Vulnerability in Mac OS X memory subsystem
Brazilian security specialist Adriano Lima of Rise Security has published an advisory on a vulnerability in the Shared Memory Server subsystem of Mac OS X 10.4.8. The subsystem lets the kernel map program code and data, such as system libraries, into a memory region that user processes share. The system call shared_region_map_file_np() does not adequately check that the mapping entries it copies in from user space fit into the kernel buffer they are copied to; a call with a very large mapping_count parameter therefore corrupts kernel memory. Lima's advisory includes proof-of-concept code, which froze an Intel-based Mac mini in tests by the heise Security editorial team.
According to Lima, the bug should also be exploitable to write data to chosen memory locations and thus to escalate privileges. No patch is available yet; Apple has, however, been informed. Since the vulnerability can only be triggered by a user already logged on to the system, the risk of a successful attack is low, unless an attacker has already gained access to the system through another vulnerability, for instance in a network service, and now wants to escalate privileges. Mac OS X does, however, already offer other ways of doing that.
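To make the missing size check concrete, the following is an added example written for this article; it is neither xnu's shared_region_map_file_np() implementation nor Rise Security's proof of concept. The struct layout, the buffer size MAX_STACK_MAPPINGS, the simulated copyin() and the sample request are all assumptions. It puts the unchecked pattern (copy length derived from the caller-supplied mapping_count alone, in 32-bit arithmetic) next to a handler that bounds the count before doing any size arithmetic, and shows why the bound must be on the count rather than on the computed byte size.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for one shared-region mapping descriptor handed in
 * from user space. The layout is illustrative; it is not xnu's struct. */
struct mapping_np {
    uint64_t address;      /* where in the shared region to map */
    uint64_t size;         /* length of the mapping */
    uint64_t file_offset;  /* offset into the backing file */
    uint32_t max_prot;     /* maximum protection */
    uint32_t init_prot;    /* initial protection */
};

/* Hypothetical fixed-size kernel buffer the entries are copied into. */
#define MAX_STACK_MAPPINGS 8
#define KBUF_BYTES ((uint32_t)sizeof(struct mapping_np) * MAX_STACK_MAPPINGS)

/* Simulated copyin(): the "user" source is a buffer of ulen bytes, so the
 * copy fails with EFAULT where a real copyin would fault on an unmapped page. */
static int sim_copyin(const void *uaddr, size_t ulen, void *kaddr, size_t n)
{
    if (n > ulen)
        return EFAULT;
    memcpy(kaddr, uaddr, n);
    return 0;
}

/* Unchecked pattern: the copy length comes from the caller's count alone,
 * in 32-bit arithmetic as on a 32-bit kernel of the time, so it can both
 * exceed the buffer and wrap around to a small value. */
static uint32_t unchecked_copy_size(uint32_t mapping_count)
{
    return mapping_count * (uint32_t)sizeof(struct mapping_np);
}

/* Reports, without performing the copy, whether the unchecked length would
 * run past the fixed kernel buffer for a given mapping_count. */
static int unchecked_copy_overflows(uint32_t mapping_count)
{
    return unchecked_copy_size(mapping_count) > KBUF_BYTES;
}

/* Hardened handler: bound the count before any size arithmetic, then copy
 * exactly that many entries. Returns 0 or an errno value; *copied receives
 * the number of entries accepted. */
static int checked_map_handler(const struct mapping_np *user, size_t ulen,
                               uint32_t mapping_count, uint32_t *copied)
{
    struct mapping_np kbuf[MAX_STACK_MAPPINGS];
    size_t bytes;
    int err;

    *copied = 0;
    if (mapping_count == 0)
        return EINVAL;                  /* nothing to map */
    if (mapping_count > MAX_STACK_MAPPINGS)
        return E2BIG;                   /* would not fit the kernel buffer */
    /* Only now is the multiplication safe: the bound rules out a wrap. */
    bytes = (size_t)mapping_count * sizeof(struct mapping_np);
    err = sim_copyin(user, ulen, kbuf, bytes);
    if (err)
        return err;
    /* Per-entry validation a real mapper would do before touching the
     * shared region; here only the protection flags are sanity-checked. */
    for (uint32_t i = 0; i < mapping_count; i++) {
        if (kbuf[i].init_prot & ~kbuf[i].max_prot)
            return EINVAL;
    }
    *copied = mapping_count;
    return 0;
}

/* Stand-alone demo over a constructed three-entry request. */
int main(void)
{
    struct mapping_np req[3] = {
        { 0x90000000ULL, 0x1000, 0x0000, 0x7, 0x5 },
        { 0x90001000ULL, 0x1000, 0x1000, 0x7, 0x3 },
        { 0x90002000ULL, 0x1000, 0x2000, 0x7, 0x1 },
    };
    uint32_t n;
    int err = checked_map_handler(req, sizeof(req), 3, &n);
    printf("3 entries: err=%d copied=%u\n", err, n);
    printf("unchecked size for count 0x0FFFFFFF: 0x%08x (overflows buffer: %d)\n",
           unchecked_copy_size(0x0FFFFFFFu), unchecked_copy_overflows(0x0FFFFFFFu));
    printf("unchecked size for count 0x08000000: 0x%08x (wrapped to zero)\n",
           unchecked_copy_size(0x08000000u));
    printf("count 0x08000000 via checked handler: err=%d\n",
           checked_map_handler(req, sizeof(req), 0x08000000u, &n));
    return 0;
}
```

Build with `cc -std=c99 -Wall`. The count 0x08000000 is the instructive case: multiplied by a 32-byte entry it wraps to a computed length of 0, so a check on the byte size alone would pass it, while the count-based bound in checked_map_handler() rejects it before the multiplication happens.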
- Apple Mac OS X 10.4.x kernel shared_region_map_file_np() memory corruption vulnerability, security advisory from Rise Security