Mac OS X Kernel Integer Overflows in i386_set_ldt() and i386_get_ldt() Let Local Users Gain System Privileges
SecurityTracker Alert ID: 1021403|
SecurityTracker URL: http://securitytracker.com/id/1021403
(Links to External Site)
Date: Dec 15 2008
Execution of arbitrary code via local system, Root access via local system|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): 10.5 - 10.5.5|
A vulnerability was reported in the Mac OS X kernel. A local user can obtain system privileges on the target system.|
A local user can invoke the i386_set_ldt() and i386_get_ldt() system calls to trigger an integer overflow and execute arbitrary commands on the target system with system privileges.
PowerPC systems are not affected.
Richard Vaneeden of IOActive, Inc. reported this vulnerability.
A local user can obtain system privileges on the target system.|
Apple has issued a fix as part of Security Update 2008-008 and Mac OS X v10.5.6, available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:|
The Software Update utility will present the update that applies to your system configuration. Only one is needed, either Security Update 2008-008 or Mac OS X v10.5.6.
For Mac OS X v10.5.5
The download file is named: "MacOSXUpd10.5.6.dmg"
Its SHA-1 digest is: 684f67524a92b4314a4bdd52498fb3b6af8f9ded
For Mac OS X v10.5 - v10.5.4
The download file is named: "MacOSXUpdCombo10.5.6.dmg"
Its SHA-1 digest is: 09de4ac2c5591ab75d51ef37dc70f9e5630150d4
For Mac OS X Server v10.5.5
The download file is named: "MacOSXServerUpd10.5.6.dmg"
Its SHA-1 digest is: bd14ab94b9bcc896da1613ac761171b54286bcac
For Mac OS X Server v10.5 - v10.5.4
The download file is named: "MacOSXServerUpdCombo10.5.6.dmg"
Its SHA-1 digest is: e20d8d458be3ec51b0083ff823ce27def00dbca7
For Mac OS X v10.4.11 (Intel)
The download file is named: "SecUpd2008-008Intel.dmg"
Its SHA-1 digest is: 651e592fad1bd158a76459a81d2ebede1f3bedea
For Mac OS X v10.4.11 (PowerPC)
The download file is named: "SecUpd2008-008PPC.dmg"
Its SHA-1 digest is: 9bb2aa7fcc924715b6442e808fc778789f359906
For Mac OS X Server v10.4.11 (Universal)
The download file is named: "SecUpdSrvr2008-008Univ.dmg"
Its SHA-1 digest is: 21702064037150cdeb9d708304ee91eb254c7371
For Mac OS X Server v10.4.11 (PowerPC)
The download file is named: "SecUpdSrvr2008-008PPC.dmg"
Its SHA-1 digest is: d0e4720051ea27b8edf0ab2a124d6e9f0e16534c
The vendor's advisory is available at:
Vendor URL: support.apple.com/kb/HT3338 (Links to External Site)
Source Message Contents
Date: Mon, 15 Dec 2008 14:04:29 -0500|
Subject: Mac OS X
APPLE-SA-2008-12-15 Security Update 2008-008 / Mac OS X v10.5.6
Available for: Mac OS X v10.5 through v10.5.5,
Mac OS X Server v10.5 through v10.5.5
Impact: A local user may obtain system privileges
Description: Integer overflow issues exist within the i386_set_ldt
and i386_get_ldt system calls, which may allow a local user to
execute arbitrary code with system privileges. This update addresses
the issues through improved bounds checking. These issues do not
affect PowerPC systems. Credit to Richard Vaneeden of IOActive, Inc.
for reporting these issues.