[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Local DOS in MacOS X

About 6 month I found a security hole in all versions of MacOS X, making it vulnerable to a local dos attack. I've experimented a bit and found nothing fun to do with it except bringing the computer down. Now I just feel I've sat on this shit to long, so here goes:

There is something wrong in the way that the system handles arguments to MacOS applications from the commandline. The same thing happens with all applications that comes with the default installation and all others that I've tried.
If i do:

[Gaz:~] gustaf% Applications/TextEdit.app/Contents/MacOS/TextEdit `perl -e"print 'a' x 100000"`
Word too long.

The terminal hangs. This is csh crashing and doesn't do anything to the rest of the system.
If i start bash and do the same thing I get:

bash: /Applications/TextEdit.app/Contents/MacOS/TextEdit: Argument list too long

Now. If i do the same thing with 50000 a's instead, the program TextEdit will start up (or i will get a no-windowserver-error if done through ssh). If I narrow it down by guessing I will find a single number where, instead of starting TextEdit or saying "too long", the terminal will hang. So will the rest of the system. Stone dead. Nothing in the logs. No telling why. This "magic" number of bytes that crashes the system is found somewhere between 50000 and 70000 depending on which program you use to exploit and just plain coincidence.

I've tested on OS X 10.0.4, 10.1.5 and 10.2.2 on 4 different computers. I've done it through Terminal, >console and via ssh. Same result everytime.

That's it folks. Sorry for not submitting a better bugreport.

Gustaf Josefsson
Independent OS X geek