VAR-201311-0355

Vulnerability from variot - Updated: 2023-12-18 11:11

Apple Mac OS X 10.9 allows local users to cause a denial of service (memory corruption or panic) by creating a hard link to a directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-0105. Exploiting this issue allows local, unprivileged users to crash the affected system, denying further service to legitimate users. MacOSX/XNU HFS Multiple Vulnerabilities Maksymilian Arciemowicz http://cxsecurity.com/ http://cifrex.org/

===================

On November 8th, I've reported vulnerability in hard links for HFS+ (CVE-2013-6799)

http://cxsecurity.com/issue/WLB-2013110059

The HFS+ file system does not apply strict privilege rules during the creating of hard links. The ability to create hard links to directories is wrong implemented and such an issue is affecting os versions greater or equal to 10.5. Officially Apple allows you to create hard links only for your time machine. To create N hard links, you must use a special algorithm which creates links from the top of the file system tree. This means that first we create the directory structure and once created we need to go from up to down by creating hard links. The last time I've mentioned of the possibility of a kernel crash by performing the 'ls' command. This situation occurs in conjunction with the 'find' application.

Commands such as 'ls' behave in unexpected ways. Apple are going find this crash point in code. To create huge hard links structure, use this code

http://cert.cx/stuff/l2.c


h1XSS:tysiak cx$ uname -a Darwin 000000000000000.home 13.1.0 Darwin Kernel Version 13.1.0: Thu Jan 16 19:40:37 PST 2014; root:xnu-2422.90.20~2/RELEASE_X86_64 x86_64 h1xss:tysiak cx$ gcc -o l2 l2.c h1xss:tysiak cx$ ./l2 1000 ... h1xss:tysiak cx$ cat loop.sh

!/bin/bash

while [ 1 ] ; do ls -laR B > /dev/null done

h1xss:tysiak cx$ sh ./loop.sh ls: B: No such file or directory ls: X1: No such file or directory ... ls: X8: Bad address ls: X1: Bad address ls: X2: Bad address ... ls: X8: No such file or directory ./loop.sh: line 4: 8816 Segmentation fault: 11 ls -laR B > /dev/null ./loop.sh: line 4: 8818 Segmentation fault: 11 ls -laR B > /dev/null ls: B: No such file or directory ls: X1: No such file or directory ls: X2: No such file or directory ... ls: X1: No such file or directory ls: X2: No such file or directory


...

Feb 9 21:16:38 h1xss.home ReportCrash[9419]: Saved crash report for ls[9418] version 230 to /Users/freak/Library/Logs/DiagnosticReports/ls_2014-02-09-211638_h1XSS.crash


That what we can see here is unexpected behavior of LS command. LS process is also affected for infinite loop (recursion?).


h1xss:tysiak cx$ ps -fp 8822 UID PID PPID C STIME TTY TIME CMD 501 8822 8810 0 7:36 ttys002 62:19.65 ls -laR B


or used parallely with (find . > /dev/null) command cause a kernel crash


Mon Mar 31 20:30:41 2014 panic(cpu 0 caller 0xffffff80044dbe2e): Kernel trap at 0xffffff8004768838, type 13=general protection, registers: CR0: 0x0000000080010033, CR2: 0xffffff8122877004, CR3: 0x0000000001a5408c, CR4: 0x00000000001606e0 RAX: 0xffffff802bc148a0, RBX: 0xdeadbeefdeadbeef, RCX: 0x0000000000008000, RDX: 0x0000000000000000 RSP: 0xffffff8140d9b990, RBP: 0xffffff8140d9b9a0, RSI: 0x0000000000000018, RDI: 0xffffff802f23bcd0 R8: 0xffffff8140d9bc1c, R9: 0xffffff802f26e960, R10: 0xffffff8140d9ba2c, R11: 0x0000000000000f92 R12: 0xffffff801ba1a008, R13: 0xffffff8140d9bb20, R14: 0xffffff802f23bcd0, R15: 0xffffff802f26e960 RFL: 0x0000000000010282, RIP: 0xffffff8004768838, CS: 0x0000000000000008, SS: 0x0000000000000010 Fault CR2: 0xffffff8122877004, Error code: 0x0000000000000000, Fault CPU: 0x0

Backtrace (CPU 0), Frame : Return Address 0xffffff811eee8c50 : 0xffffff8004422fa9

BSD process name corresponding to current thread: ls

XNU is the computer operating system kernel that Apple Inc. acquired and developed for use in the Mac OS X operating system and released as free and open source software as part of the Darwin operating system. We can try to see HFS implementation code. Let's start static code analysys using cifrex.org tool!

-1.--------------------------------------------------------- Unchecked Return Value to NULL Pointer Dereference in hfs_vfsops.c

Code: http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vfsops.c

--- hfs_vfsops.c ---------------------------- / * HFS filesystem related variables. / int hfs_sysctl(int name, __unused u_int namelen, user_addr_t oldp, size_t oldlenp, user_addr_t newp, size_t newlen, vfs_context_t context) { ... if ((newlen <= 0) || (newlen > MAXPATHLEN)) return (EINVAL);

    bufsize = MAX(newlen * 3, MAXPATHLEN);
    MALLOC(filename, char *, newlen, M_TEMP, M_WAITOK);
    if (filename == NULL) { <=====================================

filename CHECK error = ENOMEM; goto encodinghint_exit; } MALLOC(unicode_name, u_int16_t *, bufsize, M_TEMP, M_WAITOK); if (filename == NULL) { <====================================== double CHECK? error = ENOMEM; goto encodinghint_exit; }

    error = copyin(newp, (caddr_t)filename, newlen);
    if (error == 0) {
        error = utf8_decodestr((u_int8_t *)filename, newlen - 1,

unicode_name, &bytes, bufsize, 0, UTF_DECOMPOSED); if (error == 0) { hint = hfs_pickencoding(unicode_name, bytes / 2); error = sysctl_int(oldp, oldlenp, USER_ADDR_NULL, 0, (int32_t *)&hint); } } --- hfs_vfsops.c----------------------------

Twice checking of 'filename' has no sense. Probably 'unicode_name' should be checked in second condition.

-2.--------------------------------------------------------- Possible Buffer Overflow in resource fork (hfs_vnops.c)

Unverified value returned by snprintf() may be bigger as a declared buffer (MAXPATHLEN).

https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man3/snprintf.3.html

The snprintf() and vsnprintf() functions will write at most n-1 of the characters printed into the out-put output put string (the n'th character then gets the terminating `\0'); if the return value is greater than or equal to the n argument, the string was too short and some of the printed characters were discarded. The output is always null-terminated.


Code: http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vnops.c

--- hfs_vnops.c ---------------------------- ... / * hfs_vgetrsrc acquires a resource fork vnode corresponding to the cnode that is * found in 'vp'. The rsrc fork vnode is returned with the cnode locked and iocount * on the rsrc vnode. * ... /

int hfs_vgetrsrc(struct hfsmount hfsmp, struct vnode vp, struct vnode **rvpp, int can_drop_lock, int error_on_unlinked) {

...

/ * Supply hfs_getnewvnode with a component name. / cn.cn_pnbuf = NULL; if (descptr->cd_nameptr) { MALLOC_ZONE(cn.cn_pnbuf, caddr_t, MAXPATHLEN, M_NAMEI, M_WAITOK); cn.cn_nameiop = LOOKUP; cn.cn_flags = ISLASTCN | HASBUF; cn.cn_context = NULL; cn.cn_pnlen = MAXPATHLEN; cn.cn_nameptr = cn.cn_pnbuf; cn.cn_hash = 0; cn.cn_consume = 0; cn.cn_namelen = snprintf(cn.cn_nameptr, MAXPATHLEN, <================ "%s%s", descptr->cd_nameptr, _PATH_RSRCFORKSPEC); } dvp = vnode_getparent(vp); error = hfs_getnewvnode(hfsmp, dvp, cn.cn_pnbuf ? &cn : NULL, <================ descptr, GNV_WANTRSRC | GNV_SKIPLOCK, &cp->c_attr, &rsrcfork, &rvp, &newvnode_flags);

--- hfs_vnops.c ----------------------------

Pattern is '%s%s' where sum of length descptr->cd_nameptr and _PATH_RSRCFORKSPEC may be bigger as a declared buffer size (MAXPATHLEN). Size of descptr->cd_nameptr is MAXPATHLEN and value _PATH_RSRCFORKSPEC is

#define _PATH_RSRCFORKSPEC "/..namedfork/rsrc"

where length is 17 chars. Possible up to 17 chars overflow here?.

Now let's see hfs_getnewvnode function

http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_cnode.c

--- hfs_cnode.c ---------------------------- hfs_getnewvnode( struct hfsmount hfsmp, struct vnode dvp, struct componentname cnp, <======== WATCH THIS struct cat_desc descp, int flags, struct cat_attr attrp, struct cat_fork forkp, struct vnode vpp, int out_flags) { ... if ((vpp != NULL) && (cnp)) { / we could be requesting the rsrc of a hardlink file... / vnode_update_identity (*vpp, dvp, cnp->cn_nameptr, cnp->cn_namelen, cnp->cn_hash, <== NAMELEN HERE (VNODE_UPDATE_PARENT | VNODE_UPDATE_NAME)); ... --- hfs_cnode.c ----------------------------

and call to vnode_update_indentity()

http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/vfs/vfs_cache.c

--- vfs_cache.c ---------------------------- void vnode_update_identity(vnode_t vp, vnode_t dvp, const char name, int name_len, uint32_t name_hashval, int flags) { ... if ( (flags & VNODE_UPDATE_NAME) ) { if (name != vp->v_name) { if (name && name) { if (name_len == 0) name_len = strlen(name); tname = vfs_addname(name, name_len, name_hashval, 0); <== NAMELEN HERE } } else flags &= ~VNODE_UPDATE_NAME; } ... const char * vfs_addname(const char *name, uint32_t len, u_int hashval, u_int flags) { return (add_name_internal(name, len, hashval, FALSE, flags)); <== CALL

} --- vfs_cache.c ----------------------------

And invalid memory reference in add_name_internal()

--- vfs_cache.c ---------------------------- static const char * add_name_internal(const char name, uint32_t len, u_int hashval, boolean_t need_extra_ref, __unused u_int flags) { struct stringhead head; string_t entry; uint32_t chain_len = 0; uint32_t hash_index; uint32_t lock_index; char ptr;

/*
 * if the length already accounts for the null-byte, then
 * subtract one so later on we don't index past the end
 * of the string. 
 */
if (len > 0 && name[len-1] == '\0') { <===== INVALID MEMORY REFERENCE
    len--;
}
if (hashval == 0) {
    hashval = hash_string(name, len);
}

--- vfs_cache.c ----------------------------

-3.--------------------------------------------------------- Unchecked Return Value to NULL Pointer Dereference hfs_catalog.c and not only

Please pay attention that a buffer length check (stored in some variable) should be performed; also return from *alloc() function family should be verified for possible NULL pointers. Here are a few FALSE / POSITIVE examples.

http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_catalog.c

--- hfs_catalog.c ---------------------------- / * builddesc - build a cnode descriptor from an HFS+ key / static int builddesc(const HFSPlusCatalogKey key, cnid_t cnid, u_int32_t hint, u_int32_t encoding, int isdir, struct cat_desc descp) { int result = 0; unsigned char * nameptr; size_t bufsize; size_t utf8len; unsigned char tmpbuff[128];

/* guess a size... */
bufsize = (3 * key->nodeName.length) + 1;
if (bufsize >= sizeof(tmpbuff) - 1) { <============================
    MALLOC(nameptr, unsigned char *, bufsize, M_TEMP, M_WAITOK); <=

MALLOC FAIL } else { nameptr = &tmpbuff[0]; }

result = utf8_encodestr(key->nodeName.unicode,
        key->nodeName.length * sizeof(UniChar),
        nameptr, (size_t *)&utf8len, <============================

... maxlinks = MIN(entrycnt, (u_int32_t)(uio_resid(uio) / SMALL_DIRENTRY_SIZE)); bufsize = MAXPATHLEN + (maxlinks * sizeof(linkinfo_t)) + sizeof(iterator); if (extended) { bufsize += 2sizeof(struct direntry); } MALLOC(buffer, void , bufsize, M_TEMP, M_WAITOK); <============================ bzero(buffer, bufsize); ... FREE(nameptr, M_TEMP); MALLOC(nameptr, unsigned char , bufsize, M_TEMP, M_WAITOK); <==============

result = utf8_encodestr(key->nodeName.unicode, key->nodeName.length * sizeof(UniChar), nameptr, (size_t )&utf8len, bufsize, ':', 0); } ... cnp = (const CatalogName )&ckp->hfsPlus.nodeName; bufsize = 1 + utf8_encodelen(cnp->ustr.unicode, cnp->ustr.length * sizeof(UniChar), ':', 0); MALLOC(new_nameptr, u_int8_t *, bufsize, M_TEMP, M_WAITOK); <======== result = utf8_encodestr(cnp->ustr.unicode, cnp->ustr.length * sizeof(UniChar), new_nameptr, &tmp_namelen, bufsize, ':', 0);

--- hfs_catalog.c ----------------------------

The above examples does not look nice, too. Are you among them is the crux of the problem applications and kernel crash? I informed Apple of those possible errors, it has passed more than a month and I still have not received any comment nor solution.

--- 1. References --- http://cxsecurity.com/issue/WLB-2014040027 http://cxsecurity.com/cveshow/CVE-2013-6799/ http://cxsecurity.com/cveshow/CVE-2010-0105/

--- 2. Greetz --- Kacper George and Michal

--- 3. Credit --- Maksymilian Arciemowicz http://cxsecurity.com/ http://cifrex.org/ http://cert.cx/

Best regards, CXSEC TEAM http://cxsec.org/

Show details on source website

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201311-0355",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 2.4,
        "vendor": "apple",
        "version": "10.9"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-005129"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-6799"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201311-232"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.9:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2013-6799"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Maksymilian Arciemowicz",
    "sources": [
      {
        "db": "BID",
        "id": "63612"
      },
      {
        "db": "PACKETSTORM",
        "id": "126039"
      }
    ],
    "trust": 0.4
  },
  "cve": "CVE-2013-6799",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "MEDIUM",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 4.7,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 3.4,
            "impactScore": 6.9,
            "integrityImpact": "NONE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Complete",
            "baseScore": 7.8,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2013-6799",
            "impactScore": null,
            "integrityImpact": "None",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 4.7,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 3.4,
            "id": "VHN-66801",
            "impactScore": 6.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:L/AC:M/AU:N/C:N/I:N/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2013-6799",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "CVE-2013-6799",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201311-232",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-66801",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-66801"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-005129"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-6799"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201311-232"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Apple Mac OS X 10.9 allows local users to cause a denial of service (memory corruption or panic) by creating a hard link to a directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-0105. \nExploiting this issue allows local, unprivileged users to crash the affected system, denying further service to legitimate users. MacOSX/XNU HFS Multiple Vulnerabilities\nMaksymilian Arciemowicz\nhttp://cxsecurity.com/\nhttp://cifrex.org/\n\n===================\n\nOn November 8th, I\u0027ve reported vulnerability in hard links for HFS+\n(CVE-2013-6799)\n\nhttp://cxsecurity.com/issue/WLB-2013110059\n\nThe HFS+ file system does not apply strict privilege rules during the\ncreating of hard links. The ability to create hard links to directories is\nwrong implemented and such an issue is affecting os versions greater or\nequal to 10.5. Officially Apple allows you to create hard links only for\nyour time machine. To create N hard links, you must use a\nspecial algorithm which creates links from the top of the file system tree. \nThis means that first we create the directory structure and once created we\nneed to go from up to down by creating hard links. The last time I\u0027ve\nmentioned of the possibility of a kernel crash by performing the \u0027ls\u0027\ncommand. This situation occurs in conjunction with the \u0027find\u0027 application. \n\nCommands such as \u0027ls\u0027 behave in unexpected ways. Apple are going find this\ncrash point in code. To create huge hard links structure, use this code\n\nhttp://cert.cx/stuff/l2.c\n\n-----------------------------------\nh1XSS:tysiak cx$ uname -a\nDarwin 000000000000000.home 13.1.0 Darwin Kernel Version 13.1.0: Thu Jan 16\n19:40:37 PST 2014; root:xnu-2422.90.20~2/RELEASE_X86_64 x86_64\nh1xss:tysiak cx$ gcc -o l2 l2.c\nh1xss:tysiak cx$ ./l2 1000\n... \nh1xss:tysiak cx$ cat loop.sh\n#!/bin/bash\nwhile [ 1 ] ; do\nls -laR B \u003e /dev/null\ndone\n\nh1xss:tysiak cx$ sh ./loop.sh\nls: B: No such file or directory\nls: X1: No such file or directory\n... \nls: X8: Bad address\nls: X1: Bad address\nls: X2: Bad address\n... \nls: X8: No such file or directory\n./loop.sh: line 4:  8816 Segmentation fault: 11  ls -laR B \u003e /dev/null\n./loop.sh: line 4:  8818 Segmentation fault: 11  ls -laR B \u003e /dev/null\nls: B: No such file or directory\nls: X1: No such file or directory\nls: X2: No such file or directory\n... \nls: X1: No such file or directory\nls: X2: No such file or directory\n-----------\n... \n-----------\nFeb  9 21:16:38 h1xss.home ReportCrash[9419]: Saved crash report for\nls[9418] version 230 to\n/Users/freak/Library/Logs/DiagnosticReports/ls_2014-02-09-211638_h1XSS.crash\n-----------\n\nThat what we can see here is unexpected behavior of LS command. LS process\nis also affected for infinite loop (recursion?). \n\n-----------\nh1xss:tysiak cx$ ps -fp 8822\n  UID   PID  PPID   C STIME   TTY           TIME CMD\n  501  8822  8810   0  7:36   ttys002   62:19.65 ls -laR B\n-----------\n\nor used parallely with (find . \u003e /dev/null) command cause a kernel crash\n\n-----------\nMon Mar 31 20:30:41 2014\npanic(cpu 0 caller 0xffffff80044dbe2e): Kernel trap at 0xffffff8004768838,\ntype 13=general protection, registers:\nCR0: 0x0000000080010033, CR2: 0xffffff8122877004, CR3: 0x0000000001a5408c,\nCR4: 0x00000000001606e0\nRAX: 0xffffff802bc148a0, RBX: 0xdeadbeefdeadbeef, RCX: 0x0000000000008000,\nRDX: 0x0000000000000000\nRSP: 0xffffff8140d9b990, RBP: 0xffffff8140d9b9a0, RSI: 0x0000000000000018,\nRDI: 0xffffff802f23bcd0\nR8:  0xffffff8140d9bc1c, R9:  0xffffff802f26e960, R10: 0xffffff8140d9ba2c,\nR11: 0x0000000000000f92\nR12: 0xffffff801ba1a008, R13: 0xffffff8140d9bb20, R14: 0xffffff802f23bcd0,\nR15: 0xffffff802f26e960\nRFL: 0x0000000000010282, RIP: 0xffffff8004768838, CS:  0x0000000000000008,\nSS:  0x0000000000000010\nFault CR2: 0xffffff8122877004, Error code: 0x0000000000000000, Fault CPU:\n0x0\n\nBacktrace (CPU 0), Frame : Return Address\n0xffffff811eee8c50 : 0xffffff8004422fa9\n\nBSD process name corresponding to current thread: ls\n-----------\n\nXNU is the computer operating system kernel that Apple Inc. acquired and\ndeveloped for use in the Mac OS X operating system and released as free and\nopen source software as part of the Darwin operating system. We can try to\nsee HFS implementation code. Let\u0027s start static code analysys using\ncifrex.org tool!\n\n-1.---------------------------------------------------------\nUnchecked Return Value to NULL Pointer Dereference in hfs_vfsops.c\n\nCode:\nhttp://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vfsops.c\n\n--- hfs_vfsops.c ----------------------------\n/*\n * HFS filesystem related variables. \n */\nint\nhfs_sysctl(int *name, __unused u_int namelen, user_addr_t oldp, size_t\n*oldlenp,\nuser_addr_t newp, size_t newlen, vfs_context_t context)\n{\n... \n       if ((newlen \u003c= 0) || (newlen \u003e MAXPATHLEN))\n            return (EINVAL);\n\n        bufsize = MAX(newlen * 3, MAXPATHLEN);\n        MALLOC(filename, char *, newlen, M_TEMP, M_WAITOK);\n        if (filename == NULL) { \u003c=====================================\nfilename CHECK\n            error = ENOMEM;\n            goto encodinghint_exit;\n        }\n        MALLOC(unicode_name, u_int16_t *, bufsize, M_TEMP, M_WAITOK);\n        if (filename == NULL) { \u003c======================================\ndouble CHECK?\n            error = ENOMEM;\n            goto encodinghint_exit;\n        }\n\n        error = copyin(newp, (caddr_t)filename, newlen);\n        if (error == 0) {\n            error = utf8_decodestr((u_int8_t *)filename, newlen - 1,\nunicode_name,\n                                   \u0026bytes, bufsize, 0, UTF_DECOMPOSED);\n            if (error == 0) {\n                hint = hfs_pickencoding(unicode_name, bytes / 2);\n                error = sysctl_int(oldp, oldlenp, USER_ADDR_NULL, 0,\n(int32_t *)\u0026hint);\n            }\n        }\n--- hfs_vfsops.c----------------------------\n\nTwice checking of \u0027filename\u0027 has no sense. Probably \u0027unicode_name\u0027 should\nbe checked in second condition. \n\n\n-2.---------------------------------------------------------\nPossible Buffer Overflow in resource fork (hfs_vnops.c)\n\nUnverified value returned by snprintf() may be bigger as a declared buffer\n(MAXPATHLEN). \n\n\nhttps://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man3/snprintf.3.html\n---\nThe snprintf() and vsnprintf() functions will write at most n-1 of the\ncharacters printed into the out-put output\n     put string (the n\u0027th character then gets the terminating `\\0\u0027); if the\nreturn value is greater than or\n     equal to the n argument, the string was too short and some of the\nprinted characters were discarded. \n     The output is always null-terminated. \n---\n\n\nCode:\nhttp://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vnops.c\n\n--- hfs_vnops.c ----------------------------\n... \n/*\n * hfs_vgetrsrc acquires a resource fork vnode corresponding to the cnode\nthat is\n * found in \u0027vp\u0027.  The rsrc fork vnode is returned with the cnode locked\nand iocount\n * on the rsrc vnode. \n *\n ... \n */\n\nint\nhfs_vgetrsrc(struct hfsmount *hfsmp, struct vnode *vp, struct vnode **rvpp,\nint can_drop_lock, int error_on_unlinked)\n{\n\n... \n\n/*\n * Supply hfs_getnewvnode with a component name. \n */\ncn.cn_pnbuf = NULL;\nif (descptr-\u003ecd_nameptr) {\n            MALLOC_ZONE(cn.cn_pnbuf, caddr_t, MAXPATHLEN, M_NAMEI,\nM_WAITOK);\n            cn.cn_nameiop = LOOKUP;\n            cn.cn_flags = ISLASTCN | HASBUF;\n            cn.cn_context = NULL;\n            cn.cn_pnlen = MAXPATHLEN;\n            cn.cn_nameptr = cn.cn_pnbuf;\n            cn.cn_hash = 0;\n            cn.cn_consume = 0;\n            cn.cn_namelen = snprintf(cn.cn_nameptr, MAXPATHLEN,\n\u003c================\n                         \"%s%s\", descptr-\u003ecd_nameptr,\n                         _PATH_RSRCFORKSPEC);\n        }\n        dvp = vnode_getparent(vp);\n        error = hfs_getnewvnode(hfsmp, dvp, cn.cn_pnbuf ? \u0026cn : NULL,\n\u003c================\n                                descptr, GNV_WANTRSRC | GNV_SKIPLOCK,\n\u0026cp-\u003ec_attr,\n                                \u0026rsrcfork, \u0026rvp, \u0026newvnode_flags);\n\n--- hfs_vnops.c ----------------------------\n\nPattern is \u0027%s%s\u0027 where sum of length descptr-\u003ecd_nameptr and\n_PATH_RSRCFORKSPEC may be bigger as a declared buffer size (MAXPATHLEN). \nSize of descptr-\u003ecd_nameptr is MAXPATHLEN and value _PATH_RSRCFORKSPEC is\n\n  #define _PATH_RSRCFORKSPEC     \"/..namedfork/rsrc\"\n\nwhere length is 17 chars. Possible up to 17 chars overflow here?. \n\nNow let\u0027s see hfs_getnewvnode function\n\nhttp://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_cnode.c\n\n--- hfs_cnode.c ----------------------------\nhfs_getnewvnode(\n    struct hfsmount *hfsmp,\n    struct vnode *dvp,\n    struct componentname *cnp, \u003c======== WATCH THIS\n    struct cat_desc *descp,\n    int flags,\n    struct cat_attr *attrp,\n    struct cat_fork *forkp,\n    struct vnode **vpp,\n    int *out_flags)\n{\n... \n                if ((*vpp != NULL) \u0026\u0026 (cnp)) {\n                    /* we could be requesting the rsrc of a hardlink\nfile... */\n                    vnode_update_identity (*vpp, dvp, cnp-\u003ecn_nameptr,\ncnp-\u003ecn_namelen, cnp-\u003ecn_hash, \u003c== NAMELEN HERE\n                            (VNODE_UPDATE_PARENT | VNODE_UPDATE_NAME));\n... \n--- hfs_cnode.c ----------------------------\n\nand call to vnode_update_indentity()\n\nhttp://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/vfs/vfs_cache.c\n\n\n--- vfs_cache.c ----------------------------\nvoid\nvnode_update_identity(vnode_t vp, vnode_t dvp, const char *name, int\nname_len, uint32_t name_hashval, int flags)\n{\n... \n    if ( (flags \u0026 VNODE_UPDATE_NAME) ) {\n        if (name != vp-\u003ev_name) {\n            if (name \u0026\u0026 *name) {\n                if (name_len == 0)\n                    name_len = strlen(name);\n                tname = vfs_addname(name, name_len, name_hashval, 0); \u003c==\nNAMELEN HERE\n            }\n        } else\n            flags \u0026= ~VNODE_UPDATE_NAME;\n    }\n... \nconst char *\nvfs_addname(const char *name, uint32_t len, u_int hashval, u_int flags)\n{\n    return (add_name_internal(name, len, hashval, FALSE, flags));  \u003c== CALL\n\n}\n--- vfs_cache.c ----------------------------\n\nAnd invalid memory reference in add_name_internal()\n\n--- vfs_cache.c ----------------------------\nstatic const char *\nadd_name_internal(const char *name, uint32_t len, u_int hashval, boolean_t\nneed_extra_ref, __unused u_int flags)\n{\n    struct stringhead *head;\n    string_t          *entry;\n    uint32_t          chain_len = 0;\n    uint32_t      hash_index;\n        uint32_t      lock_index;\n    char              *ptr;\n\n    /*\n     * if the length already accounts for the null-byte, then\n     * subtract one so later on we don\u0027t index past the end\n     * of the string. \n     */\n    if (len \u003e 0 \u0026\u0026 name[len-1] == \u0027\\0\u0027) { \u003c===== INVALID MEMORY REFERENCE\n        len--;\n    }\n    if (hashval == 0) {\n        hashval = hash_string(name, len);\n    }\n--- vfs_cache.c ----------------------------\n\n\n-3.---------------------------------------------------------\nUnchecked Return Value to NULL Pointer Dereference hfs_catalog.c and not\nonly\n\nPlease pay attention that a buffer length check (stored in some variable)\nshould be performed; also return from *alloc() function family should be\nverified for possible NULL pointers. \nHere are a few FALSE / POSITIVE examples. \n\nhttp://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_catalog.c\n\n--- hfs_catalog.c ----------------------------\n /*\n * builddesc - build a cnode descriptor from an HFS+ key\n */\nstatic int\nbuilddesc(const HFSPlusCatalogKey *key, cnid_t cnid, u_int32_t hint,\nu_int32_t encoding,\n    int isdir, struct cat_desc *descp)\n{\n    int result = 0;\n    unsigned char * nameptr;\n    size_t bufsize;\n    size_t utf8len;\n    unsigned char tmpbuff[128];\n\n    /* guess a size... */\n    bufsize = (3 * key-\u003enodeName.length) + 1;\n    if (bufsize \u003e= sizeof(tmpbuff) - 1) { \u003c============================\n        MALLOC(nameptr, unsigned char *, bufsize, M_TEMP, M_WAITOK); \u003c=\nMALLOC FAIL\n    } else {\n        nameptr = \u0026tmpbuff[0];\n    }\n\n    result = utf8_encodestr(key-\u003enodeName.unicode,\n            key-\u003enodeName.length * sizeof(UniChar),\n            nameptr, (size_t *)\u0026utf8len, \u003c============================\n\n... \n    maxlinks = MIN(entrycnt, (u_int32_t)(uio_resid(uio) /\nSMALL_DIRENTRY_SIZE));\nbufsize = MAXPATHLEN + (maxlinks * sizeof(linkinfo_t)) + sizeof(*iterator);\nif (extended) {\nbufsize += 2*sizeof(struct direntry);\n}\nMALLOC(buffer, void *, bufsize, M_TEMP, M_WAITOK);\n\u003c============================\nbzero(buffer, bufsize);\n... \nFREE(nameptr, M_TEMP);\nMALLOC(nameptr, unsigned char *, bufsize, M_TEMP, M_WAITOK); \u003c==============\n\nresult = utf8_encodestr(key-\u003enodeName.unicode,\n                        key-\u003enodeName.length * sizeof(UniChar),\n                        nameptr, (size_t *)\u0026utf8len,\n                        bufsize, \u0027:\u0027, 0);\n}\n ... \ncnp = (const CatalogName *)\u0026ckp-\u003ehfsPlus.nodeName;\nbufsize = 1 + utf8_encodelen(cnp-\u003eustr.unicode,\n                             cnp-\u003eustr.length * sizeof(UniChar),\n                             \u0027:\u0027, 0);\nMALLOC(new_nameptr, u_int8_t *, bufsize, M_TEMP, M_WAITOK); \u003c========\nresult = utf8_encodestr(cnp-\u003eustr.unicode,\n                        cnp-\u003eustr.length * sizeof(UniChar),\n                        new_nameptr, \u0026tmp_namelen, bufsize, \u0027:\u0027, 0);\n\n--- hfs_catalog.c ----------------------------\n\nThe above examples does not look nice, too. Are you among them is the crux\nof the problem applications and kernel crash?\nI informed Apple of those possible errors, it has passed more than a month\nand I still have not received any comment nor solution. \n\n\n--- 1. References ---\nhttp://cxsecurity.com/issue/WLB-2014040027\nhttp://cxsecurity.com/cveshow/CVE-2013-6799/\nhttp://cxsecurity.com/cveshow/CVE-2010-0105/\n\n\n--- 2. Greetz ---\nKacper George and Michal\n\n\n--- 3. Credit ---\nMaksymilian Arciemowicz\nhttp://cxsecurity.com/\nhttp://cifrex.org/\nhttp://cert.cx/\n\nBest regards,\nCXSEC TEAM\nhttp://cxsec.org/\n\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2013-6799"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-005129"
      },
      {
        "db": "BID",
        "id": "63612"
      },
      {
        "db": "VULHUB",
        "id": "VHN-66801"
      },
      {
        "db": "PACKETSTORM",
        "id": "126039"
      }
    ],
    "trust": 2.07
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-66801",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-66801"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2013-6799",
        "trust": 2.9
      },
      {
        "db": "CXSECURITY",
        "id": "WLB-2013110059",
        "trust": 2.6
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-005129",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201311-232",
        "trust": 0.7
      },
      {
        "db": "BUGTRAQ",
        "id": "20131108 RE: APPLE MACOSX 10.9 HARD LINK MEMORY CORRUPTION",
        "trust": 0.6
      },
      {
        "db": "BUGTRAQ",
        "id": "20131107 APPLE MACOSX 10.9 HARD LINK MEMORY CORRUPTION",
        "trust": 0.6
      },
      {
        "db": "BID",
        "id": "63612",
        "trust": 0.4
      },
      {
        "db": "EXPLOIT-DB",
        "id": "32754",
        "trust": 0.1
      },
      {
        "db": "SEEBUG",
        "id": "SSVID-86028",
        "trust": 0.1
      },
      {
        "db": "VULHUB",
        "id": "VHN-66801",
        "trust": 0.1
      },
      {
        "db": "CXSECURITY",
        "id": "WLB-2014040027",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "126039",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-66801"
      },
      {
        "db": "BID",
        "id": "63612"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-005129"
      },
      {
        "db": "PACKETSTORM",
        "id": "126039"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-6799"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201311-232"
      }
    ]
  },
  "id": "VAR-201311-0355",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-66801"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2023-12-18T11:11:13.482000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "OS X",
        "trust": 0.8,
        "url": "https://www.apple.com/jp/osx/"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-005129"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-119",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-66801"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-005129"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-6799"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.6,
        "url": "http://cxsecurity.com/issue/wlb-2013110059"
      },
      {
        "trust": 1.7,
        "url": "http://archives.neohapsis.com/archives/bugtraq/2013-11/0033.html"
      },
      {
        "trust": 1.7,
        "url": "http://archives.neohapsis.com/archives/bugtraq/2013-11/0051.html"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-6799"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-6799"
      },
      {
        "trust": 0.3,
        "url": "http://www.apple.com/macosx/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2010-0105"
      },
      {
        "trust": 0.1,
        "url": "http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_cnode.c"
      },
      {
        "trust": 0.1,
        "url": "http://cifrex.org/"
      },
      {
        "trust": 0.1,
        "url": "http://cxsecurity.com/"
      },
      {
        "trust": 0.1,
        "url": "http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/vfs/vfs_cache.c"
      },
      {
        "trust": 0.1,
        "url": "http://cert.cx/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-6799"
      },
      {
        "trust": 0.1,
        "url": "http://cert.cx/stuff/l2.c"
      },
      {
        "trust": 0.1,
        "url": "http://cxsec.org/"
      },
      {
        "trust": 0.1,
        "url": "http://cxsecurity.com/cveshow/cve-2010-0105/"
      },
      {
        "trust": 0.1,
        "url": "http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_catalog.c"
      },
      {
        "trust": 0.1,
        "url": "http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vnops.c"
      },
      {
        "trust": 0.1,
        "url": "http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vfsops.c"
      },
      {
        "trust": 0.1,
        "url": "http://cxsecurity.com/cveshow/cve-2013-6799/"
      },
      {
        "trust": 0.1,
        "url": "http://cxsecurity.com/issue/wlb-2014040027"
      },
      {
        "trust": 0.1,
        "url": "https://developer.apple.com/library/mac/documentation/darwin/reference/manpages/man3/snprintf.3.html"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-66801"
      },
      {
        "db": "BID",
        "id": "63612"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-005129"
      },
      {
        "db": "PACKETSTORM",
        "id": "126039"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-6799"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201311-232"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-66801"
      },
      {
        "db": "BID",
        "id": "63612"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-005129"
      },
      {
        "db": "PACKETSTORM",
        "id": "126039"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-6799"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201311-232"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2013-11-18T00:00:00",
        "db": "VULHUB",
        "id": "VHN-66801"
      },
      {
        "date": "2013-11-08T00:00:00",
        "db": "BID",
        "id": "63612"
      },
      {
        "date": "2013-11-19T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-005129"
      },
      {
        "date": "2014-04-06T16:22:11",
        "db": "PACKETSTORM",
        "id": "126039"
      },
      {
        "date": "2013-11-18T02:55:09.983000",
        "db": "NVD",
        "id": "CVE-2013-6799"
      },
      {
        "date": "2013-11-21T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201311-232"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2013-11-20T00:00:00",
        "db": "VULHUB",
        "id": "VHN-66801"
      },
      {
        "date": "2013-11-19T00:26:00",
        "db": "BID",
        "id": "63612"
      },
      {
        "date": "2013-11-19T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-005129"
      },
      {
        "date": "2013-11-20T00:17:15.807000",
        "db": "NVD",
        "id": "CVE-2013-6799"
      },
      {
        "date": "2013-11-21T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201311-232"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "local",
    "sources": [
      {
        "db": "BID",
        "id": "63612"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201311-232"
      }
    ],
    "trust": 0.9
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Apple Mac OS X Service disruption in  (DoS) Vulnerabilities",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-005129"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "buffer overflow",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201311-232"
      }
    ],
    "trust": 0.6
  }
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…