Monday, 27 November 2006

Mac OS X AppleTalk AIOCREGLOCALZN Ioctl Memory Corruption

Vendor:: Mac
Application:: OS X
Disclosed:: 27-11-06
Description:: Mac OS X AppleTalk protocol handling code is vulnerable to an exploitable memory corruption issue. This particular vulnerability is caused by failure to validate input data in the AIOCREGLOCALZN ioctl command, and can be abused by unprivileged users by opening an AppleTalk socket and issuing the ioctl control command with a crafted data structure.
Author:: LMH - discovery, MoKB release, debugging.
Exploit:: The following proof of concept / exploit can be used to reproduce the bug (requires Xcode/GNU GCC compiler to be installed): MOKB-27-11-2006.c (x86)
gcc MOKB-27-11-2006.c -o MOKB-27-11-2006 && ./MOKB-27-11-2006
It has been tested on an up-to-date (27-11-2006) Mac OS X installation, running on an Intel "shipping" Mac (x86).

alkali:/tmp lmh$ $ gdb /Volumes/KernelDebugKit/mach_kernel -c core-xnu-792.13.8-172.16.0.10-a16a4845
GNU gdb 6.3.50-20050815 (Apple version gdb-573) (Fri Oct 20 15:50:43 GMT 2006)
[...]

This GDB was configured as "i386-apple-darwin"...
#0 Debugger (message=0x3c9540 "panic") at /SourceCache/xnu/xnu-792.13.8/osfmk/i386/AT386/model_dep.c:770
Line number 770 out of range; /SourceCache/xnu/xnu-792.13.8/osfmk/i386/AT386/model_dep.c has 312 lines.
(gdb) source /Volumes/KernelDebugKit/kgmacros
Loading Kernel GDB Macros package. Type "help kgm" for more info.

(gdb) paniclog
panic(cpu 1 caller 0x001A3135): Unresolved kernel trap (CPU 1, Type 14=page fault), registers:
CR0: 0x80010033, CR2: 0x00000000, CR3: 0x00d72000, CR4: 0x000006e0
EAX: 0x00000000, EBX: 0x00000000, ECX: 0x000000f4, EDX: 0x000000f5
CR2: 0x00000000, EBP: 0x00000000, ESI: 0x00000000, EDI: 0x00000000
EFL: 0x00010206, EIP: 0x00000000, CS: 0x00000004, DS: 0x0000000c

Links::
Mac OS X XNU source code for AppleTalk

Sunday, 26 November 2006

Mac OS X Universal Binary Loading Memory Corruption

Vendor:: Mac
Application:: OS X
Disclosed:: 26-11-06
Description:: Mac OS X fails to properly handle corrupted Universal Binaries, leading to an exploitable memory corruption condition with potential risk of kernel-mode arbitrary code execution. This particular vulnerability is caused by an integer overflow in the fatfile_getarch2() function. Local unprivileged users can abuse this issue with specially crafted Mach-O 'Universal' binaries.
Author:: LMH - discovery, MoKB release, debugging.
Exploit:: The following Mach-O 'Universal' binary can be used to reproduce the bug: MOKB-26-11-2006.bz2
bunzip2 MOKB-26-11-2006.bz2 && ./MOKB-26-11-2006

yssupstae:/tmp evets$ gdb /Volumes/KernelDebugKit/mach_kernel -c core-xnu-792.13.8-172.16.0.10-79aa141d
GNU gdb 6.3.50-20050815 (Apple version gdb-573) (Fri Oct 20 15:50:43 GMT 2006)

[...]
This GDB was configured as "i386-apple-darwin"...
#0 Debugger (message=0x3c9540 "panic") at /SourceCache/xnu/xnu-792.13.8/osfmk/i386/AT386/model_dep.c:770
Line number 770 out of range; /SourceCache/xnu/xnu-792.13.8/osfmk/i386/AT386/model_dep.c has 312 lines.
(gdb) source /Volumes/KernelDebugKit/kgmacros
Loading Kernel GDB Macros package. Type "help kgm" for more info.
(gdb) paniclog
panic(cpu 0 caller 0x001A3135): Unresolved kernel trap (CPU 0, Type 14=page fault), registers:
CR0: 0x80010033, CR2: 0x2524200c, CR3: 0x00d72000, CR4: 0x000006e0
EAX: 0x00000000, EBX: 0x3fffff35, ECX: 0x40000002, EDX: 0x00000000
CR2: 0x2524200c, EBP: 0x13fcb8a8, ESI: 0x2524200c, EDI: 0x00ffffff
EFL: 0x00010206, EIP: 0x00369de4, CS: 0x00000004, DS: 0x02ec000c


Links::
Mac OS X ABI Mach-O File Format Reference
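As an added example (not Apple's xnu code and not the PoC binary linked above): a user-space validator for the Mach-O fat header that performs the count and offset arithmetic a loader must do before trusting nfat_arch and each fat_arch slice, with every comparison arranged so that nothing can wrap. The page does not say which expression in fatfile_getarch2() overflows, so the checks are general ones over the documented fat_header/fat_arch layout, not Apple's fix; the sample buffer is constructed here.

```c
#include <stdint.h>
#include <stddef.h>

#define FAT_MAGIC       0xcafebabeU
#define FAT_HEADER_SIZE 8U    /* magic + nfat_arch */
#define FAT_ARCH_SIZE   20U   /* cputype, cpusubtype, offset, size, align */

enum fat_status { FAT_OK = 0, FAT_ERR_SHORT, FAT_ERR_MAGIC, FAT_ERR_NARCH, FAT_ERR_RANGE };

/* Fat headers are stored big-endian regardless of host byte order. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* Check that the arch table and every slice fit inside a file of len bytes.
 * Returns FAT_OK or the first problem found; never reads past buf + len. */
enum fat_status fat_validate(const uint8_t *buf, size_t len)
{
    if (len < FAT_HEADER_SIZE)        return FAT_ERR_SHORT;
    if (be32(buf) != FAT_MAGIC)       return FAT_ERR_MAGIC;
    uint32_t nfat_arch = be32(buf + 4);
    /* Divide rather than multiply: nfat_arch * FAT_ARCH_SIZE wraps in 32 bits
     * for any nfat_arch above 0x0CCCCCCC, the classic integer-overflow shape. */
    if (nfat_arch == 0 || nfat_arch > (len - FAT_HEADER_SIZE) / FAT_ARCH_SIZE)
        return FAT_ERR_NARCH;
    size_t table_end = FAT_HEADER_SIZE + (size_t)nfat_arch * FAT_ARCH_SIZE;
    for (uint32_t i = 0; i < nfat_arch; i++) {
        const uint8_t *a = buf + FAT_HEADER_SIZE + (size_t)i * FAT_ARCH_SIZE;
        uint32_t offset = be32(a + 8), size = be32(a + 12);
        if (offset < table_end)            return FAT_ERR_RANGE; /* overlaps table */
        if (size > UINT32_MAX - offset)    return FAT_ERR_RANGE; /* offset+size wraps */
        if ((size_t)offset + size > len)   return FAT_ERR_RANGE; /* runs off the end */
    }
    return FAT_OK;
}

/* Constructed 64-byte sample with one arch entry; the caller picks the claimed
 * entry count, slice offset and slice size so each failure path can be exercised. */
enum fat_status check_sample(uint32_t nfat_arch, uint32_t offset, uint32_t size)
{
    uint8_t buf[64] = {0};
    put_be32(buf, FAT_MAGIC);
    put_be32(buf + 4, nfat_arch);           /* claimed entry count */
    put_be32(buf + 8 + 8, offset);          /* fat_arch[0].offset */
    put_be32(buf + 8 + 12, size);           /* fat_arch[0].size */
    return fat_validate(buf, sizeof buf);
}
```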

Monday, 6 November 2006

Windows kernel GDI local privilege escalation

Vendor:: Microsoft
Application:: Windows
Disclosed:: 06-11-06
Description:: A vulnerability in the handling of GDI kernel structures of Microsoft Windows leads to an exploitable memory corruption condition, causing a denial of service (so-called BSoD) or arbitrary code execution on successful exploitation. This would allow a local user to escalate privileges, gaining full control of the system.
Author:: Cesar Cerrudo - Contributed proof of concept and information, found vulnerability.
LMH - MoKB release, testing, debugging information.
Exploit:: Cesar's explanation:
Microsoft Windows GDI Kernel data structures are mapped on a global shared memory section that is created automatically on any Windows process that uses GDI objects (process with a GUI, etc.), this section is mapped as read-only, but any process can re-map it as read-write (by default this kernel shared section has read, write, execute permissions), thus processes can write to this section overwriting the GDI kernel data structures, causing a denial of service (BSoD)/ crashing Windows. If certain selected data structures are overwritten with specific data it is possible to perform arbitrary code execution. Affected versions:
  • Microsoft Windows 2000
  • Microsoft Windows 2000 Service Pack 1
  • Microsoft Windows 2000 Service Pack 2
  • Microsoft Windows 2000 Service Pack 3
  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP
  • Microsoft Windows XP Service Pack 1
  • Microsoft Windows XP Service Pack 2

Not affected:

  • Microsoft Windows Server 2003
  • Microsoft Windows Vista (tested with beta 2)
Related debugging information::
typedef struct
{
    DWORD pKernelInfo;
    WORD  ProcessID;
    WORD  _nCount;
    WORD  nUpper;
    WORD  nType;
    DWORD pUserInfo;
} GDITableEntry;

Microsoft (R) Windows Debugger Version 6.4.0007.2
Copyright (c) Microsoft Corporation. All rights reserved.

Opened \\.\pipe\com_1
Waiting to reconnect...
Connected to Windows 2000 2195 x86 compatible target, ptr64 FALSE
Kernel Debugger connection established. (Initial Breakpoint requested)
Symbol search path is: C:\WINDOWS\Symbols
Executable search path is:
Windows 2000 Kernel Version 2195 UP Free x86 compatible
Kernel base = 0x80400000 PsLoadedModuleList = 0x80481580
System Uptime: not available
Break instruction exception - code 80000003 (first chance)
Source Code
Links::
Proof of concept:: GDIKernelPoC.cpp