
[Repost] Darwin Kernel Vulnerability and Exploit

Source: irc.pulltheplug.org

"moderator: resending this mail since it appears to have been dropped; if not, please
ignore this message.

_,'| _.-''``-...___..--';)
/_ \'. __..-' , ,--...--'''
<\ .`--''' ` /'
`-';' ; ; ;
__...--'' ___...--_..' .;.'
fL (,__....----''' (,..--'' felinemenace.org

Program: Darwin Kernel 7.1
Impact: DoS, Possible local privilege escalation.
Discovered: 8th January 2005 by nemo -( nemo @ felinemenace.org )-
Writeup and exploits:

1) Background

Numerous bugs exist in the Darwin kernel used by Mac OS X 10.3. Some of the bugs we
investigated exist due to a lack of input validation in the Mach-O loader.

2) Description

In the file bsd/kern/mach_loader.c the Mach-O header is parsed and, for the most part,
each field is trusted to be acceptable.

In the Mach-O loader code (parse_machfile()) ncmds and offset are both declared as
signed integers, while the corresponding fields of the structs used to read them from
the file are unsigned. After a little investigation a DoS was quickly written that
sets ncmds to -1.

ncmds = header->ncmds;
while (ncmds--) {

The attached code will cause a denial of service on Mac OS X <= 10.3.7.
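As an added illustration (not code from the advisory or from Darwin), the following C program walks a constructed 32-bit Mach-O buffer twice: once with the vulnerable shape of the parse_machfile() loop, where the header's unsigned ncmds is copied into a signed int and drives `while (ncmds--)` unchecked, and once with a bounds-checked walk that keeps every count and offset unsigned and rejects a header whose ncmds cannot possibly fit inside sizeofcmds. The struct layouts follow <mach-o/loader.h>; the sample buffer, the `cap` that stops the vulnerable loop from spinning for 2^32 rounds, and all function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimal 32-bit Mach-O header and load command, field for field as in
 * <mach-o/loader.h>; only magic, ncmds, sizeofcmds and cmdsize are used. */
#define MH_MAGIC   0xfeedfaceU
#define MH_EXECUTE 0x2U

struct mach_header {
    uint32_t magic, cputype, cpusubtype, filetype;
    uint32_t ncmds;        /* unsigned on disk; the kernel copied it into an int */
    uint32_t sizeofcmds;
    uint32_t flags;
};

struct load_command {
    uint32_t cmd, cmdsize;
};

/* Shape of the vulnerable loop: the unsigned header field lands in a signed
 * int and is used as the loop count.  Nothing is dereferenced here; the
 * function reports how many times the body of `while (ncmds--)` would run,
 * stopping at `cap` (assumption for the demo) instead of spinning 2^32 times. */
static unsigned long vulnerable_iterations(const struct mach_header *header,
                                           unsigned long cap)
{
    int ncmds = header->ncmds;     /* 0xffffffff becomes -1 on two's complement */
    unsigned long n = 0;

    while (ncmds--) {              /* -1 is non-zero, so the loop is entered */
        if (++n >= cap)
            break;
    }
    return n;
}

/* Hardened walk: counts and offsets stay unsigned, every value from the file
 * is range-checked before use, and each load command must fit inside the
 * region the header declares.  Returns 0 (and the number of commands walked
 * in *out_ncmds) on success, -1 on a malformed header. */
static int checked_walk(const uint8_t *file, size_t file_len, uint32_t *out_ncmds)
{
    struct mach_header header;
    size_t offset = sizeof header, end;
    uint32_t i;

    if (file_len < sizeof header)
        return -1;
    memcpy(&header, file, sizeof header);              /* no alignment assumed */
    if (header.magic != MH_MAGIC)
        return -1;
    if (header.sizeofcmds > file_len - sizeof header)  /* commands must be in the file */
        return -1;
    /* A command is at least 8 bytes, so ncmds can be no larger than
     * sizeofcmds / 8; the advisory's 0xffffffff is rejected right here. */
    if (header.ncmds > header.sizeofcmds / sizeof(struct load_command))
        return -1;
    end = sizeof header + header.sizeofcmds;

    for (i = 0; i < header.ncmds; i++) {
        struct load_command lc;

        if (end - offset < sizeof lc)
            return -1;
        memcpy(&lc, file + offset, sizeof lc);
        /* cmdsize must cover the command header, be 4-byte aligned and stay
         * inside the declared command region. */
        if (lc.cmdsize < sizeof lc || (lc.cmdsize & 3) != 0 || lc.cmdsize > end - offset)
            return -1;
        offset += lc.cmdsize;      /* offset <= end holds after this */
    }
    *out_ncmds = header.ncmds;
    return 0;
}

/* Constructed sample (not a real binary): a header followed by two minimal
 * 8-byte load commands.  ncmds_field is written verbatim so a caller can
 * plant the bogus count; the cmd value is not inspected by either walk. */
#define SAMPLE_CMDS 2U
#define SAMPLE_LEN  (sizeof(struct mach_header) + SAMPLE_CMDS * sizeof(struct load_command))

static void build_sample(uint8_t *buf, uint32_t ncmds_field)
{
    struct mach_header h;
    struct load_command lc = { 0x1U, (uint32_t)sizeof lc };
    unsigned i;

    memset(&h, 0, sizeof h);
    h.magic = MH_MAGIC;
    h.filetype = MH_EXECUTE;
    h.ncmds = ncmds_field;
    h.sizeofcmds = (uint32_t)(SAMPLE_CMDS * sizeof lc);
    memcpy(buf, &h, sizeof h);
    for (i = 0; i < SAMPLE_CMDS; i++)
        memcpy(buf + sizeof h + i * sizeof lc, &lc, sizeof lc);
}

/* Iterations the vulnerable loop attempts on a sample carrying ncmds_field. */
unsigned long sample_vulnerable_iterations(uint32_t ncmds_field, unsigned long cap)
{
    uint8_t buf[SAMPLE_LEN];
    struct mach_header h;

    build_sample(buf, ncmds_field);
    memcpy(&h, buf, sizeof h);
    return vulnerable_iterations(&h, cap);
}

/* Commands the hardened walk accepts for the same sample, or -1 if rejected. */
long sample_checked_walk(uint32_t ncmds_field)
{
    uint8_t buf[SAMPLE_LEN];
    uint32_t n = 0;

    build_sample(buf, ncmds_field);
    return checked_walk(buf, sizeof buf, &n) == 0 ? (long)n : -1;
}
```

With ncmds = 2 both walks agree on two commands; with ncmds = 0xffffffff the vulnerable loop is entered (it would run until the signed counter wraps, reading load commands far past the file), whereas the checked walk refuses the header before touching a single command. A count of 3 against a 16-byte command region is rejected the same way, which is the property the original loop lacks: the count is never reconciled with the bytes actually present.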

3) Notes
During our audit of the Darwin kernel many bugs stood out; however, we have not
had time to follow through on most of them. Something that caught our attention
was the misuse of the copyinstr() function. This function will not force a NUL
character to be appended to the string copied in, yet in many cases the size passed
to it does not seem to take this into account.
Unfortunately, as security goes, it's all about who posts first.
http://www.immunitysec.com/downloads/nukido.pdf

4) Vendor status/notes/fixes/statements
Apple have been notified about this bug.

5) Exploit
http://www.eviloctal.com/forum/read.php?tid=7030
