OS X 10.11.1 (El Capitan) File System Deep Directory Buffer Overflow

Published: 2015-10-23
Last Updated: 2015-10-23 15:52:37 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Maksymilian Arciemowicz of CXSECURITY released an advisory showing an unpatched buffer overflow in Apple's FTS library [1]. The "FTS" function is used by commands like "ls" and "cd" on Unix/BSD systems to traverse the file system. The exploit does not appear to present a serious threat right now as it requires an authenticated user on the system with the ability to create directories. It doesn't appear to lead to privilege escalation.

In order to trigger the vulnerability, the attacker will have to create a very deep set of subdirectories. Maksymilian creates 1024 with a simple bash script. While creating these directories, an error message, "cd: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory" will be displayed.

After returning to the top of the nested subdirectory structure, a recursive "ls -laR" will lead to a segmentation fault.

The impact of this vulnerability is likely small as it is not exploitable remotely and requires a user to be already logged in. But Maksymilian notes that man AV tools will miss binaries located more then 512 directories deep in such a nested file system, so it could be used to hide malware. 

[1] https://cxsecurity.com/issue/WLB-2015100149

Johannes B. Ullrich, Ph.D.

0 comment(s)


Diary Archives