Mac OS X Proof Of Concept Exploit Code Published
The software has the ability to create a new system volume, call to some OS functions, and change the user ID, without administrative privileges.
Proof-of-concept exploit code has been posted online for six kernel vulnerabilities, five of which affect Mac OS X 10.5.6, the most current version of Apple's operating system software.
The vulnerabilities were discussed at CanSecWest 2009 last week during a talk about security flaws in the FreeBSD, Mac OS X, and Solaris kernels by security researchers Christer Oberg and Neil Kettle of Convergent Network Solutions.
More Hardware Insights
- The Critical Importance of High Performance Data Integration for Big Data Analytics
- Technology Economics with Linux Consolidation
- Top 10 Considerations for Getting Started with Virtualization
- Don't Get Stuck on your Virtualization Journey: Where to Focus Next
One of them, a local kernel root exploit in FreeBSD 7.0/7.1, has been patched.
The five that affect Mac OS X, which uses the Mach kernel and incorporates portions of FreeBSD Unix, remain unpatched.
In an e-mail, Kettle explained that the vulnerabilities exploited were not disclosed to Apple when they were found and remained private until they were published to Milw0rm.com on Monday. He said no one has yet complained about the disclosure of the vulnerabilities, noting that in his experience, kernel bugs are not as serious as other vulnerabilities. "We wanted to show how easy it still is to break production kernels in well-used operating systems," he said.
Inaki Urzay, CTO of Panda Security, said the proof-of-concept code isn't an immediate threat but that it could be in the future. "The vulnerabilities are proofs of concept that demonstrate the code can take control of a machine, either via creating a privilege escalation modifying the users or launching DoS local attacks against the PC," he said in an e-mail. "The proof of concept code has the ability to create a new system volume, call to some OS functions, change the user ID, and so on, without administrative privileges."
The PoC code is designated as follows: 1) Mac OS X xnu <= 1228.3.13 (zip-notify) Remote Kernel Overflow PoC; 2) Mac OS X xnu <= 1228.3.13 (macfsstat) Local Kernel Memory Leak/DoS; 3) Mac OS X xnu <= 1228.3.13 (profil) Kernel Memory Leak/DoS PoC; 4) Mac OS X xnu <=1228.x (vfssysctl) Local Kernel DoS PoC; and 5) Mac OS X xnu <= 1228.x (hfs-fcntl) Local Kernel Root Exploit.
Kettle offered the following explanations for the five exploits: