Technical Advisory – Apple HFS+ Information Disclosure Vulnerability

 Virtual Security Research, LLC.
                     Security Advisory


Advisory Name: Apple HFS+ Information Disclosure Vulnerability
 Release Date: 2011-03-22
  Application: Apple OS X kernel (XNU)
     Versions: All versions <= xnu-1504.7.4
     Severity: Medium
       Author: Dan Rosenberg  
Vendor Status: Patch Released [2]
CVE Candidate: CVE-2011-0180


Product Description
From [1]:

 "Beneath the appealing, easy-to-use interface of Mac OS X is a rock-solid,
  UNIX-based foundation that is engineered for stability, reliability, and
  performance.  The kernel environment is built on top of Mach 3.0 and provides
  high-performance networking facilities and support for multiple, integrated
  file systems."

Vulnerability Overview

On June 30th, VSR identified a vulnerability in HFS+, a filesystem implemented
in the OS X XNU kernel.  HFS+ is the default filesystem in use on many
installations of the Mac OS X operating system.  By exploiting this
vulnerability, an unprivileged user with local access to a machine using HFS+
may be able to read raw filesystem data, bypassing file permissions and
resulting in information disclosure.

Vulnerability Details

Users may interact with the filesystem using the standard ioctl interface.
HFS+ features an ioctl called F_READBOOTSTRAP that allows unprivileged users to
read raw data from an HFS+ filesystem.  The ioctl intends to ensure that this
data is restricted to the first 1024 bytes, where bootstrap information is
stored.  However, due to an integer overflow in the code that attempts to
enforce this restriction, it is possible for an unprivileged user to use this
ioctl to read large portions of filesystem data outside of this byte range,
leading to an information disclosure vulnerability.

The vulnerable check reads as follows, in bsd/hfs/hfs_readwrite.c:

if (user_bootstrapp->fbt_offset + user_bootstrapp->fbt_length > 1024)
	return EINVAL;

If a user provides values for the fbt_offset and fbt_length members such that
their sum overflows and wraps around to an integer less than 1024, portions of
filesystem data outside the intended range will be read and returned to the

Proof-of-Concept Exploit

VSR has developed a proof-of-concept exploit [3] to both demonstrate the
severity of this issue as well as allow users and administrators to verify the
existence of the vulnerability. The exploit leverages the integer overflow
to read arbitrary amounts of filesystem data at a negative offset from the end
of the filesystem.

Versions Affected
Testing was performed on Darwin Kernel Version 10.4.0, xnu-1504.7.4~1, but
review of older source code suggests that all versions of OS X may be affected.

Vendor Response
The following timeline details Apple's response to the reported issue:

2010-07-01    Apple was provided a draft advisory
2010-07-02    Apple acknowledges receipt of advisory
2010-07-22    Request for confirmation of issue
2010-07-25    Apple confirms issue under investigation
2010-09-02    Request for status update
2010-09-02    Apple confirms fix is being tested
2010-10-13    Request for status update
2010-10-14    Apple confirms fix is planned for undetermined date
2010-11-16    Request for status update
2010-11-16    Apple confirms ship date is set for early 2011
2011-01-18    Request for status update
2011-01-18    Apple confirms ship date for early April
2011-03-21    Apple publishes fix

Apple's advisory may be obtained at:

Apply the fix provided by Apple's OS X security update [2].

Common Vulnerabilities and Exposures (CVE) Information
The Common Vulnerabilities and Exposures (CVE) project has assigned
the number CVE-2011-0180 to this issue.  This is a candidate for
inclusion in the CVE list (, which standardizes
names for security problems.



1. Darwin and Core Technologies 

2. Apple Security Update 2011-001

3. HFS+ F_READBOOTSTRAP information disclosure exploit


This advisory is distributed for educational purposes only with the sincere 
hope that it will help promote public safety.  This advisory comes with 
absolutely NO WARRANTY; not even the implied warranty of merchantability or 
fitness for a particular purpose.  Virtual Security Research, LLC nor the author 
accepts any liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.

See the VSR disclosure policy for more information on our responsible disclosure

     Copyright 2011 Virtual Security Research, LLC.  All rights reserved.

To view the advisory as a txt. click here.

Editor's note: This work was originally published by VSR on their website at VSR is now a part of NCC Group, so we have migrated this content to The advisory text as above has been copy-pasted to this blog for historical reference.

Call us before you need us.

Our experts will help you.

Get in touch