Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Apple HFS+ Information Disclosure Vulnerability Release Date: 2011-03-22 Application: Apple OS X kernel (XNU) Versions: All versions <= xnu-1504.7.4 Severity: Medium Author: Dan Rosenberg
Vendor Status: Patch Released  CVE Candidate: CVE-2011-0180 Reference: http://www.vsecurity.com/resources/advisory/20110322-1/ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Product Description ------------------- From : "Beneath the appealing, easy-to-use interface of Mac OS X is a rock-solid, UNIX-based foundation that is engineered for stability, reliability, and performance. The kernel environment is built on top of Mach 3.0 and provides high-performance networking facilities and support for multiple, integrated file systems." Vulnerability Overview ---------------------- On June 30th, VSR identified a vulnerability in HFS+, a filesystem implemented in the OS X XNU kernel. HFS+ is the default filesystem in use on many installations of the Mac OS X operating system. By exploiting this vulnerability, an unprivileged user with local access to a machine using HFS+ may be able to read raw filesystem data, bypassing file permissions and resulting in information disclosure. Vulnerability Details --------------------- Users may interact with the filesystem using the standard ioctl interface. HFS+ features an ioctl called F_READBOOTSTRAP that allows unprivileged users to read raw data from an HFS+ filesystem. The ioctl intends to ensure that this data is restricted to the first 1024 bytes, where bootstrap information is stored. However, due to an integer overflow in the code that attempts to enforce this restriction, it is possible for an unprivileged user to use this ioctl to read large portions of filesystem data outside of this byte range, leading to an information disclosure vulnerability. The vulnerable check reads as follows, in bsd/hfs/hfs_readwrite.c: if (user_bootstrapp->fbt_offset + user_bootstrapp->fbt_length > 1024) return EINVAL; If a user provides values for the fbt_offset and fbt_length members such that their sum overflows and wraps around to an integer less than 1024, portions of filesystem data outside the intended range will be read and returned to the user. Proof-of-Concept Exploit ------------------------ VSR has developed a proof-of-concept exploit  to both demonstrate the severity of this issue as well as allow users and administrators to verify the existence of the vulnerability. The exploit leverages the integer overflow to read arbitrary amounts of filesystem data at a negative offset from the end of the filesystem. Versions Affected ----------------- Testing was performed on Darwin Kernel Version 10.4.0, xnu-1504.7.4~1, but review of older source code suggests that all versions of OS X may be affected. Vendor Response --------------- The following timeline details Apple's response to the reported issue: 2010-07-01 Apple was provided a draft advisory 2010-07-02 Apple acknowledges receipt of advisory 2010-07-22 Request for confirmation of issue 2010-07-25 Apple confirms issue under investigation 2010-09-02 Request for status update 2010-09-02 Apple confirms fix is being tested 2010-10-13 Request for status update 2010-10-14 Apple confirms fix is planned for undetermined date 2010-11-16 Request for status update 2010-11-16 Apple confirms ship date is set for early 2011 2011-01-18 Request for status update 2011-01-18 Apple confirms ship date for early April 2011-03-21 Apple publishes fix Apple's advisory may be obtained at: http://support.apple.com/kb/HT4581 Recommendation -------------- Apply the fix provided by Apple's OS X security update . Common Vulnerabilities and Exposures (CVE) Information ------------------------------------------------------ The Common Vulnerabilities and Exposures (CVE) project has assigned the number CVE-2011-0180 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- References: 1. Darwin and Core Technologies http://developer.apple.com/mac/library/documentation/MacOSX/Conceptual/OSX_Technology_Overview/SystemTechnology/SystemTechnology.html 2. Apple Security Update 2011-001 http://support.apple.com/kb/HT4581 3. HFS+ F_READBOOTSTRAP information disclosure exploit http://www.vsecurity.com/download/tools/hfs-dump.c -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This advisory is distributed for educational purposes only with the sincere hope that it will help promote public safety. This advisory comes with absolutely NO WARRANTY; not even the implied warranty of merchantability or fitness for a particular purpose. Virtual Security Research, LLC nor the author accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. See the VSR disclosure policy for more information on our responsible disclosure practices: http://www.vsecurity.com/disclosurepolicy.html -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Copyright 2011 Virtual Security Research, LLC. All rights reserved.
Editor’s note: This work was originally published by VSR on their website at https://www.vsecurity.com/resources/advisories.html. VSR is now a part of NCC Group, so we have migrated this content to research.nccgroup.com. The advisory text as above has been copy-pasted to this blog for historical reference.