Showing posts with label integer overflow. Show all posts

Thursday, January 11, 2007

MOAB-11-01-2007: Apple DMG UFS byte_swap_sbin() Integer Overflow Vulnerability

The byte_swap_sbin() function, one of the UFS byte-swapping routines, is affected by an integer overflow vulnerability, leading to an exploitable denial of service condition. This code isn't present in FreeBSD; it is specific to Mac OS X XNU, where it is used for compatibility of filesystem streams between little- and big-endian systems.

For further information:
You may have noticed some changes. As KF would say, "we are more respectable now". The issues will still feature hilarious artwork by talented fellow GC. Enjoy.

Wednesday, January 10, 2007

MOAB-10-01-2007: Apple DMG UFS ffs_mountfs() Integer Overflow Vulnerability

The ffs_mountfs() function, part of the UFS filesystem handling code (shared between FreeBSD and Mac OS X XNU), is affected by an integer overflow vulnerability, leading to an exploitable denial of service condition and potential arbitrary code execution.

For further information:
Note: Apple requested confirmation more than one month ago, when the original FreeBSD UFS vulnerabilities got published in the MoKB. This serves as confirmation that the issues obviously exist in both XNU and FreeBSD. It wasn't that difficult to verify, given that the UFS code is exactly the same in both.

We'll be releasing kernel-related issues for some time (mixed with remote user-land issues, just to keep it fun). These are mostly DMG-related flaws that didn't make it to the MoKB schedule.