Wednesday, January 10, 2007

MOAB-10-01-2007: Apple DMG UFS ffs_mountfs() Integer Overflow Vulnerability

The ffs_mountfs() function, part of the UFS filesystem handling code shared between FreeBSD and the Mac OS X XNU kernel, is affected by an integer overflow vulnerability that leads to an exploitable denial of service condition and potentially to arbitrary code execution.
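The advisory does not say which superblock fields are involved, so the following is an added illustration of the bug class rather than the XNU or FreeBSD code: a mount routine that sizes a buffer from two 32-bit on-disk values, once with unchecked multiplication (which wraps) and once with a division-based overflow check that rejects the image. The struct, field names (frag_size, frag_count), cap and function names are all constructed for this example and are not UFS identifiers.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified "superblock": two 32-bit fields read straight from
 * the untrusted image. These names are illustrative, not UFS's real fields. */
struct toy_superblock {
    uint32_t frag_size;   /* bytes per fragment, as stored on disk */
    uint32_t frag_count;  /* number of fragments to buffer at mount time */
};

/* Largest buffer this toy mount code is willing to allocate (an assumption). */
#define TOY_MAX_BUFFER_BYTES (16u * 1024u * 1024u)

/* Unchecked arithmetic: the product is computed in 32 bits and silently wraps,
 * so a crafted image can make the allocation far smaller than the data later
 * copied into it. Returned for comparison only; never use this for sizing. */
uint32_t toy_buffer_size_unchecked(const struct toy_superblock *sb)
{
    return sb->frag_size * sb->frag_count;
}

/* Checked arithmetic: refuse the mount when either field is zero, when the
 * product would overflow, or when it exceeds the cap. The division form keeps
 * the check portable (no reliance on __builtin_mul_overflow). Returns 0 on
 * success and writes the byte count to *out; returns -1 on rejection. */
int toy_buffer_size_checked(const struct toy_superblock *sb, size_t *out)
{
    if (sb->frag_size == 0 || sb->frag_count == 0)
        return -1;
    if (sb->frag_size > TOY_MAX_BUFFER_BYTES / sb->frag_count)
        return -1;                     /* would overflow or exceed the cap */
    *out = (size_t)sb->frag_size * (size_t)sb->frag_count;
    return 0;
}

/* Toy mount: validate, allocate and zero the buffer. Returns 1 if the image
 * was accepted, 0 if it was rejected. Copies nothing from the image itself. */
int toy_mount(const struct toy_superblock *sb)
{
    size_t need;
    if (toy_buffer_size_checked(sb, &need) != 0) {
        fprintf(stderr, "toy_mount: rejecting image (%u x %u)\n",
                sb->frag_size, sb->frag_count);
        return 0;
    }
    unsigned char *buf = calloc(need, 1);
    if (buf == NULL)
        return 0;
    /* A real mount would parse per-cylinder-group data into buf here. */
    free(buf);
    return 1;
}

int main(void)
{
    /* Constructed inputs: a sane image and one whose product wraps to 0. */
    struct toy_superblock sane = { 4096u, 16u };
    struct toy_superblock hostile = { 0x10000u, 0x10000u };

    printf("sane: unchecked=%u mount=%d\n",
           toy_buffer_size_unchecked(&sane), toy_mount(&sane));
    printf("hostile: unchecked=%u (wrapped) mount=%d\n",
           toy_buffer_size_unchecked(&hostile), toy_mount(&hostile));
    return 0;
}
```

The point of the checked variant is that the decision to mount is made on the validated size, not on whatever the image says; any size derived from on-disk fields should be bounds-checked before it reaches an allocator or a copy length.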

Note: Apple requested confirmation more than one month ago, when the original FreeBSD UFS vulnerabilities got published in the MoKB. This serves as confirmation that the issues obviously exist in both XNU and FreeBSD. It wasn't that difficult to verify, given that the UFS code is exactly the same in both.

We'll be releasing kernel-related issues for some time (mixed with remote user-land issues, just to keep it fun), mostly DMG-related flaws that didn't make it onto the MoKB schedule.


Peter said...

So far, this project has proven very necessary. Back in 94-98 everyone did the same with Linux and Solaris.

The fact that people are STILL writing code containing simple buffer and integer overflows in 2006/7 is a disgrace.

So is it disregard for security vs. cash flow? Or is this a continuance of failure at the universities (i.e. focus on high-level languages)?

Peter said...

Well said. I would have to agree.

The problem we will be seeing soon is that many low-level issues will come up (such as the huge advances we need to make in parallel filesystems or [insert next device here, which will suck because the software sucks]). It's beginning to look like there won't be many firefighters left to put fires out. Every student coming out of most colleges (exclude MIT, UCB, and so on) can write in C++ (some), Java, and pick your fav scripting language (what's the fanboy language these days? Python? Ruby?). You can forget C and ASM.

I don't know where this complete abstraction mentality came from. Microsoft? Apple? Either way, I think it was taken a bit too literally. It must have come from California (BSD, LSD, and abstraction ;) ).

drama said...

Am I understanding correctly?

According to secunia for MOAB-10
"NOTE: This is only remotely exploitable via the Safari web browser when the "opening safe files after downloading" option is enabled."

So in Safari, if we had "open safe files" checked, this means that upon visiting a website, a DMG could be force-downloaded to the computer and mounted.

If "open safe files" is unchecked, you would need to mount the DMG yourself after the download is complete, making this a local exploit since your interaction is required to mount the DMG?