
Look at you, all cuddled up with your Leopard install, sipping on a steamy hot cocoa, watching the snow fall outdoors, and thinking you don't have a care in the world. We hate to break it to ya but you do have a care, a big one, thanks to a proof of concept hack exploiting a buffer overflow in MacOS 10.5 and 10.6. The flaw has been known about since June, but only now has it been proven to work on Cupertino's latest, and a very straightforward code example of how to use it has been posted online. You know what that means: watch out for those e-mail attachments. Interestingly, the flaw is also said to possibly exist in the PS3 as well, which could make for a very interesting spring -- cocoa or no.
meh
So I have compiled and run both of the code fragments from the linked site and the programs ran without giving the bus errors the article would lead me to expect.
Has this been fixed but Apple didn't mention it in the update release notes?
@Jack *Facepalm while whispering, "Dumbass..."
@iKurtz
Are you roleplaying in Engadget's comment section?
Nobody here ever had a virus, and experts say 95% of the users are unaware they are infected, but I'm sure there is no correlation.
I also like the tons of people who don't run any protection and say they never have a virus, which they know by the means of religious (or republican) 'faith' I guess?
As for Apple, Apple has more than once patched OS X for security reasons. They aren't immune, and neither is Linux; it's just harder to hack, and the rank stupidity you see in Windows isn't maintained for decades like MS does before even considering fixing it.
The number of routines without any sanity checking on their input in Windows is best described as 100% at the start, and then every single routine is patched until the next one is abused, then that is patched, and on and on, for years and years.
@Wwhat 99% of the 95% of the "experts" are trying to sell you an anti-virus program. You listen unquestioning to advertisements and paid endorsements, no wonder you own a mac.
@SirNoDroin
Although it's true many virus-killer producers produce scare stories on a regular basis, there are also reports from other parties, people that manage the backbones and such, and from trials, like that spammer who's on trial in Australia who mailed 1 billion spam mails a day, and he could by using infected machines, because obviously that won't work from one connection.
Also, I never owned a Mac and probably never will; the whole OS X experience is too stifling for the likes of me. I say probably since Windows is trying to become like OS X, and the more they succeed the more they alienate me, but there's always Linux, although I find that a bit clunky, and lacking in the games department of course.
@AndyTemp
I did the same thing and then saw your comments. I don't see this as an issue in MacOSX 10.6.2. Can someone confirm this as an actual exploit?
@shakespeerMT
It's a proof of concept, there is no actual exploit.
@Jack - yeah, Jack, keep saying that till one day...
@johnguy
If there's an exploit, you're welcome to show it to me. Go ahead, link it. If not, then what day do you think this exploit will be coming out? I mean somebody could write a trojan for it and start sending it out to people, but it's not like it would be able to run on its own.
The buffer overflow has been known about since June. Still no actual exploits. How much longer should we wait?
@shakespeerMT
First a hacker finds a piece of code that doesn't check the (usually) text input isn't longer than it expects and writes over memory that it should not. This is a buffer overflow.
Then the hacker finds the particular piece of text that overwrites the particular bit of memory so as to alter the code to do what the hacker wants to do.
Then he has to get a program on a vulnerable system to take his input and pass it to the particular subroutine. He can hope that there is a service already running and listening to the internet for input, or more likely he can get the user of the machine to visit a website he has created that uses a plugin or JavaScript or other device that makes the computer call the vulnerable subroutine with his input.
This proof of concept claims that it has found the first part of this. I have tried to verify this but the code presented doesn't do as the writer of the article claims.
This looks like a non-starter to me.
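The first of the three steps above (and the "sanity checking on its input" Wwhat complains about further up) comes down to one missing length check. As an added example that is not code from the linked proof of concept or from any commenter, here is that check in C: a routine with the defect next to a bounded one. The function names, the 16-byte buffer size and the sample strings are all assumptions of mine.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* assumed buffer size for the example */

/* Vulnerable shape: copies whatever it is given into a fixed-size stack
 * buffer with no check on the length. Any input longer than NAME_LEN-1
 * bytes writes past the end of 'name'; that overwrite is the buffer
 * overflow described above. It is kept here only to show the defect and
 * is never called with over-long input in this example. */
int handle_unchecked(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);           /* no bounds check: the defect */
    return (int)strlen(name);
}

/* Hardened shape: measure first, refuse input that would not fit (leaving
 * room for the NUL terminator), then copy with an explicit bound.
 * Returns -1 when the input is rejected, otherwise the bytes stored. */
int handle_checked(const char *input)
{
    char name[NAME_LEN];
    size_t len = strlen(input);
    if (len >= sizeof name)
        return -1;                 /* would overflow: reject, do not copy */
    memcpy(name, input, len);
    name[len] = '\0';
    return (int)len;
}

/* The same check on its own, so a caller can ask "does this fit?" before
 * any copy happens. Returns 1 if it fits, 0 if it would overflow. */
int input_fits(const char *input, size_t bufsize)
{
    return strlen(input) < bufsize;
}

int main(void)
{
    /* constructed sample inputs */
    const char *short_in = "alice";
    const char *long_in  = "this string is far longer than sixteen bytes";

    printf("short: checked=%d unchecked=%d\n",
           handle_checked(short_in), handle_unchecked(short_in));
    printf("long:  checked=%d (rejected), fits=%d\n",
           handle_checked(long_in), input_fits(long_in, NAME_LEN));
    /* handle_unchecked(long_in) is deliberately not run: it would
     * overwrite the stack past 'name', which is the bug being shown. */
    return 0;
}
```

The point of the pair is that the only difference is the `len >= sizeof name` test: the hardened routine never touches memory it does not own, whatever the input length, which is exactly what the commenters report the shipped dynamic library already does.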
@AndyTemp
I am well-versed in the idea of a buffer-overflow-based attack. I am simply confirming that neither piece of code supplied by the author of the exploit actually causes a buffer overflow.
My guess is that Apple has already identified this or has implemented checks before the "bad" code is executed -- perhaps in their printf implementation, for example.
I suppose it doesn't mean that the vulnerability isn't there, but if there isn't a way to reach it programmatically then this is not worth discussing. The only way to get this to work might be to find the exact memory location of that method in the kernel and access it via the memory address rather than through the SDK. It's a long shot at best.
@shakespeerMT
I appreciate that you may know how buffer overruns can be a problem
(http://insecure.org/stf/smashstack.html)
Rather, that there is an old static library hanging round *not in memory* that still has the vulnerable code, but it isn't called by any programs that are linked against the dynamic library that is the default. The dynamic lib seems to be fine.
Dunno what that old static lib is though...
Does this mean anything for my 10.4 Tiger machine, or is it only for the Leopards?
Also, I'm glad to see this potential defect out in the open, because it probably means we'll get a security update this week to fix it.
@(Unverified)
10.6.3 has been expected as a Jan release for a while now.
They're just gonna release that stuff around the same time as the tablet.
... since June '09? Must be an invisible worm or such, because nobody has complained since that time!
@Jack
STFU
One Virus I don't get on a PC :D
Alright hackers, so I can't use my Windows, or my Mac, OR my PS3...but you don't have a virus for my carrier pigeons!
...
What? Bird flu?
...
DAMN YOU HACKERS!
AHHH!
Ok... Just don't open any emails. Simple.
Only about 9999 more viruses and it will be equal with PC.
"Patch your OS. Not that big of a deal."
Steve Jobs
What's the big fuss? Windows users have been at risk from these things since Genesis!!!!
lol omg... I'm sure Apple will find a fix for this... c'mon
@JW
Good comeback. Do you write for Leno?
@Jack iPhone has built-in GPS and compass
Don't worry Microsoft fans, you're not being left out of the vulnerability party!
http://www.wired.com/threatlevel/2010/01/hack-of-adob
(of course, this actually can be and has been used against real people right now, rather than this mere concept)
Well, I can't seem to find a source that says a Trojan requires user interaction to start the infection. What I do find is that a Trojan can masquerade as a useful program to a user. But that does not mean it requires user interaction.
But technically, if I put on, say, Firefox with NoScript, and beef up my overall OS security, wouldn't almost everything require user interaction, and thus all viruses become Trojans by Jack's definition?
Say I go to a website; with NoScript up nothing can run unless I ALLOW it to run. Or I go to an internet cafe; the only way people could access my computer, even via the internet, is if I turn on my wireless adapter... hell, even turn on my laptop. Which all requires my input and my acceptance.
So if you say a Trojan requires me to do something wrong, then doesn't a virus?
Sophos article which defines their meaning of a Trojan:
http://www.sophos.com/pressoffice/news/articles/2006/02/macosxleap.html
Wikipedia's:
http://en.wikipedia.org/wiki/Trojan_horse_(computing)
Note neither of them says the user has to actually interact with them.