Is The New OS X DMG Threat Real?
Thomas Ptacek | November 22nd, 2006 | Filed Under: Apple, New Findings, Uncategorized
Hey, Matasano, Alastair Houghton and John Gruber are downplaying the DMG vulnerability!
Yes, of course they are. Don’t let it piss you off; they’re not talking to you.
They’re not?
No, they’re talking to their base; this is advocacy, not analysis. You’re a security professional. You’re already using a Mac. Just ignore them.
But Alastair says the DMG problem has been known for ages.
I believe him. These problems are bound to happen. Disk Images are a terrible idea.
They are? Why is that?
Attackers can’t normally talk to your kernel filesystem code. On Unix, they normally talk through the POSIX open/close/read/write system calls.
So?
So that POSIX API is really simple. It’s easy to test.
Filesystem code isn’t?
No. No it isn’t. Filesystem code is some of the hairiest in the operating system. Parsing, external trees and tables, concurrency, timers, asynchrony, caching, object lifetimes. Basically every secure programming obstacle there is. And to top that off, most filesystem code hasn’t been audited.
It hasn’t? Why not?
Because developers assume that attackers can’t touch the filesystem code directly, because attackers aren’t disks.
So Apple needs to audit the DMG filesystem code.
It’s not that simple. DMG is a metaformat. Apple needs to audit the code for every filesystem that DMGs support.
You don’t think they’ve done that?
Candidly, I’m not sure any operating system has audited all its filesystem code.
So Windows has this problem too.
Sort of. Like we said a few weeks ago, you can attack the Windows FAT32 and NTFS code with malicious USB disks, which are trivial to create.
So… Windows has this problem too.
Not really.
Huh? Why not?
Because you’re 2000 miles away and I can’t stick a USB drive into your computer.
Well, Alastair says Windows is going to support downloadable disk images soon.
That would be dumb of them. What problem do metaformat disk images solve? What problem do downloadable images of feature-rich filesystems like NTFS solve? I buy that the Mac has metadata problems it needs to solve to let you just drag folders into Applications (though DMGs weren’t the right solution for that problem), but why would any other OS want to repeat that mistake?
For the time being, remote filesystem vulnerabilities are “Designed by Apple in California.”
But Alastair says Unix has this problem too.
Unix won’t even let non-root users call chroot so they can pretend to have their own filesystems. But if you’re root, you can make Unix do just about anything.
Alastair says this is all exaggerated anyways. It’s just a crash, not an exploit.
You know what? He might be right. I read the MOKB advisory pretty closely. The advisory says it allows remote code execution. But I don’t see it. I see a bad, unaligned VM address being faulted, but it’s not a wild address. In a good advisory I’d want to see what values are under the control of the attacker, and this one doesn’t have that detail. Maybe the VM address is bad because it’s nudged by an offset value the attacker controls; then it’s game over. But maybe the VM address is bad because the test case causes an object to get freed, retained, overwritten, and used later; then it’s harder to see an exploit.
In English?
This is an exasperating advisory. Right now, Alastair doesn’t know enough to suggest that this DMG problem is just a crasher, and I don’t know enough to suggest that it’s anything more than that.
Wait, aren’t all crashes potential code execution vulnerabilities?
Smart security people tend to assume the worst case when it comes to memory corruption, and they’re usually proved right in time. The Mozilla team, for instance, puts the “possible remote code execution” tag on all memory corruption bugs. It’s usually a safe assumption, but it’s not always true.
So we really don’t have much to worry about?
Of course we do. There is zero chance that there are no HFS+ filesystem vulnerabilities that allow code execution. None. Mac users should be scared of Disk Images, and careful never to open DMGs from untrusted sources.
Why aren’t they telling Mac users that?
It’s not Alastair and John’s job to educate you about security.
What’s their job?
To make you believe that Macs are better than Windows boxes, and that security is one of the reasons why.
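The whole exchange above turns on one detail: whether the bad VM address comes from an offset value the attacker controls. The example below is added here and is not part of the original post or of any Apple code; it shows what the missing check looks like in the kind of code that mounts a downloaded image. It parses a hypothetical, deliberately simplified container trailer (not the real DMG trailer layout; the format, field names, status codes and sample images are all assumptions made for this example) and validates every offset and length against the file size, with overflow-safe arithmetic, before any field is used as an index.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical, deliberately simplified image-container trailer used for
 * this example only (it is NOT the real DMG trailer layout). 32 bytes at
 * the very end of the file, all fields big-endian:
 *   0  magic     "IMGT"
 *   4  version   u32  (only 1 is understood)
 *   8  data_off  u64  offset of the embedded filesystem blob
 *  16  data_len  u64  length of that blob
 *  24  meta_off  u32  offset of a metadata region (e.g. a property list)
 *  28  meta_len  u32  length of that region
 * Every offset and length is attacker-controlled: the file came off the network. */
#define TRAILER_SIZE 32u
#define TRAILER_MAGIC "IMGT"

enum tr_status { TR_OK = 0, TR_TOO_SHORT = -1, TR_BAD_MAGIC = -2,
                 TR_BAD_VERSION = -3, TR_RANGE = -4, TR_OVERLAP = -5 };

struct trailer {
    uint32_t version;
    uint64_t data_off, data_len, meta_off, meta_len;
};

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static uint64_t rd64(const uint8_t *p) {
    return ((uint64_t)rd32(p) << 32) | rd32(p + 4);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static void wr64(uint8_t *p, uint64_t v) {
    wr32(p, (uint32_t)(v >> 32)); wr32(p + 4, (uint32_t)v);
}

/* True iff [off, off+len) lies inside a body of body_len bytes. Written as
 * "len <= body_len - off" so that off+len can never wrap around; computing
 * off+len first is the classic mistake that lets a huge offset pass the check. */
static int range_ok(uint64_t off, uint64_t len, uint64_t body_len) {
    return off <= body_len && len <= body_len - off;
}

/* Parse and fully validate the trailer before any field is used as an
 * address or index. Returns TR_OK or a negative tr_status. */
int parse_trailer(const uint8_t *img, size_t img_len, struct trailer *out) {
    if (img_len < TRAILER_SIZE) return TR_TOO_SHORT;
    const uint8_t *t = img + img_len - TRAILER_SIZE;
    if (memcmp(t, TRAILER_MAGIC, 4) != 0) return TR_BAD_MAGIC;

    struct trailer tr;
    tr.version = rd32(t + 4);
    if (tr.version != 1) return TR_BAD_VERSION;
    tr.data_off = rd64(t + 8);
    tr.data_len = rd64(t + 16);
    tr.meta_off = rd32(t + 24);
    tr.meta_len = rd32(t + 28);

    uint64_t body_len = img_len - TRAILER_SIZE;   /* bytes before the trailer */
    if (!range_ok(tr.data_off, tr.data_len, body_len)) return TR_RANGE;
    if (!range_ok(tr.meta_off, tr.meta_len, body_len)) return TR_RANGE;

    /* Two non-empty regions must not overlap; both are in range by now, so
     * the additions below cannot overflow. */
    if (tr.data_len && tr.meta_len &&
        tr.data_off < tr.meta_off + tr.meta_len &&
        tr.meta_off < tr.data_off + tr.data_len)
        return TR_OVERLAP;

    *out = tr;
    return TR_OK;
}

/* Build a constructed sample image: body_len zero bytes followed by a trailer
 * carrying the given fields. Returns the total length, or 0 if buf is too small. */
size_t make_image(uint8_t *buf, size_t cap, size_t body_len,
                  uint64_t data_off, uint64_t data_len,
                  uint32_t meta_off, uint32_t meta_len) {
    if (cap < body_len + TRAILER_SIZE) return 0;
    memset(buf, 0, body_len);
    uint8_t *t = buf + body_len;
    memcpy(t, TRAILER_MAGIC, 4);
    wr32(t + 4, 1);
    wr64(t + 8, data_off);
    wr64(t + 16, data_len);
    wr32(t + 24, meta_off);
    wr32(t + 28, meta_len);
    return body_len + TRAILER_SIZE;
}

int main(void) {
    uint8_t buf[256];
    struct trailer tr;
    size_t n = make_image(buf, sizeof buf, 128, 0, 64, 64, 32);
    printf("well-formed image:    %d\n", parse_trailer(buf, n, &tr));
    n = make_image(buf, sizeof buf, 128, 0, 64, 200, 32);
    printf("metadata past end:    %d\n", parse_trailer(buf, n, &tr));
    n = make_image(buf, sizeof buf, 128, UINT64_MAX - 8, 64, 0, 0);
    printf("wrapping data offset: %d\n", parse_trailer(buf, n, &tr));
    return 0;
}
```

The comparison is written as `len <= body_len - off` rather than `off + len <= body_len` because the second form wraps when the attacker supplies an offset near `UINT64_MAX`, and the sum then passes the check while the resulting pointer lands far outside the buffer: that is the "address nudged by an attacker-controlled offset" case the advisory may be describing. The same discipline has to hold for every on-disk structure inside each embedded filesystem, which is the much larger audit the post argues no vendor has finished.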