[VIM] BID:20031 Apple Mac OS X KExtLoad Format String Weakness [CVE-2004-1398]

Matthew Murphy mattmurphy at kc.rr.com
Mon Sep 18 14:00:08 EDT 2006


I don't see how this is really a vulnerability, or even a security issue.

1) KExtLoad is not setuid root -- successful exploitation of this
issue results in the ability to execute arbitrary code as the user
calling KExtLoad.

2) In order to exploit this against a root process, the attacker needs
to be able to directly specify a path to a kernel extension -- which
is probably game over anyway.

It seems like the problem here is that we have a setuid binary which
is loading kernel extensions based on paths specified in user input.
Once you can talk an application into loading a kernel module for you,
the system is pretty well hosed.

Is there something I'm missing?

On 9/18/06, Heinbockel, Bill <heinbockel at mitre.org> wrote:
> In the Netragard Full-Disclosure post:
> FULLDISC:20060913 [NETRAGARD-20060822 SECURITY ADVISORY] [ APPLE
> COMPUTER CORPORATION KEXTLOAD VULNERABILITY + ROXIO TOAST TITANUM 7
> HELPER APP - LOCAL ROOT COMROMISE]
> http://lists.grok.org.uk/pipermail/full-disclosure/2006-September/049452.html
> http://www.netragard.com/pdfs/research/apple-kext-tools-20060822.txt
>
> ===================================================================
>
> 1-) kextload format string vulnerability.
>
> Executing "sudo kextload %x.%x.%x.%x.%x.%x" demonstrates the
> vulnerability.  The code which enables this format string
> vulnerability can be found in "prelink.c" and reads as
>
> fprintf(stderr, kext_path);
>
> ...
>
> 4-) Example of kextload format string vulnerability affecting
>     TDIXSupport
>
> netragard-test:$ ./TDIXSupport %x%x%x%x%x%x%/TDIXController.kext
> kextload: /Library/Application Support/Roxio/90b4b6ca1c69737473652065\
> 78682062756e646c65/TDIXController.kext: no such bundle file exists
> can't add kernel extension %x%x%x%x%x%x%/TDIXController.kext (file ac\
> cess/permissions) (run kextload on this kext with -t for diagnostic o\
> utput)
>
> ===================================================================
>
> appears to actually be a duplicate report of CVE-2004-1398:
>
> CVE-2004-1398
> Format string vulnerability in TDIXSupport in Roxio Toast on Mac OS X
> may allow local users to execute arbitrary code via certain inputs that
> contain format strings.
> BUGTRAQ:20041214 Possible local root vulnerability in Roxio Toast on
> Mac OS X
> http://marc.theaimsgroup.com/?l=bugtraq&m=110305083706943&w=2
> BID:11926
> http://www.securityfocus.com/bid/11926
> XF:roxio-toast-tdixsupport-format-string(18472)
> http://xforce.iss.net/xforce/xfdb/18472
>
>
> William Heinbockel
> Infosec Engineer
> The MITRE Corporation
> 202 Burlington Rd. MS S145
> Bedford, MA 01730
> heinbockel at mitre.org
> 781-271-2615
>
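The fix for the pattern the advisory quotes (`fprintf(stderr, kext_path);`), as an added example that is not code from the advisory, from Apple's kext tools or from Roxio: the path is passed as a `%s` argument so any directives in it stay literal, alongside a small check that flags format directives in untrusted input. Function names are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern from the quoted advisory (shown only as a comment, never run):
 *
 *     fprintf(stderr, kext_path);
 *
 * The user-supplied path is used as the FORMAT string, so "%x", "%n", ... in it
 * are interpreted as conversion directives. The hardened form below keeps the
 * format constant and passes the path as data. */

/* Build the diagnostic into 'out' with the path as a "%s" argument.
 * Returns the length snprintf would have produced (so the caller can detect
 * truncation when the return value >= outlen). */
int report_missing_kext(const char *kext_path, char *out, size_t outlen)
{
    return snprintf(out, outlen, "kextload: %s: no such bundle file exists", kext_path);
}

/* Defensive check for wrappers, tests or log review: does an untrusted string
 * contain anything printf would treat as a directive? "%%" is a literal '%';
 * a lone trailing '%' is also undefined for printf, so it is flagged too. */
bool contains_format_directive(const char *s)
{
    for (const char *p = strchr(s, '%'); p != NULL; p = strchr(p + 1, '%')) {
        if (p[1] != '%')
            return true;   /* "%x", "%n", "%s", ... or a lone '%' */
        p++;               /* skip the second '%' of an escaped "%%" */
    }
    return false;
}

int main(void)
{
    /* Constructed input, modelled on the advisory's TDIXSupport example. */
    const char *path = "%x%x%x%x%x%x%/TDIXController.kext";
    char msg[128];

    report_missing_kext(path, msg, sizeof msg);
    fputs(msg, stderr);            /* directives are printed verbatim */
    fputc('\n', stderr);

    if (contains_format_directive(path))
        fputs("warning: path contains printf directives\n", stderr);
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` makes gcc and clang warn on a non-literal format string with no arguments, which is how the original `fprintf(stderr, kext_path)` would have been caught at build time.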
