Root exploit for Mac OS X
Several exploits for Apple's Mac OS X operating system are in circulation which have not yet been patched. In a short test carried out by the heise Security editorial team, one of the exploits allowed a Mac OS X 10.5.6 user with normal privileges to obtain root privileges. The problem is triggered when mounting malformed HFS disk images. The exploit consists of a shell script and some source code written in C. The C code generates the disk image which, when mounted, provokes the flaw that allows execution of code at root level.
The other exploits target vulnerabilities in kernel system calls (CTL_VFS
, SYS___mac_getfsstat
and SYS_add_profil
) which allow logged-in users to crash a system. Parts of the kernel memory may also be vulnerable to spying. Another exploit for a hole in AppleTalk reportedly allows attackers to remotely provoke a buffer overflow. However, this vulnerability doesn't seem to allow code injection.
It remains unknown whether Apple has been informed of these problems. On his digit-labs.org website, the author of the exploits writes that he already publicly demonstrated the exploits at the recent CanSecWest 2009 security conference. Until Apple has released an update to solve the problems, users are advised not to mount disk images originating from unknown sources.
See also:
- Recent Additions, Overview of the exploit for Mac OS X.
- Pwn2Own 2009: Safari, IE 8 and Firefox exploited, a report from The H.
(crve)