'Apple libc incomplete fix of Security Update for OS X El Capitan 10.11.2'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Apple libc incomplete fix of Security Update for OS X El Capitan 10.11.2
From:       submit () cxsec ! org
Date:       2016-08-26 11:32:17
Message-ID: 201608261132.u7QBWH1G032503 () sf01web3 ! securityfocus ! com
[Download RAW message or body]

--------------------------------------------------------------------------------
Apple libc incomplete fix of Security Update for OS X El Capitan 10.11.2
Credit: Maksymilian Arciemowicz from CXSECURITY.COM
URL: https://cxsecurity.com/issue/WLB-2016080232
--------------------------------------------------------------------------------

Apple tried to fix security issue in file system (FTS) libc implementation but \
doesn't patch it completely. Let's back to the security advisory

https://support.apple.com/en-us/HT205637
----------------------------------------
libc
Available for: OS X El Capitan v10.11 and v10.11.1
Impact: Processing a maliciously crafted package may lead to arbitrary code execution
Description: Multiple buffer overflows existed in the C standard library. These \
issues were addressed through improved bounds checking. CVE-ID
CVE-2015-7038
CVE-2015-7039 : Maksymilian Arciemowicz (CXSECURITY.COM)
----------------------------------------

it's only one part of reported weaknesses what should be fix by Apple. They fixed \
multiple buffer overflow but not all out of memory read. Improper security \
implementation of file system may lead to a few kinds of attacks



--------------------------------------------------------------------------------
1. AV Tools and file system deep directory
The first weakness what Apple should repair is ability of hiding malicious code in \
external/internal media drive or DMG package. Many AV tools will skip files located \
in directory deeper then 1024 levels, so it could be used to hide malware by attacker \
during classic AV scanning. I contacted with one of vendors and they indicate Apple \
as responsible for repair this bug. To show this issue in practice, you can compare \
the two DMG files. One is with content of exploits from metasploit in directory \
located in 1024 level of directory tree

DMG mounted and threats detected by AVG, ESET, Norton AV during folder scanning mode
https://cxsecurity.com/exploits/mac10116expl/10116metaExploits.dmg

The same content but in deep file hierarchy 1024 directories. Classic directory \
scanning by AV tool couldn't detect the threats.  \
https://cxsecurity.com/exploits/mac10116expl/10116hideContents.dmg



--------------------------------------------------------------------------------
2. Out of memory reading in libc
The next issue recognised in the latest MacOSX is out-of-bounds read. Apple tried fix \
all buffer overflows but it looks like that's not all. In Apple code there is still a \
few weak points of memory management. For example 'ls' and 'find' command and Apple's \
libc. To easier explain this weakness (CWE-125) let's use this special crafted DMG \
with deep file system.

$ wget https://cxsecurity.com/exploits/mac10116expl/10116outofread.dmg
..
$ hdiutil attach 10116outofread.dmg 
..
$ valgrind ls -laR /Volumes/PoC1_CXSECURITY >>/dev/null
..
==5687== Invalid read of size 1
==5687==    at 0x1000116BF: strlen (in \
/usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \
==5687==    by 0x100323A4B: __vfprintf (in /usr/lib/system/libsystem_c.dylib) \
==5687==    by 0x10034C6C0: __v2printf (in /usr/lib/system/libsystem_c.dylib) \
==5687==    by 0x100322381: vfprintf_l (in /usr/lib/system/libsystem_c.dylib) \
==5687==    by 0x10032021B: printf (in /usr/lib/system/libsystem_c.dylib) ==5687==    \
by 0x100001C4E: ??? (in /bin/ls) ==5687==    by 0x100001A6F: ??? (in /bin/ls)
==5687==    by 0x1002825AC: start (in /usr/lib/system/libdyld.dylib)
==5687==    by 0x2: ???
==5687==    by 0x104809B02: ???
==5687==    by 0x104809B05: ???
==5687==    by 0x104809B0A: ???
==5687==  Address 0x100b977f0 is 0 bytes inside a block of size 1,537 free'd
==5687==    at 0x100010920: realloc (in \
/usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \
==5687==    by 0x1002E1B06: fts_build (in /usr/lib/system/libsystem_c.dylib) ==5687== \
by 0x1002E2106: fts_children$INODE64 (in /usr/lib/system/libsystem_c.dylib) ==5687==  \
by 0x100001CB0: ??? (in /bin/ls) ==5687==    by 0x100001A6F: ??? (in /bin/ls)
==5687==    by 0x1002825AC: start (in /usr/lib/system/libdyld.dylib)
==5687==    by 0x2: ???
==5687==    by 0x104809B02: ???
==5687==    by 0x104809B05: ???
==5687==    by 0x104809B0A: ???
==5687==  Block was alloc'd at
==5687==    at 0x100010920: realloc (in \
/usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \
==5687==    by 0x1002E1B06: fts_build (in /usr/lib/system/libsystem_c.dylib) ==5687== \
by 0x1002E2106: fts_children$INODE64 (in /usr/lib/system/libsystem_c.dylib) ==5687==  \
by 0x100001CB0: ??? (in /bin/ls) ==5687==    by 0x100001A6F: ??? (in /bin/ls)
==5687==    by 0x1002825AC: start (in /usr/lib/system/libdyld.dylib)
==5687==    by 0x2: ???
==5687==    by 0x104809B02: ???
==5687==    by 0x104809B05: ???
==5687==    by 0x104809B0A: ???
==5687== 
..
==5687== Invalid read of size 1
==5687==    at 0x1000126C1: _platform_memmove$VARIANT$Ivybridge (in \
/usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \
==5687==    by 0x10031BEFC: __sfvwrite (in /usr/lib/system/libsystem_c.dylib) \
==5687==    by 0x100326652: __vfprintf (in /usr/lib/system/libsystem_c.dylib) \
==5687==    by 0x10034C6C0: __v2printf (in /usr/lib/system/libsystem_c.dylib) \
==5687==    by 0x100322381: vfprintf_l (in /usr/lib/system/libsystem_c.dylib) \
==5687==    by 0x10032021B: printf (in /usr/lib/system/libsystem_c.dylib) ==5687==    \
by 0x100001C4E: ??? (in /bin/ls) ==5687==    by 0x100001A6F: ??? (in /bin/ls)
==5687==    by 0x1002825AC: start (in /usr/lib/system/libdyld.dylib)
==5687==    by 0x2: ???


--------------------------------------------------------------------------------
References:
https://cxsecurity.com/issue/WLB-2015120089
https://cxsecurity.com/exploits/mac10116expl/10116metaExploits.dmg
https://cxsecurity.com/exploits/mac10116expl/10116hideContents.dmg
https://cxsecurity.com/exploits/mac10116expl/10116outofread.dmg
https://support.apple.com/en-us/HT205637
https://support.apple.com/en-us/HT205635
https://support.apple.com/en-us/HT205641
https://support.apple.com/en-us/HT205640
https://cxsecurity.com/issue/WLB-2015100149
https://cxsecurity.com/
https://cert.cx/

--------------------------------------------------------------------------------
Best Regards,
Maksymilian Arciemowicz ( https://cert.cx/ )
https://cxsecurity.com - Independent Information


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic