How to escalate system privileges through the macOS disk management tool (diskmanagementd)

2025-03-13 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

In this issue, the editor looks at how system privileges can be escalated through macOS's disk management daemon. The article is detailed and analyses the issue from a professional point of view. I hope you get something out of reading it.

ZDI researcher "ccpwd" discovered a heap-based buffer overflow vulnerability in the macOS daemon "diskmanagementd". The diskmanagementd service is responsible for managing and partitioning disk drives, and users interact with it through Disk Utility. The service runs a Mach server and lets clients communicate with it (send and receive messages) over the Mach IPC interface. Through this RPC mechanism, a client can invoke the various functions generated by MIG (the Mach Interface Generator) in the Mach server.

Vulnerability analysis

The daemon is started by launchd, macOS's init process. More details about how it is launched can be found in its property list file:

/System/Library/LaunchDaemons/com.apple.diskmanagementd.plist

At startup, the daemon registers a callback function that the inter-process communication machinery will invoke whenever Mach messages are later sent and received.

Here, CFMachPortCreateWithPort registers the function sub_10000C241 as the callback responsible for processing Mach messages, and the code that receives Mach messages is at 0x10000BE1F. The action to perform is selected by the msgh_id field of the Mach message; sub_10000C241 indirectly uses this ID as an index into a dispatch table of two remote functions. sub_100001DA2 and sub_100002005 are responsible for starting and removing subsequent communication sessions, respectively.

Mach ports are unidirectional, which means that sending a request and receiving its reply use separate ports. Apple's documentation describes this as follows:

"A port is the endpoint of a one-way communication channel between the client requesting the service and the server providing the service. If you want to reply to such service requests, you must use a second port, which is similar to the (one-way) pipe in Unix."

The function sub_10000CCA9 is reachable through sub_100001DA2; it creates another Mach port with sub_10000DACC as its callback function. The port is stored in a dictionary under the key "Comms-F2TPort". A 0x1000-byte buffer is allocated to hold the reply to the Mach message, and it is stored in the dictionary under the key "reply Comms-F2T-replyarea".

setObject:forKey: is used to add both key-value pairs to the dictionary:

When the client sends a message, sub_10000DACC is triggered and the MIG remote procedure call is dispatched according to msgh_id. Next, we focus on the function sub_1000087C9:

The buffer overflow occurs in sub_1000087C9 when the offset computed from the length of the user's input data exceeds 0x1000.

The 0x1000-byte reply buffer is held in R14, and user input starts at offset 0x38, so the remaining 0xfc8 bytes are the user input area. When the input fills all 0xfc8 bytes, strlen returns 0xfc8. The length is then rounded up: ((0xfc8 + 1) + 3) & 0xfffffffc = 0xfcc. At address 0x100008ABD the offset becomes 0xfcc + 0x38 = 0x1004, so 4 bytes of data are read and written past the end of the buffer, and this out-of-bounds write is what an attacker would try to take advantage of. The effect of the out-of-bounds access is limited, however: the buffer is only 0x1000 bytes and the write lands at offset 0x1004, so the program only touches 4 bytes of the following heap block.

There are several restrictions. The first is that the input data cannot contain NUL bytes, because strlen stops at the first NUL. The second is that the data written past the end of the buffer is always the content of var_dc, which is the error code returned by sub B30.
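The length arithmetic above, modelled in C as an added example (this is not the ZDI researcher's or Apple's code): the 0x1000-byte reply area, the 0x38 input offset and the round-up to a multiple of 4 come from the analysis, while the function names, the constructed filler input and the hardened `safe_fill_reply` (the bounds check the daemon lacks) are assumptions made here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constants from the analysis: 0x1000-byte reply area, user input placed at offset 0x38. */
#define REPLY_AREA_SIZE 0x1000u
#define INPUT_OFFSET    0x38u
#define TRAILER_SIZE    4u      /* the 4-byte value (var_dc) stored after the input */

/* Length rounding as in the analysis: strlen, plus the NUL, rounded up to a multiple of 4. */
size_t rounded_input_len(const char *input) {
    return ((strlen(input) + 1) + 3) & ~(size_t)3;
}

/* Offset inside the reply area where the 4-byte trailer would be written. */
size_t trailer_offset(const char *input) {
    return INPUT_OFFSET + rounded_input_len(input);
}

/* True when either the NUL terminator or the trailer would land outside the reply area. */
bool input_overflows_reply(const char *input) {
    size_t nul_end = INPUT_OFFSET + strlen(input) + 1;
    return nul_end > REPLY_AREA_SIZE ||
           trailer_offset(input) + TRAILER_SIZE > REPLY_AREA_SIZE;
}

/* Hardened variant (assumed here): refuses input that does not fit and returns 0; otherwise
 * copies the input and the trailer into the reply area and returns the bytes used. */
size_t safe_fill_reply(uint8_t *reply, size_t reply_size, const char *input, uint32_t trailer) {
    size_t nul_end = INPUT_OFFSET + strlen(input) + 1;
    size_t end = INPUT_OFFSET + rounded_input_len(input) + TRAILER_SIZE;
    if (nul_end > reply_size || end > reply_size) return 0;  /* would overflow: reject */
    memcpy(reply + INPUT_OFFSET, input, strlen(input) + 1);
    memcpy(reply + end - TRAILER_SIZE, &trailer, TRAILER_SIZE);
    return end;
}

/* Constructed test input: n non-NUL bytes ('A') in a static buffer, NUL-terminated. */
const char *filler_input(size_t n) {
    static char buf[REPLY_AREA_SIZE + 1];
    if (n > REPLY_AREA_SIZE) n = REPLY_AREA_SIZE;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

/* Stand-alone check: fills a local reply area with a filler input of n bytes. */
size_t fill_reply_with_filler(size_t n, uint32_t trailer) {
    uint8_t reply[REPLY_AREA_SIZE];
    return safe_fill_reply(reply, sizeof reply, filler_input(n), trailer);
}
```

With a full 0xfc8-byte input the trailer offset is 0x1004, exactly the value in the analysis; the largest input the hardened check accepts is 0xfc3 bytes.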

The above is the editor's summary of how system privileges can be escalated through the macOS disk management tool. If you have similar questions, the analysis above may help you understand the issue. If you want to know more, you are welcome to follow the industry information channel.
