SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   OS (UNIX)  >   Mac OS X Vendors:   Apple Computer
Mac OS X WebDAV Memory Allocation Error Lets Local Users Deny Service
SecurityTracker Alert ID:  1024250
SecurityTracker URL:  http://securitytracker.com/id/1024250
CVE Reference:   CVE-2010-1794   (Links to External Site)
Date:  Jul 27 2010
Impact:   Denial of service via local system
Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in Mac OS X. A local user can cause denial of service conditions.

A local user can invoke the WebDAV kernel extension and trigger a memory allocation error in the webdav_mount() function to cause a kernel panic.

The vendor has been notified.

Dan Rosenberg reported this vulnerability.

Impact:   A local user can cause a kernel panic on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.apple.com/ (Links to External Site)
Cause:   Access control error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Mon, 26 Jul 2010 09:11:30 -0400
Subject:  Mac OS X WebDAV kernel extension local denial-of-service

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=A0Mac OS X WebDAV kernel extension local denial-of-service
=A0July 26, 2010
=A0CVE-2010-1794
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

=3D=3DDescription=3D=3D

"Web-based Distributed Authoring and Versioning, or WebDAV, is a set
of extensions to the Hypertext Transfer Protocol that allows computer
users to edit and manage files collaboratively on remote World Wide
Web servers." [1]

Mac OS X supports WebDAV shares natively as a filesystem, implemented
as a kernel extension.=A0 Local users can mount WebDAV shares using the
"mount_webdav" utility included in most default installations.

The WebDAV kernel extension is vulnerable to a denial-of-service issue
that allows a local unprivileged user to trigger a kernel panic due to
a memory overallocation.=A0 This vulnerability has been verified with
proof-of-concept code.=A0 The vulnerable code is in the webdav_mount()
function, and reads as:

MALLOC(fmp->pm_socket_name, struct sockaddr *, args.pa_socket_namelen,
M_TEMP, M_WAITOK);

"args" is a user-controlled struct provided as an argument to a
request to mount a WebDAV share, and there is no checking of the
"pa_socket_namelen" field.=A0 If a user were to issue a mount request
with a very large value for this field, this will trigger a kernel
panic, since in BSD-based kernels (such as XNU), MALLOC() with
M_WAITOK will result in a panic when the requested memory cannot be
allocated.

=3D=3DNotes on Disclosure=3D=3D

My disclosure of this issue prior to an official fix is not meant to
be taken as a statement against Apple's management of security issues.
 Local denial-of-service issues are by nature low impact - many
security teams do not regard these as security-relevant at all.=A0 I
believe the chances of exploitation of this in real life are
practically non-existent.=A0 Given that the vulnerability resides in an
open source kernel extension, I chose to disclose this issue so that
concerned administrators can apply a fix immediately, while the rest
of us can benefit from a little increased awareness of potentially
unsafe memory allocation situations.=A0 Apple's security team was
contacted prior to disclosure, and I'm sure they'll incorporate a fix
in a future release.

=3D=3DSolution=3D=3D

The WebDAV kernel extension can be obtained online [2].=A0 The following
patch can be applied to this extension, after which it should be
recompiled to replace the existing extension at
/System/Library/Extensions/webdav_fs.kext:

--- webdav_fs.kextproj.orig/webdav_fs.kmodproj/webdav_vfsops.c
2010-07-21 09:51:09.000000000 -0400
+++ webdav_fs.kextproj/webdav_fs.kmodproj/webdav_vfsops.c
2010-07-21 10:32:43.000000000 -0400
@@ -319,6 +319,12 @@ static int webdav_mount(struct mount *mp
=A0=A0=A0=A0 }

=A0=A0=A0=A0 /* Get the server sockaddr from the args */
+=A0=A0=A0 if(args.pa_socket_namelen > NAME_MAX)
+=A0=A0=A0 {
+=A0=A0=A0 =A0=A0=A0 error =3D EINVAL;
+=A0=A0=A0 =A0=A0=A0 goto bad;
+=A0=A0=A0 }
+
=A0=A0=A0=A0 MALLOC(fmp->pm_socket_name, struct sockaddr *,
args.pa_socket_namelen, M_TEMP, M_WAITOK);
=A0=A0=A0=A0 error =3D copyin(args.pa_socket_name, fmp->pm_socket_name,
args.pa_socket_namelen);
=A0=A0=A0=A0 if (error)


=3D=3DCredits=3D=3D

This vulnerability was discovered by Dan Rosenberg (dan.j.rosenberg@gmail.c=
om).

=3D=3DReferences=3D=3D

CVE identifier CVE-2010-1794 has been assigned to this issue by Apple.

[1] http://en.wikipedia.org/wiki/WebDAV
[2] http://opensource.apple.com/source/webdavfs/webdavfs-293/webdav_fs.kext=
proj/webdav_fs.kmodproj/
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC