Apple HFS+ Information Disclosure Vulnerability
| Release Date | 2011-03-22 |
| Application | Apple OS X kernel (XNU) |
| Versions | All versions <= xnu-1504.7.4 |
| Severity | Medium |
| Discovered by | Dan Rosenberg <drosenberg {at} vsecurity.com> |
| Vendor Status | Patch Released [2] |
| CVE Candidate | CVE-2011-0180 |
| Reference | Original Advisory |
Product Description
From [1]:
"Beneath the appealing, easy-to-use interface of Mac OS X is a rock-solid, UNIX-based foundation that is engineered for stability, reliability, and performance. The kernel environment is built on top of Mach 3.0 and provides high-performance networking facilities and support for multiple, integrated file systems."
Vulnerability Overview
On June 30th, VSR identified a vulnerability in HFS+, a filesystem implemented in the OS X XNU kernel. HFS+ is the default filesystem in use on many installations of the Mac OS X operating system. By exploiting this vulnerability, an unprivileged user with local access to a machine using HFS+ may be able to read raw filesystem data, bypassing file permissions and resulting in information disclosure.
Vulnerability Details
Users may interact with the filesystem using the standard ioctl interface.
HFS+ features an ioctl called F_READBOOTSTRAP that allows unprivileged users to
read raw data from an HFS+ filesystem. The ioctl intends to ensure that this
data is restricted to the first 1024 bytes, where bootstrap information is
stored. However, due to an integer overflow in the code that attempts to
enforce this restriction, it is possible for an unprivileged user to use this
ioctl to read large portions of filesystem data outside of this byte range,
leading to an information disclosure vulnerability.
The vulnerable check reads as follows, in bsd/hfs/hfs_readwrite.c:
if (user_bootstrapp->fbt_offset + user_bootstrapp->fbt_length > 1024)
return EINVAL;
If a user provides values for the fbt_offset and fbt_length members such that
their sum overflows and wraps around to an integer less than 1024, portions of
filesystem data outside the intended range will be read and returned to the
user.
Proof-of-Concept Exploit
VSR has developed a proof-of-concept exploit [3] to both demonstrate the severity of this issue as well as allow users and administrators to verify the existence of the vulnerability. The exploit leverages the integer overflow to read arbitrary amounts of filesystem data at a negative offset from the end of the filesystem.
Versions Affected
Testing was performed on Darwin Kernel Version 10.4.0, xnu-1504.7.4~1, but review of older source code suggests that all versions of OS X may be affected.
Vendor Response
The following timeline details Apple's response to the reported issues:
| 2010-07-01 | Apple was provided a draft advisory |
| 2010-07-02 | Apple acknowledges receipt of advisory |
| 2010-07-22 | Request for confirmation of issue |
| 2010-07-25 | Apple confirms issue under investigation |
| 2010-09-02 | Request for status update |
| 2010-09-02 | Apple confirms fix is being tested |
| 2010-10-13 | Request for status update |
| 2010-10-14 | Apple confirms fix is planned for undetermined date |
| 2010-11-16 | Request for status update |
| 2010-11-16 | Apple confirms ship date is set for early 2011 |
| 2011-01-18 | Request for status update |
| 2011-01-18 | Apple confirms ship date for early April |
| 2011-03-21 | Apple publishes fix |
Recommendation
Apply the fix provided by Apple's OS X security update [2].
Common Vulnerabilities and Exposures (CVE) Information
The Common Vulnerabilities and Exposures (CVE) project has assigned the number CVE-2011-0180 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
References
| 1. | Darwin and Core Technologies http://developer.apple.com/mac/library/documentation/MacOSX/Conceptual/OSX_Technology_Overview/SystemTechnology/SystemTechnology.html |
| 2. | Apple Security Update 2011-001 http://support.apple.com/kb/HT4581 |
| 3. | HFS+ F_READBOOTSTRAP information disclosure exploit http://www.vsecurity.com/download/tools/hfs-dump.c |
This advisory is distributed for educational purposes only with the sincere hope that it will help promote public safety. This advisory comes with absolutely NO WARRANTY; not even the implied warranty of merchantability or fitness for a particular purpose. Virtual Security Research, LLC nor the author accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
See the VSR disclosure policy for more information on our responsible disclosure practices.
Copyright 2011 Virtual Security Research, LLC. All rights reserved.
