there will be always someone willing to say something that doesn't make sense at all.

A blog post is claiming that 'crashing a Mac with a .dmg, has been known for ages'. It doesn't stop there, it even falls in the now clueless logical fallacy that has been used over and over by Mac Zealots and other creatures of Neverland for enough time now:

conveniently ignoring the fact that this is still just a crash, not an exploit, and that not all crashes are actually exploitable anyway.

Too many things mixed there and getting screwed up. Time to stop, space cowboy. Going back to Earth, the definition of a 'crash' in kernel-land has quite a few possible meanings:

locking issues
infinite loops (ex. filesystem code looking for non-existent blocks)
unhandled exceptions (ex. invalid memory access, ala page faults, etc)
handled exceptions (ex. known unsupported condition, poorly written code panicking for no real reason, ala fpathconf() bug, etc).
...

Now define exploit in the context of a kernel-land issue. Basically exploiting a bug a in kernel-land requires some conditions to be met:

influence memory operations (ex. land at controlled memory)
avoid hard locks
avoid corrupting essential spots
change execution flow gracefully

In any case, once you have abused the vulnerable condition, you will have only one chance (normally, although there are exceptions, like modules and other interfaces that can be dynamically loaded and not necessarily get totally screwed up) to subvert the execution flow, until it goes wild and causes your so-called 'crash'. So, what happens upon successful exploitation? You're pwned, Michael Knight.

So, leaving the humorous style. Mac Zealots, please get a life. If something is well beyond your understanding capability, don't worry. Go watch TV, or the iTunes Store.

Reading documentation, debugging, checking the problem, spending hours to understand how something actually works, is obviously a tedious task. It's easier to smoke some pot and mixed hash while listening to Massive Attack and Modest Mouse.

Signed, a proud Macbook, Mac OS X and iPod (it has some indie music too, but not the brainwashing kind it seems, fortunately) user.

MOKB-22-11-2006: NetGear WG311v1 Wireless Driver Long SSID Overflow

2006-11-22T15:29:00.000-08:00

The NetGear WG311v1 wireless adapter (PCI) ships with a version of WG311ND5.SYS that is vulnerable to a heap-based buffer overflow condition. This issue may lead to arbitrary kernel-mode code execution.

More details and debugging information
Proof of concept: auxiliary/dos/wireless/netgear_wg311pci.rb

Alert on MOKB-20-11-2006: Being exploited in the wild?

2006-11-22T10:00:00.000-08:00

I've been contacted by a Mac OS X user about a DMG image being distributed as a supposed 'cracked' version of some software, although it contains the 'shareware' (demonstration, time-limited) version available from the vendor website.

Without further investigation, there are no reasons to think it might be the same bug as the one published in MOKB-20-11-2006. A first look over the hexdump of the file shows that it actually contains corrupted data, yet keeping certain sections of the DMG format itself.

There's no security update from Apple right now, thus I would like to strongly recommend a higher level of caution. Don't download DMG files, don't get them off untrusted sources (ex. P2P networks) and disable the Safari feature for opening this kind of files after downloading (via Preferences -> General -> Open 'safe files' after download).

Due to time limitations, research of this issue might overlap with today's release, leading to a short delay.

MOKB-21-11-2006: Mac OS X Apple UDTO HFS+ Disk Image Denial of Service (1)

2006-11-21T15:27:00.000-08:00

Mac OS X fails to properly handle corrupted UDTO HFS+ image structures (ex. bad sectors), leading to an exploitable denial of service condition. Although it hasn't been checked further, memory corruption is present under certain conditions (in this particular case, unlikely to allow arbitrary code execution).

More details and debugging information
Proof of concept: MOKB-21-11-2006.dmg.bz2 and for Safari users: MOKB-21-11-2006.dmg

MOKB-20-11-2006: Mac OS X Apple UDIF Disk Image Kernel Memory Corruption (1)

2006-11-20T14:23:00.000-08:00

Mac OS X com.apple.AppleDiskImageController fails to properly handle corrupted DMG image structures, leading to an exploitable memory corruption condition with potential kernel-mode arbitrary code execution by unprivileged users.

More details and debugging information
Proof of concept: MOKB-20-11-2006 .dmg.bz2 (needs decompressing), MOKB-20.dmg (direct link for proud Safari users).

MOKB-19-11-2006: Linux 2.6.x NTFS __find_get_block_slow() denial of service

2006-11-19T14:04:00.000-08:00

The NTFS filesystem module of the Linux 2.6.x kernel fails to properly handle corrupted data structures, leading to an exploitable denial of service condition. This issue is similar to that explained in MOKB-05-11-2006.

MOKB-18-11-2006: NetGear MA521 Wireless Driver Long Rates Overflow

2006-11-18T13:24:00.000-08:00

The NetGear MA521 wireless adapter (PCMCIA) ships with a version of MA521nd5.SYS that is vulnerable to a memory corruption condition. This issue may lead to arbitrary kernel-mode code execution.

More details and debugging information
Proof of concept: netgear_ma521_rates.rb

MOKB-17-11-2006: Linux 2.6.x minix_bmap denial of service

2006-11-17T16:28:00.000-08:00

Linux 2.6.x minix filesystem code fails to properly handle corrupted data structures, leading to an exploitable denial of service issue when a crafted fs stream is being mounted.

More details and debugging information
Proof of concept: MOKB-17-11-2006.img.bz2

MOKB-16-11-2006: NetGear WG111v2 Wireless Driver Long Beacon Overflow

2006-11-16T08:16:00.000-08:00

The NetGear WG111v2 wireless adapter (USB) ships with a version of WG111v2.SYS that is vulnerable to a stack-based buffer overflow. This overflow can lead to arbitrary kernel-mode code execution. The overflow occurs when a 802.11 beacon request is received that contains over 1100 bytes of information elements.

More details
Proof of concept: netgear_wg111_beacon.rb

MOKB-15-11-2006: Linux 2.6.x gfs2 init_journal denial of service

2006-11-15T14:09:00.000-08:00

Linux 2.6.x gfs2 filesystem code fails to properly handle corrupted data structures, leading to an exploitable denial of service issue when a crafted stream is being mounted. This particular vulnerability is caused by a NULL pointer dereference in the init_journal function.

More details
Proof of concept: MOKB-15-11-2006.img.bz2

MOKB-14-11-2006: Linux 2.6.x SELinux superblock_doinit denial of service

2006-11-14T12:01:00.000-08:00

Failure to handle mounting of corrupt filesystem streams may lead to a local denial of service condition when SELinux hooks are enabled. This particular vulnerability is caused by a null pointer dereference in the superblock_doinit function.

More details
Proof of concept: MOKB-14-11-2006.img.bz2

MOKB-13-11-2006: D-Link DWL-G132 Wireless Driver Beacon Rates Overflow

2006-11-13T09:38:00.000-08:00

The D-Link DWL-G132 wireless adapter (USB) ships with a version of A5AGU.SYS that is vulnerable to a stack-based buffer overflow. This overflow can lead to arbitrary kernel-mode code execution. The overflow occurs when a 802.11 beacon request is received that contains over 36 bytes in the Rates information element (IE).

More details
Proof of concept: dlink_wifi_rates.rb (Metasploit)

MOKB-12-11-2006: Linux 2.6.x ext2_check_page denial of service

2006-11-12T13:51:00.000-08:00

Linux 2.6.x ext2 filesystem code fails to properly handle corrupted data structures, leading to an exploitable denial of service issue when read operation is being done on a crafted fs stream.

More details
Proof of concept: MOKB-12-11-2006.img.bz2

MOKB-11-11-2006: Broadcom Wireless Driver Probe Response SSID Overflow

2006-11-11T00:04:00.000-08:00

The Broadcom BCMWL5.SYS wireless device driver is vulnerable to a stack-based buffer overflow that can lead to arbitrary kernel-mode code execution. This particular vulnerability is caused by improper handling of 802.11 probe responses containing a long SSID field. The BCMWL5.SYS driver is bundled with new PCs from HP, Dell, Gateway, eMachines, and other computer manufacturers.

More details
Proof of concept: broadcom_wifi_ssid.rb (Metasploit)

MOKB-10-11-2006: Linux 2.6.x ext3fs_dirhash denial of service

2006-11-10T11:55:00.000-08:00

Linux 2.6.x ext3 filesystem code fails to properly handle corrupted data structures, leading to an exploitable denial of service issue with potential fs corruption, when a read operation is done on a crafted ext3 stream.

More details
Proof of concept: MOKB-10-11-2006.img.bz2

MOKB-09-11-2006: Mac OS X fpathconf() syscall denial of service

2006-11-09T06:24:00.000-08:00

Failure to handle unknown file types by the Mac OS X kernel (XNU) fpathconf() syscall causes a kernel panic, leading to an exploitable local denial of service by non-privileged users. The bug was fixed by FreeBSD on Tue Jun 27 23:08:36 2000 UTC (6 years, 4 months ago).

MOKB-08-11-2006: FreeBSD 6.1 UFS filesystem ffs_rdextattr() integer overflow

2006-11-08T10:52:00.000-08:00

The UFS filesystem handling code of the FreeBSD 6.1 kernel fails to properly handle corrupted data structures, leading to exploitable memory corruption (DoS) issues and possible arbitrary code execution. This particular vulnerability is caused by an integer overflow, similar to MOKB-03-11-2006.

More details and debug information
Proof of concept: MOKB-08-11-2006.img.bz2
Related to MOKB-03-11-2006: FreeBSD 6.1 UFS filesystem ffs_mountfs() integer overflow

MOKB-07-11-2006: Linux 2.6.x zlib_inflate memory corruption

2006-11-07T13:34:00.000-08:00

Linux 2.6.x zlib_inflate function can be abused by filesystems that depend on zlib compression, such as cramfs. A failure to handle crafted data, result of a read operation in a corrupted filesystem stream, may lead to memory corruption. This particular vulnerability requires a filesystem (proof of concept for cramfs provided) to fail validation (ex. no integrity checking) of the binary stream in order to reach execution of zlib_inflate()

More details and debug information
Proof of concept: MOKB-07-11-2006.img.bz2

MOKB-06-11-2006: Microsoft Windows kernel GDI local privilege escalation

2006-11-06T06:39:00.000-08:00

A vulnerability in the handling of GDI kernel structures of Microsoft Windows leads to an exploitable memory corruption condition, causing a denial of service (so-called BSoD) or arbitrary code execution on successful exploitation. This would allow a local user to escalate privileges, gaining full control of the system.

More details and debug information
Proof of concept: GDIKernelPoC.cpp

MOKB-05-11-2006: Linux 2.6.x ISO9660 __find_get_block_slow() denial of service

2006-11-05T10:15:00.000-08:00

The ISO9660 filesystem handling code of the Linux 2.6.x kernel fails to properly handle corrupted data structures, leading to an exploitable denial of service condition. This particular vulnerability seems to be caused by a race condition and a signedness issue.

More details and debug information
Proof of concept: MOKB-05-11-2006.iso.bz2

Uncompress, burn, plug, mayhem.

"The sky fell down when I plugged it,
The green of the wallpaper countryside has turned to blue,
I had the CD right on my fingertips,
...
Frank Sinatra, "The Sky Fell Down" (remix).

MOKB-04-11-2006: Solaris 10 UFS filesystem alloccgblk denial of service

2006-11-04T13:43:00.000-08:00

The UFS filesystem handling code of the Solaris 10 kernel fails to properly handle corrupted data structures, leading to an exploitable denial of service issue and potential loss of data or corruption of the local UFS filesystems, due to memory corruption.

More details and debug information
Proof of concept: MOKB-04-11-2006.img.gz

MOKB-03-11-2006: FreeBSD 6.1 UFS filesystem ffs_mountfs() integer overflow

2006-11-03T11:17:00.000-08:00

The UFS filesystem handling code of the FreeBSD 6.1 kernel fails to properly handle corrupted data structures, leading to exploitable memory corruption (DoS) issues and possible arbitrary code execution. This particular vulnerability is caused by an integer overflow at ffs_mountfs() function.

More details:

http://projects.info-pull.com/mokb/MOKB-03-11-2006.html

MOKB-02-11-2006: Linux 2.6.x squashfs double free

2006-11-02T06:35:00.000-08:00

The squashfs module of the Linux kernel (2.6.x) fails to properly handle corrupted fs structures, leading to a denial of service and possible data corruption condition. A specially crafted squashfs image will cause the kernel to double free a buffer when a read operation is performed on the corrupted filesystem.

More details:

MoKB starts: MOKB-01-11-2006 - Apple Airport 802.11 Probe Response Kernel Memory Corruption

2006-11-01T07:41:00.000-08:00

The Month of Kernel Bugs has started. The first bug is a memory corruption vulnerability found and contributed by fellow H D Moore.

The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs) is vulnerable to a remote memory corruption flaw. When the driver is placed into active scanning mode, a malformed probe response frame can be used to corrupt internal kernel structures, leading to arbitrary code execution.

With all the hype and buzz about the now infamous Apple wireless device driver bugs (brought to attention at Black Hat, by Johnny Cache and David Maynor, covered up and FUD'ed by others), hopefully this will bring some light (better said, proof) about the existence of such flaws in the Airport device drivers.

The vulnerability details and proof of concept code can be found in the MOKB-01-11-2006 page.

Trick or treat? Happy Halloween.