what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Mac OS X WebDAV Kernel Extension Denial Of Service

Mac OS X WebDAV Kernel Extension Denial Of Service
Posted Jul 26, 2010
Authored by Dan Rosenberg

The Mac OS X WebDAV kernel extension is vulnerable to a denial of service issue that allows a local unprivileged user to trigger a kernel panic due to a memory overallocation.

tags | advisory, denial of service, kernel, local
systems | apple, osx
advisories | CVE-2010-1794
SHA-256 | d6f15be99289fd0bcf6c81b9793b54371556cccddb48c1a7ecd9884a927c66d7

Mac OS X WebDAV Kernel Extension Denial Of Service

Change Mirror Download
===================================================================
 Mac OS X WebDAV kernel extension local denial-of-service
 July 26, 2010
 CVE-2010-1794
===================================================================

==Description==

"Web-based Distributed Authoring and Versioning, or WebDAV, is a set
of extensions to the Hypertext Transfer Protocol that allows computer
users to edit and manage files collaboratively on remote World Wide
Web servers." [1]

Mac OS X supports WebDAV shares natively as a filesystem, implemented
as a kernel extension.  Local users can mount WebDAV shares using the
"mount_webdav" utility included in most default installations.

The WebDAV kernel extension is vulnerable to a denial-of-service issue
that allows a local unprivileged user to trigger a kernel panic due to
a memory overallocation.  This vulnerability has been verified with
proof-of-concept code.  The vulnerable code is in the webdav_mount()
function, and reads as:

MALLOC(fmp->pm_socket_name, struct sockaddr *, args.pa_socket_namelen,
M_TEMP, M_WAITOK);

"args" is a user-controlled struct provided as an argument to a
request to mount a WebDAV share, and there is no checking of the
"pa_socket_namelen" field.  If a user were to issue a mount request
with a very large value for this field, this will trigger a kernel
panic, since in BSD-based kernels (such as XNU), MALLOC() with
M_WAITOK will result in a panic when the requested memory cannot be
allocated.

==Notes on Disclosure==

My disclosure of this issue prior to an official fix is not meant to
be taken as a statement against Apple's management of security issues.
Local denial-of-service issues are by nature low impact - many
security teams do not regard these as security-relevant at all.  I
believe the chances of exploitation of this in real life are
practically non-existent.  Given that the vulnerability resides in an
open source kernel extension, I chose to disclose this issue so that
concerned administrators can apply a fix immediately, while the rest
of us can benefit from a little increased awareness of potentially
unsafe memory allocation situations.  Apple's security team was
contacted prior to disclosure, and I'm sure they'll incorporate a fix
in a future release.

==Solution==

The WebDAV kernel extension can be obtained online [2].  The following
patch can be applied to this extension, after which it should be
recompiled to replace the existing extension at
/System/Library/Extensions/webdav_fs.kext:

--- webdav_fs.kextproj.orig/webdav_fs.kmodproj/webdav_vfsops.c
2010-07-21 09:51:09.000000000 -0400
+++ webdav_fs.kextproj/webdav_fs.kmodproj/webdav_vfsops.c
2010-07-21 10:32:43.000000000 -0400
@@ -319,6 +319,12 @@ static int webdav_mount(struct mount *mp
     }

     /* Get the server sockaddr from the args */
+    if(args.pa_socket_namelen > NAME_MAX)
+    {
+        error = EINVAL;
+        goto bad;
+    }
+
     MALLOC(fmp->pm_socket_name, struct sockaddr *,
args.pa_socket_namelen, M_TEMP, M_WAITOK);
     error = copyin(args.pa_socket_name, fmp->pm_socket_name,
args.pa_socket_namelen);
     if (error)


==Credits==

This vulnerability was discovered by Dan Rosenberg (dan.j.rosenberg@gmail.com).

==References==

CVE identifier CVE-2010-1794 has been assigned to this issue by Apple.

[1] https://en.wikipedia.org/wiki/WebDAV
[2] https://opensource.apple.com/source/webdavfs/webdavfs-293/webdav_fs.kextproj/webdav_fs.kmodproj/
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close