Thursday, November 30, 2006

MOKB-30-11-2006: Apple Airport Extreme Beacon Frame Denial of Service

Apple Airport Extreme driver fails to handle certain beacon frames, leading to an out of bounds memory access, resulting in a so-called kernel panic. Other security implications may exist, although this hasn't been verified and no details can be provided until further research is done. This issue is being coordinated with Apple, and under common agreement it's been decided to keep the details private until a fix has been made available to end-users.

Wednesday, November 29, 2006

MOKB-29-11-2006: Linux 2.6.7 - get_fdb_entries() Integer Overflow

Linux 2.6.7 - get_fdb_entries() function is vulnerable to an integer overflow condition. This could be abused to force memory allocation of an attacker controlled size. Successful exploitation could allow arbitrary code execution.

Tuesday, November 28, 2006

MOKB-28-11-2006: Mac OS X shared_region_make_private_np() Memory Corruption

Mac OS X shared_region_make_private_np() system call fails to handle crafted user input, leading to an exploitable memory corruption condition. Unprivileged local users can abuse this issue in order to escalate privileges (via arbitrary code execution) or cause a denial of service.

Monday, November 27, 2006

MOKB-27-11-2006: Mac OS X AppleTalk AIOCREGLOCALZN Ioctl Memory Corruption

Mac OS X AppleTalk protocol handling code is vulnerable to an exploitable memory corruption issue. This particular vulnerability is caused by failure to validate input data in the AIOCREGLOCALZN ioctl command.

Sunday, November 26, 2006

Notes on MOKB-26-11-2006: otool affected as well

MOKB-26-11-2006 also exposes a vulnerability in the otool utility:

$ otool -f mach-o_bug_pagefault_univ_1
Fat headers
Segmentation fault

$ gdb /usr/bin/otool
GNU gdb 6.3.50-20050815 (Apple version gdb-573) (Fri Oct 20 15:50:43 GMT 2006)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-apple-darwin"...Reading symbols for shared libraries ... done

(gdb) r -d mach-o_bug_pagefault_univ_1
Starting program: /usr/bin/otool -d mach-o_bug_pagefault_univ_1
Reading symbols for shared libraries . done

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00077000
0x00043585 in ?? ()
(gdb) bt
#0 0x00043585 in ?? ()
#1 0x00008598 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(gdb) info registers
eax 0x0 0
ecx 0x0 0
edx 0x0 0
ebx 0x3ff3e 261950
esp 0xbffff850 0xbffff850
ebp 0xbffff858 0xbffff858
esi 0x76ff0 487408
edi 0x732 1842
eip 0x43585 0x43585
eflags 0x10246 66118
cs 0x17 23
ss 0x1f 31
ds 0x1f 31
es 0x1f 31
fs 0x0 0
gs 0x37 55
(gdb) x/30x 0xbffff858
0xbffff858: 0xbffff8c8 0x00040118 0x0006e008 0x40000002
0xbffff868: 0x00000002 0xbffff8cc 0x00000000 0x00000002
0xbffff878: 0xbffff898 0x8fe0e25a 0x00000000 0x00000000
0xbffff888: 0x00000000 0x00000000 0x615f676e 0x00000002
0xbffff898: 0x00007373 0x79645f5f 0xffffffff 0xffffffff
0xbffff8a8: 0xffffffff 0xbebafeca 0x00000000 0x00000000
0xbffff8b8: 0x00000000 0x0003fddf 0x00000003 0xbffffc5e
0xbffff8c8: 0xbffff988 0x0003ff25

Mac OS X users and developers, beware (and be careful) about what you do with binaries. Especially when trying to analyze some "useless malware proof of concept"...

MOKB-26-11-2006: Mac OS X Universal Binary Loading Memory Corruption

Mac OS X fails to properly handle corrupted Universal Binaries, leading to an exploitable memory corruption condition with potential risk of kernel-mode arbitrary code execution. This particular vulnerability is caused by an integer overflow in the fatfile_getarch2() function. Local unprivileged users can abuse this issue with specially crafted Mach-O 'Universal' binaries.

Saturday, November 25, 2006

MOKB-25-11-2006: Linux 2.6.x ReiserFS Sync Memory Corruption

The ReiserFS support code of Linux 2.6.x fails to properly handle crafted data structures, leading to an exploitable memory corruption condition when a sync is being done in a corrupted ReiserFS filesystem.