2025-01-16 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
This article analyses the early warning about a buffer overflow in the Apple XNU kernel. The content is fairly detailed; interested readers can refer to it, and we hope it is helpful.
0x00 Event background
On 2018-10-31, Kevin Backhouse of the lgtm team published on the lgtm blog a detailed analysis of a buffer overflow triggered in the Apple XNU kernel when it handles malformed ICMP packets. The author states that he has already been able to directly reboot any affected device on the same LAN, and mentions that a proof-of-concept (PoC) for verification will be released later.
0x01 Affected versions
Apple iOS 11 and below: all devices
Apple macOS High Sierra 10.13.6 and below: all devices
Apple macOS Sierra 10.12.6 and below: all devices
Apple OS X El Capitan, all versions: all devices
0x02 Fix recommendations
Apple iOS 11 and below: update to iOS 12
Apple macOS High Sierra 10.13.6 and below: install Security Update 2018-001
Apple macOS Sierra 10.12.6 and below: install Security Update 2018-005
Apple OS X El Capitan, all versions: as of now Apple has not released a patch; upgrading to a newer version is recommended
0x03 Vulnerability verification
(Screenshot: before the packet is sent)
(Screenshot: after the packet is sent)
0x04 Vulnerability trigger point
Located at line 339 of bsd/netinet/ip_icmp.c in the released XNU source code:
    m_copydata(n, 0, icmplen, (caddr_t)&icp->icmp_ip);
According to the author's description, the code is in the function icmp_error, whose job is to generate an ICMP error message in response to an erroneous IP packet, as the ICMP protocol requires.
The ICMP message contains the header of the packet that caused the error, so the purpose of the m_copydata call on line 339 is to copy the header of the offending packet into the generated ICMP message. The problem is that there is no check that this header fits in the destination buffer, so the copy can overflow it.
The target buffer is an mbuf, the data type used to store incoming and outgoing network packets.
In this code, n is the incoming packet (containing untrusted data) and m is the outgoing ICMP packet.
As we will see, icp is a pointer into m. m is allocated on line 294 or line 296:
    if (MHLEN > (sizeof(struct ip) + ICMP_MINLEN + icmplen))
        m = m_gethdr(M_DONTWAIT, MT_HEADER);    /* MAC-OK */
    else
        m = m_getcl(M_DONTWAIT, MT_DATA, M_PKTHDR);
At line 314, mtod is used to obtain the data pointer of m:
    icp = mtod(m, struct icmp *);
mtod is just a macro, so this line does not check whether the mbuf is large enough to hold the icmp structure.
In addition, the data is not copied to icp but to icp->icmp_ip, which is at an offset of +8 bytes from icp.
The author did not debug the XNU kernel in detail.
Based on what he saw in the source code, the author believes that m_gethdr creates an mbuf that can hold 88 bytes, and is not sure about m_getcl.
In the author's actual experiment, the buffer overflow was found to trigger when icmplen >= 84.
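As an added example (not the page's or XNU's own code), the following user-space model shows the bounds check the copy on line 339 lacks: it computes the space the copy really needs, including the 8-byte offset of icmp_ip inside the ICMP header, and refuses the copy when that exceeds the buffer. The ICMP header layout and the fake mbuf are constructed stand-ins, and the 88-byte capacity used below is the author's estimate for m_gethdr, not a measured value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the BSD/XNU ICMP header layout: type, code,
 * checksum and a 4-byte union come first, so the quoted IP header
 * (icmp_ip) starts 8 bytes after the start of the structure. */
struct icmp_hdr {
    uint8_t  icmp_type;
    uint8_t  icmp_code;
    uint16_t icmp_cksum;
    uint32_t icmp_void;
    uint8_t  icmp_ip[];   /* header of the packet that caused the error */
};

/* Constructed stand-in for an mbuf data area with a fixed capacity. */
struct fake_mbuf {
    size_t  capacity;     /* bytes usable behind the data pointer */
    uint8_t data[256];
};

/* Bytes the copy actually needs: the quoted header does not land at icp
 * but at icp->icmp_ip, so the 8-byte offset must be counted as well. */
size_t quoted_copy_bytes_required(size_t icmplen)
{
    return offsetof(struct icmp_hdr, icmp_ip) + icmplen;
}

/* The missing check: would icmplen bytes written at icp->icmp_ip run
 * past the end of a buffer of the given capacity? */
bool quoted_copy_overflows(size_t capacity, size_t icmplen)
{
    return quoted_copy_bytes_required(icmplen) > capacity;
}

/* Bounds-checked replacement for the unchecked copy. Returns the number
 * of bytes copied, or -1 when the quoted header would not fit. */
int copy_quoted_header(struct fake_mbuf *m, const uint8_t *pkt, size_t icmplen)
{
    if (m->capacity > sizeof m->data || quoted_copy_overflows(m->capacity, icmplen))
        return -1;
    struct icmp_hdr *icp = (struct icmp_hdr *)m->data;
    memcpy(icp->icmp_ip, pkt, icmplen);
    return (int)icmplen;
}

/* Driver: a constructed 128-byte packet and a buffer of the given capacity.
 * Returns -1 if refused, -2 on a content mismatch, else bytes copied. */
int simulate_quoted_copy(size_t capacity, size_t icmplen)
{
    uint8_t pkt[128];
    for (size_t i = 0; i < sizeof pkt; i++) pkt[i] = (uint8_t)i;
    if (icmplen > sizeof pkt) return -1;
    struct fake_mbuf m = { .capacity = capacity };
    int rc = copy_quoted_header(&m, pkt, icmplen);
    if (rc < 0) return rc;
    return memcmp(m.data + 8, pkt, icmplen) == 0 ? rc : -2;
}
```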
This concludes the analysis of the Apple XNU kernel buffer overflow warning. We hope the above has been of some help and that you have learned something from it. If you think the article is good, please share it so that more people can see it.