Vulnerability in AppleTalk causes a Mac to hang
Following the disclosure of a DoS vulnerability in Apple's Finder, the Month of Apple Bugs team has now presented four more DoS vulnerabilities relating to the processing of DMG images in Mac OS X. These are, however, essentially leftovers from the November Month of Kernel Bugs and cannot really be described as new bugs. Some even already have CVE entries (Common Vulnerabilities and Exposures).
On top of this, the 14th vulnerability also looks likely to stir up some controversy. A vulnerability in AppleTalk can be exploited to crash the system. A test of this exploit by the heise Security editorial team caused a Mac mini running Mac OS X 10.4.8 to hang as a result of a kernel panic. The bug can apparently also be exploited from the local area network.
According to the bug report, because this is a heap overflow, it may also be possible to inject and execute code. However, AppleTalk is only used on the local network, meaning that the circle of possible attackers is limited to workmates and housemates. The cause of the problem is the failure to check the length of buffers in the ATPsndrsp function when validating user parameters. An official patch is not yet available. AppleTalk is deactivated by default, and it can also be deactivated with the command sudo appletalk -d.
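The kind of length check whose absence is described above, shown in its hardened form. This is an added illustration, not Apple's ATPsndrsp code and not code from the bug report: the struct, the function name and the descriptor layout are hypothetical, and the limits of 8 packets and 578 data bytes per packet are the ATP protocol maxima.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ATP_MAX_PKTS 8    /* an ATP response consists of at most 8 packets */
#define ATP_MAX_DATA 578  /* at most 578 data bytes per ATP packet */

/* Hypothetical caller-supplied descriptor for one response packet. */
struct resp_seg {
    const uint8_t *data;
    size_t len;           /* caller-controlled, so never trusted as-is */
};

/* Check the packet count and every length before a single byte is copied,
 * then size the heap buffer from the checked total. Returns the buffer
 * (caller frees) with *out_len set, or NULL if any parameter is rejected. */
uint8_t *build_response(const struct resp_seg *segs, size_t nsegs, size_t *out_len)
{
    size_t total = 0, off = 0;

    if (segs == NULL || out_len == NULL || nsegs == 0 || nsegs > ATP_MAX_PKTS)
        return NULL;
    for (size_t i = 0; i < nsegs; i++) {
        if (segs[i].len > ATP_MAX_DATA || (segs[i].len > 0 && segs[i].data == NULL))
            return NULL;
        total += segs[i].len;          /* bounded by 8 * 578, cannot wrap */
    }
    uint8_t *buf = malloc(total ? total : 1);
    if (buf == NULL)
        return NULL;
    for (size_t i = 0; i < nsegs; i++) {
        if (segs[i].len > 0)
            memcpy(buf + off, segs[i].data, segs[i].len);
        off += segs[i].len;
    }
    *out_len = total;
    return buf;
}

int main(void)
{
    uint8_t payload[ATP_MAX_DATA] = {0};           /* constructed sample data */
    struct resp_seg good = { payload, sizeof payload };
    struct resp_seg oversized = { payload, ATP_MAX_DATA + 1 };
    size_t n = 0;
    uint8_t *r = build_response(&good, 1, &n);
    printf("valid segment: %s (%zu bytes)\n", r ? "accepted" : "rejected", n);
    free(r);
    printf("oversized segment: %s\n",
           build_response(&oversized, 1, &n) ? "accepted" : "rejected");
    return 0;
}
```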
Landon Fuller's MOAB fixes group, which originally planned to release a patch for each MOAB bug, is currently lagging somewhat behind. The cumulative patch includes fixes for vulnerabilities one to seven only. The tenth bug is currently under discussion.
Two of the bugs relating to processing of DMG images can apparently be used to introduce malicious code onto a system. This requires the user to mount and load an image with the UFS file format. An error processing prepared images in HFS+ format can apparently even lead to loss of data on the local file system. Proof-of-concept exploits demonstrating the problem are available for all of the published vulnerabilities.
- AppleTalk ATPsndrsp() Heap Buffer Overflow Vulnerability, bug report from MOAB