Oops! Flaws in OS X disk image handler found [UPDATED x2: Secunia downgrades threat]
There’s a new bug uncovered and it’s a doozy! Correction, there are two closely related bugs; both are doozies.
The Month of Kernel Bugs site (MoKB for short) discovered a flaw in the way Mac OS X handles “corrupted UDTO HFS+ image structures” (that is to say, disk images with formatting issues; MoKB uses the example of bad sectors), which can lead to a denial of service. MoKB notes that “Although it hasn’t been checked further, memory corruption is present under certain conditions (in this particular case, unlikely to allow arbitrary code execution).”
The other was discovered yesterday, and also has to do with disk image handling. MoKB says, “Mac OS X com.apple.AppleDiskImageController fails to properly handle corrupted DMG image structures, leading to an exploitable memory corruption condition with potential kernel-mode arbitrary code execution by unprivileged users.” Secunia considers this flaw to be “highly critical.” Okay, that’s not good. [UPDATE: Secunia has downgraded the flaw to Not Critical after developer Alastair Houghton further analyzed the bug. Read more about this issue.]
Proofs of concept are available for both if you’re curious. Being the intrepid sort, I decided to test the two proofs of concept on my secondary machine, my iBook G4. I recommend against trying the proofs of concept yourself unless you have a secondary machine, have no unsaved work open, or are slightly amused by watching your otherwise-stable Mac temporarily become a useless pile of electronics. It won’t damage any data, but it will be annoying. I know this information is available elsewhere, but I have little else to do on a Tuesday night the week of Thanksgiving than purposely crash a Mac.
The first one I ran was the UDTO disk image denial of service bug. Result? Kernel panic. This is running a fully up-to-date install of Mac OS X 10.4.8 using Safari with the “Open ‘Safe’ files after downloading” option turned on. If you turn this option off, download the file, then double-click it in the Downloads list (or the Finder), you will still get the kernel panic after manually opening the file. Delving into the kernel panic log, you’ll see something like this:
Wed Nov 22 00:24:11 2006
panic(cpu 0 caller 0x000EBAA4): mount: lost mount
Latest stack backtrace for cpu 0:
Backtrace:
0x00095138 0x00095650 0x00026898 0x000EBAA4 0x000EB780 0x002AAE28 0x000AB930 0x266C743B
Proceeding back via exception chain:
Exception state (sv=0x32AE3780)
PC=0x90046CEC; MSR=0x0000D030; DAR=0x26DD7040; DSISR=0x40000000; LR=0x00002C28; R1=0xBFFFF870; XCP=0x00000030 (0xC00 - System call)
Kernel version:
Darwin Kernel Version 8.8.0: Fri Sep 8 17:18:57 PDT 2006; root:xnu-792.12.6.obj~1/RELEASE_PPC
Moving on to the UDIF image memory corruption bug…
Result? You guessed it, a kernel panic:
Wed Nov 22 00:37:43 2006
panic(cpu 0 caller 0x00099C74): mapping_make: attempt to map unaligned vaddr - pmap = 00366000, va = 000000003305CA3D, cfg = 0
Latest stack backtrace for cpu 0:
Backtrace:
0x00095138 0x00095650 0x00026898 0x00099C74 0x00098BB8 0x00062930 0x002D8438 0x002D81B8
0x002D7D38 0x002D9320 0x33073230 0x000A9314
Kernel loadable modules in backtrace (with dependencies):
com.apple.AppleDiskImageController(110)@0x3305e000
dependency: com.apple.iokit.IOStorageFamily(1.5)@0x49b000
Proceeding back via exception chain:
Exception state (sv=0x32E55000)
PC=0x00000000; MSR=0x0000D030; DAR=0x00000000; DSISR=0x00000000; LR=0x00000000; R1=0x00000000; XCP=0x00000000 (Unknown)
Kernel version:
Darwin Kernel Version 8.8.0: Fri Sep 8 17:18:57 PDT 2006; root:xnu-792.12.6.obj~1/RELEASE_PPC
MoKB has more on both bugs, including debugging information.
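The two panic logs above follow the same fixed layout (timestamp, panic line, backtrace, optional list of kexts in the backtrace, kernel version), so a small parser can pull out the panic reason, the return addresses and the kexts named in the backtrace, which is the useful first step when deciding whether a crash in a panic.log came from the disk image driver. The following is an added example, not code from the post, from MoKB or from Apple; it assumes the Darwin 8.x panic.log layout shown above, uses the post’s two logs verbatim as sample input, and the kext/reason watch lists are my own triage heuristic (the log gives kext load addresses but not sizes, so “frame falls in kext” only means “at or above that kext’s load address”).

```python
import re
from dataclasses import dataclass, field

# Sample input: the two panic logs copied from the post above (Mac OS X 10.4.8,
# PowerPC). They are test data for the parser, not output of this script.
PANIC_UDTO = """Wed Nov 22 00:24:11 2006
panic(cpu 0 caller 0x000EBAA4): mount: lost mount
Latest stack backtrace for cpu 0:
Backtrace:
0x00095138 0x00095650 0x00026898 0x000EBAA4 0x000EB780 0x002AAE28 0x000AB930 0x266C743B
Proceeding back via exception chain:
Exception state (sv=0x32AE3780)
PC=0x90046CEC; MSR=0x0000D030; DAR=0x26DD7040; DSISR=0x40000000; LR=0x00002C28; R1=0xBFFFF870; XCP=0x00000030 (0xC00 - System call)
Kernel version:
Darwin Kernel Version 8.8.0: Fri Sep 8 17:18:57 PDT 2006; root:xnu-792.12.6.obj~1/RELEASE_PPC
"""
PANIC_UDIF = """Wed Nov 22 00:37:43 2006
panic(cpu 0 caller 0x00099C74): mapping_make: attempt to map unaligned vaddr - pmap = 00366000, va = 000000003305CA3D, cfg = 0
Latest stack backtrace for cpu 0:
Backtrace:
0x00095138 0x00095650 0x00026898 0x00099C74 0x00098BB8 0x00062930 0x002D8438 0x002D81B8
0x002D7D38 0x002D9320 0x33073230 0x000A9314
Kernel loadable modules in backtrace (with dependencies):
com.apple.AppleDiskImageController(110)@0x3305e000
dependency: com.apple.iokit.IOStorageFamily(1.5)@0x49b000
Proceeding back via exception chain:
Exception state (sv=0x32E55000)
PC=0x00000000; MSR=0x0000D030; DAR=0x00000000; DSISR=0x00000000; LR=0x00000000; R1=0x00000000; XCP=0x00000000 (Unknown)
Kernel version:
Darwin Kernel Version 8.8.0: Fri Sep 8 17:18:57 PDT 2006; root:xnu-792.12.6.obj~1/RELEASE_PPC
"""

PANIC_RE = re.compile(r"^panic\(cpu (\d+) caller 0x([0-9A-Fa-f]+)\): (.+)$")
KEXT_RE = re.compile(r"^(?:dependency: )?([A-Za-z0-9_.]+)\(([^)]*)\)@0x([0-9A-Fa-f]+)$")
HEX_LINE_RE = re.compile(r"^(?:0x[0-9A-Fa-f]+\s*)+$")   # a backtrace line is only addresses
KVER_RE = re.compile(r"^Darwin Kernel Version (\S+):")

@dataclass
class PanicRecord:
    timestamp: str = ""
    cpu: int = -1
    caller: int = 0
    reason: str = ""
    backtrace: list = field(default_factory=list)   # return addresses as ints
    kexts: list = field(default_factory=list)       # (bundle id, version, load address)
    kernel_version: str = ""

def parse_panic_log(text):
    """Parse one Darwin 8.x panic.log entry of the layout shown in the post."""
    rec = PanicRecord()
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if lines:
        rec.timestamp = lines[0]        # first line is the wall-clock time of the panic
    in_backtrace = False
    for ln in lines[1:]:
        m = PANIC_RE.match(ln)
        if m:
            rec.cpu, rec.caller, rec.reason = int(m.group(1)), int(m.group(2), 16), m.group(3)
            continue
        if ln == "Backtrace:":
            in_backtrace = True
            continue
        if in_backtrace:
            if HEX_LINE_RE.match(ln):   # the backtrace may wrap onto several lines
                rec.backtrace.extend(int(tok, 16) for tok in ln.split())
                continue
            in_backtrace = False        # first non-address line ends the backtrace block
        m = KEXT_RE.match(ln)
        if m:
            rec.kexts.append((m.group(1), m.group(2), int(m.group(3), 16)))
            continue
        m = KVER_RE.match(ln)
        if m:
            rec.kernel_version = m.group(1)
    return rec

# Triage heuristic (my own, derived from the two logs in the post): a panic that
# names the disk image kext, or that dies in the mount path, is worth a closer look.
DISK_IMAGE_KEXTS = ("com.apple.AppleDiskImageController",)
DISK_IMAGE_REASON_PREFIXES = ("mount:",)

def looks_like_disk_image_panic(rec):
    if any(name in DISK_IMAGE_KEXTS for name, _, _ in rec.kexts):
        return True
    return any(rec.reason.startswith(p) for p in DISK_IMAGE_REASON_PREFIXES)

def frame_in_kext(rec, addr):
    """Kext with the highest load address <= addr, or None. Sizes are not logged,
    so this is an 'at or above the load address' attribution only."""
    best = None
    for name, version, load in rec.kexts:
        if load <= addr and (best is None or load > best[2]):
            best = (name, version, load)
    return best

if __name__ == "__main__":
    for text in (PANIC_UDTO, PANIC_UDIF):
        r = parse_panic_log(text)
        print(r.timestamp, "|", r.reason, "| disk image related:", looks_like_disk_image_panic(r))
        for a in r.backtrace:
            k = frame_in_kext(r, a)
            if k:
                print("  frame 0x%08X is at/above %s (%s)" % (a, k[0], k[1]))
```

Run against the second log it reports exactly one backtrace frame, 0x33073230, at or above the load address of com.apple.AppleDiskImageController, which is the same attribution the log’s own “Kernel loadable modules in backtrace” section gives; the first log has no kext list at all and is caught only by the “mount:” reason prefix, which is why the heuristic checks both.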
A good first line of defense would be to make sure the “Open ‘safe’ files after downloading” option in Safari is off. As I mentioned before, however, that does not make you invulnerable, since it is an OS bug, not a Safari bug. Even if you launch a bad disk image from the Finder your machine will go down. As for avoiding this problem altogether, I have no idea, short of not downloading disk images until Apple releases a fix (or at least using good judgement when downloading). Running First Aid in Disk Utility also crashes the system, so forget trying to check for corrupted or malformed disk images that way. The jury is still out on whether antivirus would do any good against such problems, since it isn’t malware in the truest form but an OS X bug exploit (though I assume antivirus would be pretty much useless).
As always, surf safely--or at least as safely as possible.
UPDATE: It seems that this bug may not be that new after all:
Yes, it really is possible to panic your Mac by mounting a dmg file. Those of us who work with the filesystem have known that this is possible for ages; I know I’ve reported at least one instance of this problem to Apple in the past.
Article originally published 21 November 2006; Last updated 2 December 2006, 12:46 AM PST
Nick | 6 comments | 2502 views
That too.
It’s kind of weird. Nearly everyone I know that has seen this has downloaded the proof of concept to see if it did any other evil. I wonder how many Windows users vs. Mac users download proofs of concept “just because”. I was surprised how many people willingly downloaded it.
But yeah, turning off “open safe files” doesn’t protect you in the least. Since you downloaded it, you’re likely to open it in any case. Heck, even if it was just downloaded automatically, chances are you’re going to double click it in the finder as soon as you see it in your downloads folder just because you’re wondering wtf it is.
I’ve had an intermittent issue where DVDs don’t mount in the Finder (no icon) and are not seen by DVD Player despite showing up in Disk Utility. This always seemed to follow opening a .dmg file to install a software update. The only solution was a reboot - a logout isn’t enough.
I wonder if this bug is related?
What a bunch of crap. No exploit has been proven.
“leading to an exploitable memory corruption condition with potential kernel-mode arbitrary code execution by unprivileged users.” Month of Kernel Bugs
http://projects.info-pull.com/mokb/MOKB-20-11-2006.html
The report says “potential” not an actual or PROVEN exploit. They are guessing as usual and everyone falls for it.
Over and over again everyone falls for the hype.
Yes, I’m pretty certain I quoted those exact words from MoKB.
I fail to see where I fall into the hype. With the exception of where I mention Secunia, I construe it as a bug--in fact, nowhere do I even mention the word “security.”
No. Hype is pointing to this and saying that the Mac is losing its edge (even though security holes are inevitable) and that we Mac users are now doomed to virus problems on the scale of Windows’ (even though we’re a small slice of the market and really have yet to see anything more than proofs-of-concepts in the wild).
Surf safely? Don’t you mean, “Don’t download and run proof of concepts”?