Mac OS X: 1599 giorni di vulnerabilità!!

clipped from butnotyet.tumblr.com The Story of a Simple and Dangerous Kernel Bug Among other things, the update for Mac OS X 10.5.8 also fixed an interesting kernel bug related to the way the fcntl call is handled. The bug was identified as CVE-2009-1235 and the first exploit seems to be from June 2008. The variant that I discovered is much simpler and is, as far as I know, the one that really convinced Apple to solve the issue. :-) The oldest kernel I was able to test the problem was Darwin 8.0.1 which corresponds to Mac OS X 10.4 “Tiger”. The Tiger was announce in June 28, 2004 but was released to the public on April 29, 2005 and it was advertised as containing more than 200 new features. The bug was closed on August 5, 2009 so the number of days the vulnerability was alive was 1599 days (4 years and 3 months). #include <fcntl.h> #include <sys/ioctl.h> int main() { fcntl(0, TIOCGWINSZ, 0); return 0; }

Pare che la Apple abbia finalmente chiuso un tremendo bug di sistema che permetteva, in una sola riga di programma, di iniettare codice malevolo eseguito in modalità superuser.

Bastava dimensionare una finestra a determinate dimensioni e poi eseguire la fcntl con terzo parametro uguale a zero. Il terzo parametro è un indirizzo. Dato che il kernel non controllava la validità dell'indirizzo (cioè quello zero), ci andava a scrivere e... ZOT!

Per la cronaca, alla Apple bastava inserire in Mac OS X una sola riga, del tipo: if(buffer==NULL) return EINVAL;

Dalla prima segnalazione alla correzione sono passati quattro anni e tre mesi (più esattamente, 1599 giorni). Apple colabrodo!