
Subject: [Full-disclosure] [NETRAGARD-20060822 SECURITY ADVISORY] [ APPLE COMPUTER CORPORATION KEXTLOAD VULNERABILITY + ROXIO TOAST TITANIUM 7 HELPER APP - LOCAL ROOT COMPROMISE]
Date: Wed, 13 Sep 2006 18:28:16 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

******************** Netragard, L.L.C. Advisory ********************


Strategic Reconnaissance Team

               ------------------------------------------------
               http://www.netragard.com -- "We make I.T. Safe."



[About Netragard]
- ----------------------------------------------------------------------
Netragard is a unique I.T. Security company whose services are fortified
by continual vulnerability research and development. This ongoing
research, which is performed by our Strategic Reconnaissance
Team, specifically focuses on Operating Systems, Software Products and
Web Applications commonly used by businesses internationally. We apply
the knowledge gained by performing this research to our professional
security services. This in turn enables us to produce high quality
deliverables that are the product of talented security professionals and
not those of automated scanners and tools.  This advisory is the product
of research done by the Strategic Reconnaissance Team.


[Official URL]
- ----------------------------------------------------------------------
http://www.netragard.com/pdfs/research/apple-kext-tools-20060822.txt


[Advisory Information]
- ----------------------------------------------------------------------
Contact                 : Adriel T. Desautels
Advisory ID             : NETRAGARD-20060822
Product Name            : Apple OSX
Product Version         : ALL
Helper Application      : Roxio Toast 7 Titanium
Vendor Name             : Apple Computer Corporation
Type of Vulnerability   : Local Root Compromise (via kextload)
Effort                  : Easy
Operating System        : OSX
Other                   : A vulnerability exists in the OSX kextload
                          program which affects the security of Roxio
                          Toast 7 and may affect other applications.

                          This advisory covers two vulnerabilities in
                          the kextload program:

                          1-) Format String Vulnerability
                          2-) Buffer Overflow Vulnerability


[Product Description]
- ----------------------------------------------------------------------
"Toast 7 is the best way to save, share and enjoy a lifetime of digital
music, movies and photos on CD and DVD. Burn large files across multiple
discs; compress and copy DVD movies; add over 50 hours of music to an
audio DVD with on-screen TV menus, shuffle play, and rich Dolby Digital
sound; burn DivX files into DVDs. Do it all with the fastest and most
reliable burning software for the Mac OS - Toast."

- --http://www.roxio.com--



[Technical Summary]
- ----------------------------------------------------------------------
Roxio Toast executes the kextload command with root privileges. The
kextload command contains two vulnerabilities which can be exploited
by a local user to gain local root access to the system. This advisory
outlines both issues.

The kextload program is used to explicitly load kernel extensions
(kexts), validate them to see that they can be loaded by other
mechanisms, such as kextd(8), and to generate symbol files for
debugging the kext in a running kernel. In order to load a kext into
the kernel, kextload must be invoked as the superuser; for all other
uses it can be invoked by any user.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! Important Note: A user requires root to run kextload properly, or !!
!!                 kextload needs to be run by a helper application  !!
!!                 with root privileges.                             !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!




[Technical Details]
- ----------------------------------------------------------------------
1-) kextload format string vulnerability.

Executing "sudo kextload %x.%x.%x.%x.%x.%x" demonstrates the
vulnerability. The code which enables this format string
vulnerability can be found in "prelink.c" and reads as follows:

fprintf(stderr, kext_path);

netragard-test$ sudo kextload %x.%x.%x.%x.%x.%x
kextload: /Users/test/90b4b6ca.1c.69737473.65206578.68206275.6e646c65:\
no such bundle file exists
can't add kernel extension %x.%x.%x.%x.%x.%x (file access/permissions\
) (run kextload on this kext with -t for diagnostic output)

2-) Buffer Overflow Vulnerability

Executing kextload `perl -e 'print "A" x 1022'` causes a
buffer overflow. We can see that critical memory segments
have been overwritten by "A" in the example below.

(A is represented as 0x41)

(gdb) r `perl -e 'print "A" x 1023'`
Starting program: /sbin/kextload `perl -e 'print "A" x 1023'`
memory allocation or string conversion error
Program exited with code 01.

(gdb) r `perl -e 'print "A" x 1022'`
Starting program: /sbin/kextload `perl -e 'print "A" x 1022'`
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x41414149
0x90bf37a4 in _KXKextManagerLogMessageAtLevel ()
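As an added illustration (not code from the advisory, from Apple's kextload, or from Roxio), the C program below places the vulnerable call quoted in section 1 beside a hardened form for each of the two defects: the format string becomes a constant with the path passed as a "%s" data argument, and the path copy is bounded by the destination size. The 1024-byte buffer size, the function names and the message text are assumptions made for the example; the advisory does not state the size of kextload's real internal buffer, so the exact length at which the hardened copy starts refusing input is not the one observed in the gdb session above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for this example only; the advisory does not state
 * the size of kextload's real internal buffer. */
#define KEXT_PATH_MAX 1024

/* Defect 1, format string. The advisory quotes the vulnerable call as
 *
 *     fprintf(stderr, kext_path);
 *
 * where kext_path comes from the command line, so "%x" or "%n" directives
 * in it are interpreted by printf. The hardened form below uses a constant
 * format and passes the path as a "%s" data argument, so any directives it
 * contains are printed literally. Returns a pointer to a static buffer
 * holding the formatted message. */
const char *kext_error_message(const char *kext_path)
{
    static char msg[KEXT_PATH_MAX + 64];
    snprintf(msg, sizeof msg, "kextload: %s: no such bundle file exists",
             kext_path);
    return msg;
}

/* Defect 2, buffer overflow. A fixed-size destination is only written
 * after checking that the source (plus its terminating NUL) fits; input
 * that does not fit is rejected with -1 instead of overwriting adjacent
 * memory. Returns 0 on success. */
int copy_kext_path(char *dst, size_t dst_len, const char *src)
{
    size_t len = strlen(src);
    if (len >= dst_len)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Mirrors the advisory's `perl -e 'print "A" x N'` probe: builds a
 * constructed argument of n 'A' bytes and returns what the bounded copy
 * reports for it (0 accepted, -1 refused). */
int accepts_path_of_length(size_t n)
{
    char buf[KEXT_PATH_MAX];
    char *arg = malloc(n + 1);
    int rc;
    if (arg == NULL)
        return -1;
    memset(arg, 'A', n);
    arg[n] = '\0';
    rc = copy_kext_path(buf, sizeof buf, arg);
    free(arg);
    return rc;
}

int main(void)
{
    /* Constructed input resembling the advisory's "%x.%x.%x" probe. */
    const char *probe = "%x.%x.%x.%x.%x.%x";
    printf("%s\n", kext_error_message(probe));
    printf("1022 bytes: %d, 1024 bytes: %d\n",
           accepts_path_of_length(1022), accepts_path_of_length(1024));
    return 0;
}
```

Compile with any C compiler and run without arguments: the first line printed shows the probe's directives reproduced verbatim instead of being expanded into stack contents, and the second shows the bounded copy accepting a 1022-byte argument and refusing 1024 bytes. The same pattern, constant format plus "%s" and a length check before every copy, is the fix a code review should look for in any program that echoes a user-supplied path into a diagnostic.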

3-) How does this affect Roxio Toast 7 (and any other application that
    calls kextload)?

When Roxio Toast 7 calls the kextload command, it does so with root
privileges. An attacker who successfully exploits the kextload
vulnerability through Roxio Toast 7 as the helper application inherits
those root privileges and gains root-level access to the system.

4-) Example of kextload format string vulnerability affecting
    TDIXSupport

netragard-test:$ ./TDIXSupport %x%x%x%x%x%x%/TDIXController.kext
kextload: /Library/Application Support/Roxio/90b4b6ca1c69737473652065\
78682062756e646c65/TDIXController.kext: no such bundle file exists
can't add kernel extension %x%x%x%x%x%x%/TDIXController.kext (file ac\
cess/permissions) (run kextload on this kext with -t for diagnostic o\
utput)

5-) Example of kextload buffer overflow vulnerability affecting
    TDIXSupport

netragard-test:$ sudo ktrace -di ./TDIXSupport `perl -e 'print "A" x \
1000'`/TDIXController.kext
...
1067 security_authtra CALL  sendto(0x7,0xbfffde14,0x36,0,0,0)
1067 security_authtra GIO   fd 7 wrote 54 bytes
       "<37>Jul  8 11:31:58 authexec: executing /sbin/kextload"
1067 security_authtra RET   sendto 54/0x36
1067 security_authtra CALL  execve(0xbfffec61,0xbfffebb4,0x300af0)
1067 security_authtra NAMI  "/sbin/kextload"
...
1067 kextload PSIG  SIGSEGV SIG_DFL
1066 TDIXSupport GIO   fd 7 read 0 bytes
       ""
1066 TDIXSupport RET   read 0
1066 TDIXSupport CALL  close(0x7)
1066 TDIXSupport RET   close 0
1066 TDIXSupport CALL  exit(0xe00002c0)
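Sections 3 to 5 show the helper (TDIXSupport) handing its command-line argument straight to a root-privileged kextload, which is how the kextload defects become a local root compromise. As an added example, not code from Roxio, Apple or the advisory, the C functions below show the kind of allowlist check a privileged helper can apply to such an argument before building the bundle path: the value must be a relative name made only of letters, digits, '.', '_', '-' and '/', must contain no ".." component, must end in ".kext" and must fit a bounded buffer. The support directory (taken from the path printed in section 4), the 256-byte cap, the function names and the sample arguments are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumptions for this example: the helper's bundle directory (as it
 * appears in the advisory's section 4 output) and a length cap. */
#define KEXT_DIR      "/Library/Application Support/Roxio/"
#define KEXT_ARG_MAX  256

/* Returns 0 if an untrusted command-line argument is acceptable as a
 * relative kext bundle path, -1 otherwise. The allowlist rejects format
 * directives ('%'), path traversal (".." components), absolute paths and
 * overlong input before the value reaches a privileged command. */
int validate_kext_arg(const char *arg)
{
    const char *suffix = ".kext";
    size_t slen = strlen(suffix);
    size_t len = strlen(arg);
    size_t i;

    if (len == 0 || len >= KEXT_ARG_MAX)
        return -1;
    if (arg[0] == '/')                       /* must stay inside KEXT_DIR */
        return -1;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-' || c == '/'))
            return -1;                       /* '%', spaces, etc. rejected */
    }
    /* Reject ".." only as a whole path component: at the start or after
     * a '/', and followed by a '/' or the end of the string. */
    for (i = 0; i + 1 < len; i++) {
        if (arg[i] == '.' && arg[i + 1] == '.' &&
            (i == 0 || arg[i - 1] == '/') &&
            (i + 2 == len || arg[i + 2] == '/'))
            return -1;
    }
    if (len < slen || strcmp(arg + len - slen, suffix) != 0)
        return -1;
    return 0;
}

/* Builds the full bundle path only for a validated argument and returns
 * NULL otherwise, so a rejected value cannot be passed on by mistake.
 * The result points to a static buffer. */
const char *build_kext_path(const char *arg)
{
    static char path[sizeof KEXT_DIR + KEXT_ARG_MAX];
    if (validate_kext_arg(arg) != 0)
        return NULL;
    snprintf(path, sizeof path, "%s%s", KEXT_DIR, arg);
    return path;
}

int main(void)
{
    /* Constructed sample arguments; the second is the probe from section 4. */
    const char *samples[] = {
        "TDIXController.kext",
        "%x%x%x%x%x%x%/TDIXController.kext",
        "../Other/Foo.kext",
        "TDIXController",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *p = build_kext_path(samples[i]);
        printf("%-36s -> %s\n", samples[i], p ? p : "rejected");
    }
    return 0;
}
```

This does not replace fixing kextload itself, which is the component at fault; it narrows what a root-privileged helper will forward, so a defect in the command it invokes is harder to reach from an unprivileged account. Of the four sample arguments, only the plain bundle name is accepted.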




[Proof Of Concept]
- ----------------------------------------------------------------------
Buffer Overflow Exploit - being developed
Format String Exploit   - being developed




[Vendor Status]
- ----------------------------------------------------------------------
Vendor Notified.




[Disclaimer]
- ---------------------http://www.netragard.com-------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFFCIX2Qwbn1P9Iaa0RArDyAKCfulP2zbivK1cf2EiqRw60c+QDOwCgmPbH
mQGLEyXrmjPbNEpt4yv5Cp0=
=J+0u
-----END PGP SIGNATURE-----
