Apple HFS+ Information Disclosure Vulnerability

Release Date 2011-03-22
Application Apple OS X kernel (XNU)
Versions All versions <= xnu-1504.7.4
Severity Medium
Discovered by Dan Rosenberg <drosenberg {at} vsecurity.com>
Vendor Status Patch Released [2]
CVE Candidate CVE-2011-0180
Reference Original Advisory

Product Description

From [1]:

"Beneath the appealing, easy-to-use interface of Mac OS X is a rock-solid, UNIX-based foundation that is engineered for stability, reliability, and performance. The kernel environment is built on top of Mach 3.0 and provides high-performance networking facilities and support for multiple, integrated file systems."

Vulnerability Overview

On June 30th, VSR identified a vulnerability in HFS+, a filesystem implemented in the OS X XNU kernel. HFS+ is the default filesystem in use on many installations of the Mac OS X operating system. By exploiting this vulnerability, an unprivileged user with local access to a machine using HFS+ may be able to read raw filesystem data, bypassing file permissions and resulting in information disclosure.

Vulnerability Details

Users may interact with the filesystem using the standard ioctl interface. HFS+ features an ioctl called F_READBOOTSTRAP that allows unprivileged users to read raw data from an HFS+ filesystem. The ioctl intends to ensure that this data is restricted to the first 1024 bytes, where bootstrap information is stored. However, due to an integer overflow in the code that attempts to enforce this restriction, it is possible for an unprivileged user to use this ioctl to read large portions of filesystem data outside of this byte range, leading to an information disclosure vulnerability.

The vulnerable check reads as follows, in bsd/hfs/hfs_readwrite.c:

if (user_bootstrapp->fbt_offset + user_bootstrapp->fbt_length > 1024)
    return EINVAL;

If a user provides values for the fbt_offset and fbt_length members such that their sum overflows and wraps around to an integer less than 1024, portions of filesystem data outside the intended range will be read and returned to the user.

Proof-of-Concept Exploit

VSR has developed a proof-of-concept exploit [3] to both demonstrate the severity of this issue as well as allow users and administrators to verify the existence of the vulnerability. The exploit leverages the integer overflow to read arbitrary amounts of filesystem data at a negative offset from the end of the filesystem.

Versions Affected

Testing was performed on Darwin Kernel Version 10.4.0, xnu-1504.7.4~1, but review of older source code suggests that all versions of OS X may be affected.

Vendor Response

The following timeline details Apple's response to the reported issues:

2010-07-01 Apple was provided a draft advisory
2010-07-02 Apple acknowledges receipt of advisory
2010-07-22 Request for confirmation of issue
2010-07-25 Apple confirms issue under investigation
2010-09-02 Request for status update
2010-09-02 Apple confirms fix is being tested
2010-10-13 Request for status update
2010-10-14 Apple confirms fix is planned for undetermined date
2010-11-16 Request for status update
2010-11-16 Apple confirms ship date is set for early 2011
2011-01-18 Request for status update
2011-01-18 Apple confirms ship date for early April
2011-03-21 Apple publishes fix

Recommendation

Apply the fix provided by Apple's OS X security update [2].

Common Vulnerabilities and Exposures (CVE) Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the number CVE-2011-0180 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.


References

1. Darwin and Core Technologies
http://developer.apple.com/mac/library/documentation/MacOSX/Conceptual/OSX_Technology_Overview/SystemTechnology/SystemTechnology.html
2. Apple Security Update 2011-001
http://support.apple.com/kb/HT4581
3. HFS+ F_READBOOTSTRAP information disclosure exploit
http://www.vsecurity.com/download/tools/hfs-dump.c

This advisory is distributed for educational purposes only with the sincere hope that it will help promote public safety. This advisory comes with absolutely NO WARRANTY; not even the implied warranty of merchantability or fitness for a particular purpose. Virtual Security Research, LLC nor the author accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

See the VSR disclosure policy for more information on our responsible disclosure practices.


Copyright 2011 Virtual Security Research, LLC. All rights reserved.

2014-09-17
Apple iOS / OSX: Foundation NSXMLParser XXE Vulnerability

2014-05-20
XML Schema, DTD, and Entity Attacks

2013-06-19
IBM WebSphere Commerce: Encrypted URL Parameter Vulnerable to POA

2012-10-23
Timothy D. Morgan presents No Crack Required: Cryptanalysis in Real-World Applications at OWASP AppSecUSA 2012.

more...

Contact us by phone,
fax or e-mail:

Phone: 617.933.8919
Fax: 617.933.8920
Email: inquiry@vsecurity.com