The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
High
PR
The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
===================================================================
Mac OS X WebDAV kernel extension local denial-of-service
July 26, 2010
CVE-2010-1794
===================================================================
==Description==
"Web-based Distributed Authoring and Versioning, or WebDAV, is a set
of extensions to the Hypertext Transfer Protocol that allows computer
users to edit and manage files collaboratively on remote World Wide
Web servers." [1]
Mac OS X supports WebDAV shares natively as a filesystem, implemented
as a kernel extension. Local users can mount WebDAV shares using the
"mount_webdav" utility included in most default installations.
The WebDAV kernel extension is vulnerable to a denial-of-service issue
that allows a local unprivileged user to trigger a kernel panic due to
a memory overallocation. This vulnerability has been verified with
proof-of-concept code. The vulnerable code is in the webdav_mount()
function, and reads as:
MALLOC(fmp->pm_socket_name, struct sockaddr *, args.pa_socket_namelen,
M_TEMP, M_WAITOK);
"args" is a user-controlled struct provided as an argument to a
request to mount a WebDAV share, and there is no checking of the
"pa_socket_namelen" field. If a user were to issue a mount request
with a very large value for this field, this will trigger a kernel
panic, since in BSD-based kernels (such as XNU), MALLOC() with
M_WAITOK will result in a panic when the requested memory cannot be
allocated.
==Notes on Disclosure==
My disclosure of this issue prior to an official fix is not meant to
be taken as a statement against Apple's management of security issues.
Local denial-of-service issues are by nature low impact - many
security teams do not regard these as security-relevant at all. I
believe the chances of exploitation of this in real life are
practically non-existent. Given that the vulnerability resides in an
open source kernel extension, I chose to disclose this issue so that
concerned administrators can apply a fix immediately, while the rest
of us can benefit from a little increased awareness of potentially
unsafe memory allocation situations. Apple's security team was
contacted prior to disclosure, and I'm sure they'll incorporate a fix
in a future release.
==Solution==
The WebDAV kernel extension can be obtained online [2]. The following
patch can be applied to this extension, after which it should be
recompiled to replace the existing extension at
/System/Library/Extensions/webdav_fs.kext:
--- webdav_fs.kextproj.orig/webdav_fs.kmodproj/webdav_vfsops.c
2010-07-21 09:51:09.000000000 -0400
+++ webdav_fs.kextproj/webdav_fs.kmodproj/webdav_vfsops.c
2010-07-21 10:32:43.000000000 -0400
@@ -319,6 +319,12 @@ static int webdav_mount(struct mount *mp
}
/* Get the server sockaddr from the args */
+ if(args.pa_socket_namelen > NAME_MAX)
+ {
+ error = EINVAL;
+ goto bad;
+ }
+
MALLOC(fmp->pm_socket_name, struct sockaddr *,
args.pa_socket_namelen, M_TEMP, M_WAITOK);
error = copyin(args.pa_socket_name, fmp->pm_socket_name,
args.pa_socket_namelen);
if (error)
==Credits==
This vulnerability was discovered by Dan Rosenberg (dan.j.rosenberg (at) gmail (dot) com [email concealed]).
==References==
CVE identifier CVE-2010-1794 has been assigned to this issue by Apple.
[1] http://en.wikipedia.org/wiki/WebDAV
[2] http://opensource.apple.com/source/webdavfs/webdavfs-293/webdav_fs.kextp
roj/webdav_fs.kmodproj/