DMG Handling Vulnerabilities on MacOSX

Published: 2007-01-14
Last Updated: 2007-01-15 16:22:30 UTC
by Scott Fendley (Version: 3)
0 comment(s)
In the past week, the Month of the Apple Bugs website has shown a number of vulnerabilities with how MacOSX handles DMG files.  DMG files are the Macintosh OS X Disk Copy Disk Image Files and similar to ISO images.  As they can be mounted, read, opened using various software packages (such as the Safari web browser and the command line utilities like hdiutil), specially crafted forms of this file may cause denial of service attacks, and remote execution flaws.

Of particular note, on January 10 a vulnerability was identified which could allow attackers to execute arbitrary commands.  This is caused by a flaw in the ffs_mountfs() function when handling specially crafted DMG files.  The Safari web browser can be used as a conduit for exploitation of this and other DMG vulnerabilities.  I would assume that alternate browsers on MacOSX, do not have the same support for this format enabled by default.  But if the attacker tricks the user to download the specially crafted image file, then I would suspect exploitation could occur through other installed software.

While Apple computers is correcting for the vulnerabilities, I would recommend that you  disable the "open safe files after downloading" option in Safari preferences.  I would also be cautious handling DMG files with any other applications on MacOSX.

For more information on all of the Apple DMG vulnerabilities released so far, please see:
Apple DMG HFS+ do_hfs_truncate() Denial of Service Vulnerability
Apple DMG UFS  ufs_lookup() Denial of Service Vulnerability
Apple DMG UFS byte_swap_sbin() Integer Overflow Denial of Service Vulnerability
Apple DMG UFS ffs_mountfs() Integer Overflow DoS and/or Code Execution Vulnerability
Apple Finder DMG Volume Name Memory Corruption  DoS and/or Code Execution Vulnerability

For more information on the ffs_mountfs() vulnerability, please see:
0 comment(s)


Diary Archives