Advertisement






Mac OS X WebDAV kernel extension local denial-of-service

CVE Category Price Severity
CVE-2010-1794 CWE-264 N/A High
Author Risk Exploitation Type Date
Unknown High Local 2010-08-10
CPE
cpe:cpe:/o:apple:mac_os_x
CVSS EPSS EPSSP
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2010080105

Below is a copy:

===================================================================
Mac OS X WebDAV kernel extension local denial-of-service
July 26, 2010
CVE-2010-1794
===================================================================

==Description==

"Web-based Distributed Authoring and Versioning, or WebDAV, is a set
of extensions to the Hypertext Transfer Protocol that allows computer
users to edit and manage files collaboratively on remote World Wide
Web servers." [1]

Mac OS X supports WebDAV shares natively as a filesystem, implemented
as a kernel extension. Local users can mount WebDAV shares using the
"mount_webdav" utility included in most default installations.

The WebDAV kernel extension is vulnerable to a denial-of-service issue
that allows a local unprivileged user to trigger a kernel panic due to
a memory overallocation. This vulnerability has been verified with
proof-of-concept code. The vulnerable code is in the webdav_mount()
function, and reads as:

MALLOC(fmp->pm_socket_name, struct sockaddr *, args.pa_socket_namelen,
M_TEMP, M_WAITOK);

"args" is a user-controlled struct provided as an argument to a
request to mount a WebDAV share, and there is no checking of the
"pa_socket_namelen" field. If a user were to issue a mount request
with a very large value for this field, this will trigger a kernel
panic, since in BSD-based kernels (such as XNU), MALLOC() with
M_WAITOK will result in a panic when the requested memory cannot be
allocated.

==Notes on Disclosure==

My disclosure of this issue prior to an official fix is not meant to
be taken as a statement against Apple's management of security issues.
 Local denial-of-service issues are by nature low impact - many
security teams do not regard these as security-relevant at all. I
believe the chances of exploitation of this in real life are
practically non-existent. Given that the vulnerability resides in an
open source kernel extension, I chose to disclose this issue so that
concerned administrators can apply a fix immediately, while the rest
of us can benefit from a little increased awareness of potentially
unsafe memory allocation situations. Apple's security team was
contacted prior to disclosure, and I'm sure they'll incorporate a fix
in a future release.

==Solution==

The WebDAV kernel extension can be obtained online [2]. The following
patch can be applied to this extension, after which it should be
recompiled to replace the existing extension at
/System/Library/Extensions/webdav_fs.kext:

--- webdav_fs.kextproj.orig/webdav_fs.kmodproj/webdav_vfsops.c
2010-07-21 09:51:09.000000000 -0400
+++ webdav_fs.kextproj/webdav_fs.kmodproj/webdav_vfsops.c
2010-07-21 10:32:43.000000000 -0400
@@ -319,6 +319,12 @@ static int webdav_mount(struct mount *mp
 }

 /* Get the server sockaddr from the args */
+ if(args.pa_socket_namelen > NAME_MAX)
+ {
+  error = EINVAL;
+  goto bad;
+ }
+
 MALLOC(fmp->pm_socket_name, struct sockaddr *,
args.pa_socket_namelen, M_TEMP, M_WAITOK);
 error = copyin(args.pa_socket_name, fmp->pm_socket_name,
args.pa_socket_namelen);
 if (error)

==Credits==

This vulnerability was discovered by Dan Rosenberg (dan.j.rosenberg (at) gmail (dot) com [email concealed]).

==References==

CVE identifier CVE-2010-1794 has been assigned to this issue by Apple.

[1] http://en.wikipedia.org/wiki/WebDAV
[2] http://opensource.apple.com/source/webdavfs/webdavfs-293/webdav_fs.kextp
roj/webdav_fs.kmodproj/



Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.