[VIM] BID:20031 Apple Mac OS X KExtLoad Format String Weakness [CVE-2004-1398]

Heinbockel, Bill heinbockel at mitre.org
Mon Sep 18 13:39:36 EDT 2006


In the Netragard Full-Disclosure post:
FULLDISC:20060913 [NETRAGARD-20060822 SECURITY ADVISORY] [ APPLE
COMPUTER CORPORATION KEXTLOAD VULNERABILITY + ROXIO TOAST TITANUM 7
HELPER APP - LOCAL ROOT COMROMISE]
http://lists.grok.org.uk/pipermail/full-disclosure/2006-September/049452.html
http://www.netragard.com/pdfs/research/apple-kext-tools-20060822.txt

===================================================================

1-) kextload format string vulnerability.

Executing "sudo kextload %x.%x.%x.%x.%x.%x" demonstrates the
vulnerability.  The code which enables this format string
vulnerability can be found in "prelink.c" and reads as

fprintf(stderr, kext_path);

...

4-) Example of kextload format string vulnerability affecting
     TDIXSupport

netragard-test:$ ./TDIXSupport %x%x%x%x%x%x%/TDIXController.kext
kextload: /Library/Application Support/Roxio/90b4b6ca1c69737473652065\
78682062756e646c65/TDIXController.kext: no such bundle file exists
can't add kernel extension %x%x%x%x%x%x%/TDIXController.kext (file ac\
cess/permissions) (run kextload on this kext with -t for diagnostic o\
utput)

===================================================================

appears to actually be a duplicate report of CVE-2004-1398:

CVE-2004-1398
Format string vulnerability in TDIXSupport in Roxio Toast on Mac OS X
may allow local users to execute arbitrary code via certain inputs that
contain format strings.
BUGTRAQ:20041214 Possible local root vulnerability in Roxio Toast on
Mac OS X
http://marc.theaimsgroup.com/?l=bugtraq&m=110305083706943&w=2
BID:11926
http://www.securityfocus.com/bid/11926
XF:roxio-toast-tdixsupport-format-string(18472)
http://xforce.iss.net/xforce/xfdb/18472


William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615
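
Added example, not part of the original post or of Apple's kextload source: the `fprintf(stderr, kext_path);` pattern quoted from the advisory beside a hardened form that passes the path as data. The function names are hypothetical and the message wording is modelled on the kextload output shown above.

```c
#include <stdio.h>
#include <string.h>

/* Pattern quoted in the advisory (do not use): the path IS the format string,
 *     fprintf(stderr, kext_path);
 * so "%x" supplied on the command line is interpreted by fprintf
 * instead of being printed. */

/* Hardened form: constant format string, untrusted path passed as data.
 * Returns the number of characters written, or -1 on truncation or error. */
int format_missing_bundle(char *out, size_t outlen, const char *kext_path)
{
    int n = snprintf(out, outlen,
                     "kextload: %s: no such bundle file exists\n", kext_path);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Triage helper (hypothetical): count '%' directives in an untrusted
 * argument. "%%" is a literal percent sign and is not counted. */
size_t count_format_directives(const char *s)
{
    size_t count = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {   /* escaped percent: skip both characters */
            i++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    const char *arg = "%x.%x.%x.%x.%x.%x";   /* argument from the advisory */
    char msg[256];

    if (format_missing_bundle(msg, sizeof msg, arg) > 0)
        fputs(msg, stderr);                  /* fputs never interprets directives */
    fprintf(stderr, "directives in argument: %zu\n",
            count_format_directives(arg));
    return 0;
}
```

Building with `-Wformat -Wformat-security` (GCC or Clang) flags the original call, where a non-literal string is used as the format with no arguments.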

