Local DOS in MacOS X
About 6 months ago I found a security hole in all versions of MacOS X,
making it vulnerable to a local DoS attack. I've experimented a bit and
found nothing fun to do with it except bringing the computer down. Now
I just feel I've sat on this shit too long, so here goes:
There is something wrong in the way that the system handles arguments
to MacOS applications from the command line. The same thing happens with
all applications that come with the default installation and all
others that I've tried.
If I do:
[Gaz:~] gustaf% Applications/TextEdit.app/Contents/MacOS/TextEdit `perl -e"print 'a' x 100000"`
Word too long.
The terminal hangs. This is csh crashing and doesn't do anything to the
rest of the system.
If I start bash and do the same thing I get:
bash: /Applications/TextEdit.app/Contents/MacOS/TextEdit: Argument list
Now. If I do the same thing with 50000 a's instead, the program
TextEdit will start up (or i will get a no-windowserver-error if done
If I narrow it down by guessing I will find a single number where,
instead of starting TextEdit or saying "too long", the terminal will
hang. So will the rest of the system. Stone dead. Nothing in the logs.
No telling why.
This "magic" number of bytes that crashes the system is found somewhere
between 50000 and 70000 depending on which program you use to exploit
and just plain coincidence.
I've tested on OS X 10.0.4, 10.1.5 and 10.2.2 on 4 different computers.
I've done it through Terminal, >console and via ssh. Same result.
That's it folks. Sorry for not submitting a better bugreport.
Independent OS X geek
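The narrowing-down step above (find the exact argument length at which the behaviour changes) is easier and more informative to do with a small probe than by guessing at the shell prompt, because the shell adds its own limits ("Word too long" is csh rejecting the word before any exec happens) on top of the kernel's. The program below is an added example, not code from the original post: it forks, execs a target binary with a single argument of a chosen length, and reports the errno the kernel returned from execve (E2BIG when the argument is rejected), then bisects between a known-good and a known-bad length to find the largest accepted length. It assumes /bin/true or /usr/bin/true exists (the assumed path is checked at runtime); the target path, the search bounds and the helper names are this example's own choices. It measures the exec boundary on the machine it runs on; it does not claim to reproduce the hang reported above.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pick a harmless target binary (assumption: one of these exists). */
static const char *true_path(void) {
    if (access("/bin/true", X_OK) == 0) return "/bin/true";
    return "/usr/bin/true";
}

/* Exec `path` with one argument of `len` bytes of 'a'.
 * Returns 0 if execve succeeded (the child ran and exited),
 * the child's errno (e.g. E2BIG) if execve failed,
 * or -1 if the probe itself could not be set up. */
static int try_exec_arglen(const char *path, size_t len) {
    int pfd[2];
    if (pipe(pfd) != 0) return -1;
    char *arg = malloc(len + 1);
    if (arg == NULL) { close(pfd[0]); close(pfd[1]); return -1; }
    memset(arg, 'a', len);
    arg[len] = '\0';

    pid_t pid = fork();
    if (pid < 0) { free(arg); close(pfd[0]); close(pfd[1]); return -1; }
    if (pid == 0) {
        /* Child: the write end closes on a successful exec, so the parent
         * reads 0 bytes on success and an errno value on failure. */
        close(pfd[0]);
        fcntl(pfd[1], F_SETFD, FD_CLOEXEC);
        char *argv[] = { (char *)path, arg, NULL };
        char *envp[] = { NULL };   /* empty environment: only argv counts */
        execve(path, argv, envp);
        int err = errno;
        (void)write(pfd[1], &err, sizeof err);
        _exit(127);
    }

    close(pfd[1]);
    free(arg);
    int err = 0;
    ssize_t n = read(pfd[0], &err, sizeof err);
    close(pfd[0]);
    int status;
    waitpid(pid, &status, 0);
    return (n == (ssize_t)sizeof err) ? err : 0;
}

/* Binary search for the largest single-argument length that execve accepts.
 * Precondition: `lo` is known to succeed and `hi` is known to fail. */
static size_t find_arg_limit(const char *path, size_t lo, size_t hi) {
    while (hi - lo > 1) {
        size_t mid = lo + (hi - lo) / 2;
        if (try_exec_arglen(path, mid) == 0) lo = mid; else hi = mid;
    }
    return lo;
}

int main(void) {
    const char *path = true_path();
    size_t hi = (size_t)1 << 24;   /* 16 MiB: assumed to exceed any sane limit */
    if (try_exec_arglen(path, hi) != E2BIG) {
        fprintf(stderr, "%zu-byte argument was not rejected with E2BIG\n", hi);
        return 1;
    }
    size_t limit = find_arg_limit(path, 16, hi);
    printf("largest accepted single argument: %zu bytes\n", limit);
    printf("%zu bytes -> errno %d (%s)\n", limit + 1,
           try_exec_arglen(path, limit + 1), strerror(E2BIG));
    return 0;
}
```

Each probe is a separate child, so a length that makes the exec fail cleanly is reported as an errno rather than as a shell message; a length that makes the machine misbehave would show up as the probe itself stalling at that iteration, which is the number you would want in a bug report.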