Jul 26 2010

Mac OS X WebDAV kernel extension local denial-of-service

===================================================================
Mac OS X WebDAV kernel extension local denial-of-service
July 26, 2010
CVE-2010-1794
===================================================================

==Description==

“Web-based Distributed Authoring and Versioning, or WebDAV, is a set
of extensions to the Hypertext Transfer Protocol that allows computer
users to edit and manage files collaboratively on remote World Wide
Web servers.” [1]

Mac OS X supports WebDAV shares natively as a filesystem, implemented
as a kernel extension. Local users can mount WebDAV shares using the
“mount_webdav” utility included in most default installations.

The WebDAV kernel extension is vulnerable to a denial-of-service issue
that allows a local unprivileged user to trigger a kernel panic due to
a memory overallocation. This vulnerability has been verified with
proof-of-concept code. The vulnerable code is in the webdav_mount()
function, and reads as:

MALLOC(fmp->pm_socket_name, struct sockaddr *, args.pa_socket_namelen,
M_TEMP, M_WAITOK);

“args” is a user-controlled struct provided as an argument to a
request to mount a WebDAV share, and there is no checking of the
“pa_socket_namelen” field. If a user were to issue a mount request
with a very large value for this field, this will trigger a kernel
panic, since in BSD-based kernels (such as XNU), MALLOC() with
M_WAITOK will result in a panic when the requested memory cannot be
allocated.

==Notes on Disclosure==

My disclosure of this issue prior to an official fix is not meant to
be taken as a statement against Apple’s management of security issues.
Local denial-of-service issues are by nature low impact – many
security teams do not regard these as security-relevant at all. I
believe the chances of exploitation of this in real life are
practically non-existent. Given that the vulnerability resides in an
open source kernel extension, I chose to disclose this issue so that
concerned administrators can apply a fix immediately, while the rest
of us can benefit from a little increased awareness of potentially
unsafe memory allocation situations. Apple’s security team was
contacted prior to disclosure, and I’m sure they’ll incorporate a fix
in a future release.

==Solution==

The WebDAV kernel extension can be obtained online [2]. The following
patch can be applied to this extension, after which it should be
recompiled to replace the existing extension at
/System/Library/Extensions/webdav_fs.kext:

— webdav_fs.kextproj.orig/webdav_fs.kmodproj/webdav_vfsops.c
2010-07-21 09:51:09.000000000 -0400
+++ webdav_fs.kextproj/webdav_fs.kmodproj/webdav_vfsops.c
2010-07-21 10:32:43.000000000 -0400
@@ -319,6 +319,12 @@ static int webdav_mount(struct mount *mp
}

/* Get the server sockaddr from the args */
+ if(args.pa_socket_namelen > NAME_MAX)
+ {
+ error = EINVAL;
+ goto bad;
+ }
+
MALLOC(fmp->pm_socket_name, struct sockaddr *,
args.pa_socket_namelen, M_TEMP, M_WAITOK);
error = copyin(args.pa_socket_name, fmp->pm_socket_name,
args.pa_socket_namelen);
if (error)
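Review bot: the check at the top of the hunk bounds only the upper end of args.pa_socket_namelen; a length of zero, or a negative value if that field is a signed type, still passes `> NAME_MAX` and reaches the MALLOC()/copyin() pair below it. Consider also rejecting lengths shorter than the fixed sockaddr header, e.g. `if (args.pa_socket_namelen < offsetof(struct sockaddr, sa_data) || args.pa_socket_namelen > NAME_MAX)`, so that later code can read sa_len and sa_family safely, and confirm that the `bad:` label tolerates fmp->pm_socket_name not having been allocated when this new early exit is taken. Minor style point: the surrounding code writes `if (error)` with a space, whereas the new lines use `if(` with the braces on their own lines.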

==Credits==

This vulnerability was discovered by Dan Rosenberg (dan.j.rosenberg () gmail com).

==References==

CVE identifier CVE-2010-1794 has been assigned to this issue by Apple.

[1] http://en.wikipedia.org/wiki/WebDAV
[2] http://opensource.apple.com/source/webdavfs/webdavfs-293/webdav_fs.kextproj/webdav_fs.kmodproj/

Source
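The unchecked length-before-allocation pattern in the advisory above, as an added C example that is not the advisory's or Apple's code: a user-space model of the patched check, extended with a lower bound so the copied address is at least a full sockaddr header. The names mount_args, validate_socket_namelen, copy_socket_name and demo_mount are hypothetical stand-ins, and memcpy() stands in for the kernel's copyin().

```c
/* Added example, not Apple's webdav_fs code; names are hypothetical. */
#include <errno.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#ifndef NAME_MAX
#define NAME_MAX 255
#endif

/* Constructed stand-in for the mount args the advisory describes. */
struct mount_args {
    const void *pa_socket_name;    /* user pointer to a sockaddr */
    size_t      pa_socket_namelen; /* untrusted, user-supplied length */
};

/* Bound the length before any allocation; also require a full sockaddr header. */
int validate_socket_namelen(size_t len)
{
    if (len < offsetof(struct sockaddr, sa_data) || len > NAME_MAX)
        return EINVAL;
    return 0;
}

/* Allocate and copy only once bounded; the kernel uses copyin(), not memcpy(). */
int copy_socket_name(const struct mount_args *args, struct sockaddr **out)
{
    int error = validate_socket_namelen(args->pa_socket_namelen);
    if (error)
        return error;  /* rejected: nothing allocated on this path */
    struct sockaddr *sa = malloc(args->pa_socket_namelen);
    if (sa == NULL)
        return ENOMEM; /* user space fails instead of panicking */
    memcpy(sa, args->pa_socket_name, args->pa_socket_namelen);
    *out = sa;
    return 0;
}

/* Simulate one mount request: a constructed IPv4 sockaddr in a NAME_MAX buffer. */
int demo_mount(size_t claimed_len)
{
    unsigned char buf[NAME_MAX] = {0};
    struct sockaddr_in sin = { .sin_family = AF_INET };
    memcpy(buf, &sin, sizeof sin);
    struct mount_args args = { buf, claimed_len };
    struct sockaddr *name = NULL;
    int error = copy_socket_name(&args, &name);
    free(name);    /* free(NULL) is a no-op on the rejected paths */
    return error;  /* 0 when accepted, EINVAL for bad lengths */
}
```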


Apr 19 2010

Macs hit by new backdoor attack

Apple antivirus company Intego has discovered a backdoor malware attack targeting Mac users.

Able to infect both PowerPC and newer Intel-based Macs thanks to being written as a universal binary, OSX.HellRTS.D sets out to take complete control of an infected machine, setting itself up as a server capable of doing pretty much what it wants. This includes downloading software, sending out email, setting up screen sharing, accessing files on the Mac, and copying anything it finds on the clipboard.

The company describes infection levels as currently being very low, but warns that the code is circulating on hacker forums, which will give criminals access to it. No threat vectors such as spam attachments are mentioned because none have so far been used, but an infected file seems the most likely attack method.

As with so many of the small number of Mac-specific malware attacks that come up from time to time, this one is a variant of an attack from 2004, the company said, which will sound quaint to Windows users hit by thousands of variants on most days.

Source


Jan 21 2010

Apple issues Mac OS X security update

Apple has delivered its first Mac OS X security update of the year to close 12 vulnerabilities.

The Flash Player plug-in is getting the most work, as it suffers from seven known flaws, according to an advisory released Tuesday. The most serious of the bugs could result in malicious code execution if a user is tricked into viewing a specially crafted website.

In addition, the update corrects vulnerabilities in CoreAudio, CUPS, ImageIO, Image RAW and OpenSSL. The latter suffers from a man-in-the-middle flaw that can enable an attacker to “capture data or change the operations performed in sessions protected by SSL.”

The update can be installed through the operating system’s Software Update preferences, described here, or from Apple Downloads.

Source


Jan 10 2010

Mac OS X vulnerability: proof of concept released

A widespread security vulnerability disclosed eight months ago is apparently still lurking in Mac OS X 10.5 and 10.6. A pair of security researchers have released a proof of concept exploit. Maksymilian Arciemowicz and ‘sp3x’ of SecurityReason.com have publicly disclosed a proof of concept exploit for a vulnerability in Mac OS X’s dtoa function that converts double-precision values to ASCII strings. They say they reported the issue eight months ago.

The proof of concept merely triggers a memory access error, but such buffer overflow conditions can sometimes be exploited to run arbitrary code. Although the issue has apparently been fixed in FreeBSD and OpenBSD, the researchers imply that the changes have not filtered through to Mac OS X, where it is said to be present in Leopard (10.5) and Snow Leopard (10.6). The issue is also said to have been present in NetBSD, Google Chrome, Firefox and other Mozilla projects, Opera, MATLAB, and other pieces of software.

The researchers say it may also exist in the Sony PlayStation 3. Apple does not have a particularly good record when it comes to passing on fixes made to open source software incorporated in Mac OS X. One notable exception was the speedy release of an update for the BIND DNS server last August.

Source


Jan 8 2010

MacOS X 10.5/10.6 libc/strtod(3) buffer overflow

Mac OS is the trademarked name for a series of graphical user interface-based operating systems developed by Apple Inc. (formerly Apple Computer, Inc.) for their Macintosh line of computer systems. The Macintosh user experience is credited with popularizing the graphical user interface. The original form of what Apple would later name the “Mac OS” was the integral and unnamed system software first introduced in 1984 with the original Macintosh, usually referred to simply as the System software.

Source