Alastair Houghton Debunks LMH MOKB Finding
Thomas Ptacek | November 30th, 2006 | Filed Under: Apple, New Findings, Uncategorized
Alastair Houghton, past Matasano sniping target, on LMH’s DMG finding:
Because of this, on the second pass through this loop, vm_fault() gets called with address set to point to a non-aligned address inside the first buffer held by the IODeblocker.
Note that it isn’t possible for it to point outside of this buffer, because the segment length, held in segLen, has to be in the range 0x1 ≤ segLen ≤ 0x1ff as it’s set up by the IODeblocker to buffer the misaligned part at the beginning of the read. The buffer itself is larger than that, so there’s no chance of any mischief because the ability of a potential attacker to set the address at which vm_fault() gets called is extremely restricted.
Anyway, it is the call to vm_fault() with a non-aligned address that is causing the kernel panic.
So, what have we learned:
It is not a memory overwrite bug.
It is not exploitable, except in that you can kernel panic a machine if you can persuade a user to double-click a damaged dmg file.
It is not, therefore, possible to use this bug for privilege elevation or to execute arbitrary code in the kernel.
Sometimes you pick on a Mac Zealot and they turn around and kick your ass for it. That’s what happened here. Alastair’s analysis is excellent. Hopefully he’ll do this again for other complicated Mac findings.
I apologize for conflating Alastair with Gruber. =) No, wait, I simply apologize to Alastair. Sorry.
An important takeaway point from this: DMGs are a high-risk feature, and one that OS X has substantially greater exposure to than other operating systems. What we had here was a flaw in the DMG loader code. Compared to the underlying filesystem code that runs when the DMG header itself is valid, the DMG code is simple stuff. Long story short: expect more DMG-style problems to come.
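As an added illustration (this is not Alastair’s code, nor Apple’s IODeblocker or vm_fault() implementation), here is a small C model of the two points his analysis makes: the misaligned head segment of a block read is bounded by one block, so the address handed to the fault routine can never leave the deblocker’s buffer, yet that same address can be unaligned and so trips a precondition that the real kernel enforces with a panic. The block size (0x200), the page-alignment requirement, the buffer base address and every function name here are constructed for the model.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model parameters: a 512-byte block device and 4 KiB pages. */
#define BLOCK_SIZE 0x200u
#define PAGE_BYTES 0x1000u

/* The deblocker's own buffer: a page-aligned base and a length larger than
 * one block, as the quoted analysis states. Values are constructed. */
typedef struct {
    uintptr_t base;  /* assumed page-aligned */
    size_t    len;   /* assumed > BLOCK_SIZE */
} deblock_buf;

/* Length of the misaligned head segment for a read that starts at `offset`
 * and spans `total` bytes. When the offset is not block-aligned this is
 * BLOCK_SIZE - (offset % BLOCK_SIZE), i.e. 0x1 <= segLen <= 0x1ff (the range
 * quoted on the page), clipped to the read size; it is 0 for aligned reads. */
static uint32_t head_seg_len(uint64_t offset, uint64_t total)
{
    uint32_t mis = (uint32_t)(offset % BLOCK_SIZE);
    if (mis == 0)
        return 0;
    uint32_t len = BLOCK_SIZE - mis;
    return (uint32_t)(len < total ? len : total);
}

/* Address inside the deblocker buffer where the head segment is staged. */
static uintptr_t head_seg_addr(const deblock_buf *b, uint64_t offset)
{
    return b->base + (uintptr_t)(offset % BLOCK_SIZE);
}

/* Containment argument: the staged segment [addr, addr + segLen) lies within
 * the buffer for every offset, because segLen + (offset % BLOCK_SIZE)
 * never exceeds BLOCK_SIZE and the buffer is larger than a block. */
static int head_seg_contained(const deblock_buf *b, uint64_t offset, uint64_t total)
{
    uintptr_t start = head_seg_addr(b, offset);
    uintptr_t end   = start + head_seg_len(offset, total);
    return start >= b->base && end <= b->base + b->len;
}

/* Stand-in for a routine that, like vm_fault() in the quoted analysis,
 * requires a page-aligned address. Instead of panicking it returns -1. */
static int fault_in(uintptr_t addr)
{
    if (addr & (PAGE_BYTES - 1))
        return -1;  /* the real kernel panics here */
    return 0;
}

/* Defensive variant: fault the page that contains the address rather than
 * the address itself, so the alignment precondition always holds. */
static int fault_in_page_of(uintptr_t addr)
{
    return fault_in(addr & ~(uintptr_t)(PAGE_BYTES - 1));
}

int main(void)
{
    deblock_buf buf = { 0x10000, PAGE_BYTES };  /* constructed buffer */
    uint64_t offsets[] = { 0x1000, 0x1001, 0x11ff, 0x1200 };

    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        uint64_t off = offsets[i];
        uintptr_t a = head_seg_addr(&buf, off);
        printf("offset 0x%llx: segLen=0x%x contained=%d fault_in=%d fault_in_page_of=%d\n",
               (unsigned long long)off, head_seg_len(off, PAGE_BYTES),
               head_seg_contained(&buf, off, PAGE_BYTES), fault_in(a), fault_in_page_of(a));
    }
    return 0;
}
```

Running it shows every offset staying inside the buffer (the "no memory overwrite" conclusion) while the unaligned offsets fail the raw alignment check and pass once the address is rounded to its page, which is the shape of fix the quoted bug calls for: a crash-only denial of service, not a write primitive.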