[TKADV2007-001] Mac OS X TIOCSETD IOCTL Kernel Memory Corruption Vulnerability Nov 15 2007 07:43PM
Tobias Klein (tk trapkit de)
Hash: SHA1

Advisory: Mac OS X TIOCSETD IOCTL Kernel
Memory Corruption Vulnerability
Advisory ID: TKADV2007-001
Revision: 1.0
Release Date: 2007/11/15
Last Modified: 2007/11/15
Date Reported: 2007/03/19
Author: Tobias Klein (tk at trapkit.de)
Affected Software: Mac OS X xnu kernel <= version
8.10.1 (xnu-792.22.5~1)
Mac OS X v10.4 through v10.4.10,
Mac OS X Server v10.4 through v10.4.10
Remotely Exploitable: No
Locally Exploitable: Yes
Vendor URL: http://www.apple.com
Vendor Status: Vendor has released an updated version
CVE-ID: CVE-2007-4686
Patch development time: 241 days

Vulnerability details:

The xnu kernel of Mac OS X contains a vulnerability in the code that
handles TIOCSETD ioctl requests. Exploitation of this vulnerability
can result in:

1) local execution of arbitrary code at the kernel level (complete system
compromise), or

2) local denial of service attacks (system crash due to a kernel panic)

The issue can be triggered by sending a specially crafted ioctl request.

Technical description:

Kernel source file: bsd/kern/tty.c
(from http://www.opensource.apple.com/darwinsource/10.4.8.x86/xnu-792.13.8/)

822 int
823 ttioctl(register struct tty *tp,
824 u_long cmd, caddr_t data, int flag,
825 struct proc *p)
826 {


1085 bcopy(t->c_cc, tp->t_cc, sizeof(t->c_cc));
1086 splx(s);
1087 break;
1088 }
1089 case TIOCSETD: { /* set line discipline */
1090 register int t = *(int *)data; <--- (1)
1091 dev_t device = tp->t_dev;
1093 if (t >= nlinesw) <--- (2)
1094 return (ENXIO);
1095 if (t != tp->t_line) {
1096 s = spltty();
1097 (*linesw[tp->t_line].l_close)(tp, flag);
1098 error = (*linesw[t].l_open)(device, tp); <--- (3)
1099 if (error) {
1100 (void)(*linesw[tp->t_line].l_open)(device, tp);
1101 splx(s);
1102 return (error);
1103 }
1104 tp->t_line = t;
1105 splx(s);
1106 }
1107 break;
1108 }

In line 1090 the user supplied "data" of the type caddr_t (char *) gets
stored in the variable "t" of the type signed int (see (1)). Then in line
1093 the value of "t" is compared with "nlinesw". As "data" is supplied
by the user it is possible to provide a string value >= 0x80000000. If so,
"t" gets a negative value due to the type conversion error (see (1)) and
the check in line 1093 will always be passed (see (2)). In line 1098 the user
supplied value "t" is used to reference and call "l_open". This leads to full
control of the kernel execution flow.

Corresponding assembler code snippet:

__text:00356C08 loc_356C08:
__text:00356C08 mov eax, [ebp+arg_8]
__text:00356C0B mov ebx, [eax] <--- (1)
__text:00356C0D mov edx, [ebp+arg_0]
__text:00356C10 mov edx, [edx+64h]
__text:00356C13 mov [ebp+var_58], edx
__text:00356C16 cmp ebx, ds:457880h <--- (2)
__text:00356C1C jl short loc_356C28
__text:00356C1E mov esi, 6
__text:00356C23 jmp loc_356F70
__text:00356C28 ; --------------------------------
__text:00356C28 loc_356C28:
__text:00356C28 mov ecx, [ebp+arg_0]
__text:00356C2B cmp ebx, [ecx+60h]
__text:00356C2E jz loc_356633
__text:00356C34 call _spltty
__text:00356C39 mov edi, eax
__text:00356C3B mov esi, [ebp+arg_0]
__text:00356C3E mov eax, [esi+60h]
__text:00356C41 shl eax, 5
__text:00356C44 mov edx, [ebp+arg_C]
__text:00356C47 mov [esp+0B8h+var_B4], edx
__text:00356C4B mov [esp+0B8h+var_B8], esi
__text:00356C4E call ds:off_4578A4[eax]
__text:00356C54 mov eax, ebx <--- (3)
__text:00356C56 shl eax, 5 <--- (4)
__text:00356C59 mov [esp+0B8h+var_B4], esi
__text:00356C5D mov ecx, [ebp+var_58]
__text:00356C60 mov [esp+0B8h+var_B8], ecx
__text:00356C63 call ds:_linesw[eax] <--- (5)

(1) The user supplied data is copied into EBX
(2) EBX is compared with nlinesw
(3) The user supplied data in EBX is copied into EAX
(4) Slightly modification of EAX
(5) The user supplied value in EAX is used as a reference in this call

Proof of Concept:

Due to the severity of this issue no proof of concept exploit code
will be released.


Upgrade to Mac OS X (Server) v10.4.11 or apply the Security Update 2007-008.



2007/03/19 - Vendor notified
2007/03/19 - Automated reply from vendor
2007/03/26 - Vendor asks for more details
2007/04/01 - Provided vendor with more details
2007/04/04 - Status update from vendor
2007/04/06 - Vendor confirms the vulnerability
2007/05/11 - Status update request
2007/06/22 - Status update from vendor
2007/11/14 - Update released by the vendor
2007/11/15 - Full technical details released to general


Vulnerability found and advisory written by Tobias Klein.


[1] http://docs.info.apple.com/article.html?artnum=307041
[2] http://www.trapkit.de/advisories/TKADV2007-001.txt


Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release


The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.

PGP Signature Key:


Copyright 2007 Tobias Klein. All rights reserved.

Version: PGP 8.1


[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus