[VIM] BID:20031 Apple Mac OS X KExtLoad Format String Weakness [CVE-2004-1398]
mattmurphy at kc.rr.com
Mon Sep 18 14:00:08 EDT 2006
I don't see how this is really a vulnerability, or even a security issue.
1) KExtLoad is not setuid root -- successful exploitation of this
issue results in the ability to execute arbitrary code as the user
2) In order to exploit this against a root process, the attacker needs
to be able to directly specify a path to a kernel extension -- which
is probably game over anyway.
It seems like the problem here is that we have a setuid binary which
is loading kernel extensions based on paths specified in user input.
Once you can talk an application into loading a kernel module for you,
the system is pretty well hosed.
Is there something I'm missing?
On 9/18/06, Heinbockel, Bill <heinbockel at mitre.org> wrote:
> In the Netragard Full-Disclosure post:
> FULLDISC:20060913 [NETRAGARD-20060822 SECURITY ADVISORY] [ APPLE
> COMPUTER CORPORATION KEXTLOAD VULNERABILITY + ROXIO TOAST TITANIUM 7
> HELPER APP - LOCAL ROOT COMPROMISE]
> 1-) kextload format string vulnerability.
> Executing "sudo kextload %x.%x.%x.%x.%x.%x" demonstrates the
> vulnerability. The code which enables this format string
> vulnerability can be found in "prelink.c" and reads as
> fprintf(stderr, kext_path);
> 4-) Example of kextload format string vulnerability affecting
> TDIXSupport
> netragard-test:$ ./TDIXSupport %x%x%x%x%x%x%/TDIXController.kext
> kextload: /Library/Application Support/Roxio/90b4b6ca1c69737473652065\
> 78682062756e646c65/TDIXController.kext: no such bundle file exists
> can't add kernel extension %x%x%x%x%x%x%/TDIXController.kext (file ac\
> cess/permissions) (run kextload on this kext with -t for diagnostic o\
> appears to actually be a duplicate report of CVE-2004-1398:
> Format string vulnerability in TDIXSupport in Roxio Toast on Mac OS X
> may allow local users to execute arbitrary code via certain inputs that
> contain format strings.
> BUGTRAQ:20041214 Possible local root vulnerability in Roxio Toast on
> Mac OS X
> William Heinbockel
> Infosec Engineer
> The MITRE Corporation
> 202 Burlington Rd. MS S145
> Bedford, MA 01730
> heinbockel at mitre.org
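The two points in the thread side by side: the `fprintf(stderr, kext_path);` line quoted from prelink.c, and Matt's observation that the only real privilege boundary is a setuid helper that hands a caller-chosen path to kextload. This is an added example written for this page; it is not Apple's, Netragard's or Roxio's code. The function names, the "no such bundle file exists" wording reused from the quoted output, and the allowed-directory policy (kext must live under one fixed directory, no `..`, no `%`) are assumptions made here for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example; not code from the thread or from any vendor. Function
 * names and the directory policy below are illustrative assumptions.
 */

/* The pattern quoted from prelink.c: a user-controlled path is used as the
 * format string itself. A path such as "%x%x%x%x%x%x" makes fprintf read
 * arguments that were never passed, and other directives can write memory.
 * Kept here for contrast only; never call it with untrusted input. */
static void report_vulnerable(FILE *err, const char *kext_path)
{
    fprintf(err, kext_path);
}

/* Hardened form: the format is a literal and the path is a plain argument,
 * so '%' characters in the path are printed rather than interpreted.
 * Writes into a caller buffer so the result can be inspected; returns the
 * length snprintf reports. */
static int report_safe(char *out, size_t outsz, const char *kext_path)
{
    return snprintf(out, outsz,
                    "kextload: %s: no such bundle file exists\n", kext_path);
}

/* Count '%' characters that would start a conversion if this string were
 * ever passed as a format ("%%" is a literal percent and does not count).
 * Handy when triaging what actually reaches a suspicious printf call. */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%": escaped percent, skip both */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* The boundary Matt describes: a setuid helper must not forward an
 * arbitrary caller-chosen path to kextload. Assumed policy for this
 * example: the path must start with allowed_dir + '/', name something after
 * it, contain no ".." at all (deliberately conservative) and no '%'.
 * Symlink and canonicalisation concerns (realpath) are outside this check. */
static int kext_path_allowed(const char *path, const char *allowed_dir)
{
    size_t dlen = strlen(allowed_dir);

    if (strncmp(path, allowed_dir, dlen) != 0 || path[dlen] != '/')
        return 0;                       /* not under the fixed directory */
    if (path[dlen + 1] == '\0')
        return 0;                       /* the directory itself, no kext */
    if (strstr(path, ".."))
        return 0;                       /* traversal attempt */
    if (strchr(path, '%'))
        return 0;                       /* format directives in a path */
    return 1;
}

int main(void)
{
    const char *allowed = "/Library/Application Support/Roxio";   /* assumed */
    const char *bad  = "%x%x%x%x%x%x%/TDIXController.kext";        /* from the advisory */
    const char *good = "/Library/Application Support/Roxio/TDIXController.kext";
    char buf[256];

    printf("conversions in attacker path: %d\n", count_conversions(bad));
    report_safe(buf, sizeof buf, bad);
    fputs(buf, stdout);                 /* the %x sequence survives as text */
    report_vulnerable(stderr, good);    /* harmless only because 'good' has no '%' */
    fputc('\n', stderr);
    printf("allowed(%s) = %d\n", bad, kext_path_allowed(bad, allowed));
    printf("allowed(%s) = %d\n", good, kext_path_allowed(good, allowed));
    return 0;
}
```

Note that the hardened `fprintf` alone only turns the helper-app case from code execution into an error message; it does not fix the design problem of a setuid program loading a kext from a path the caller picked, which is what `kext_path_allowed` (or better, a helper that takes no path at all) addresses.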