Apple HFS Information Disclosure Vulnerability

Summary

Apple HFS contains a vulnerability that could lead to reading arbitrary files from an HFS, HFS+ or HFS+j file system.

Credit:

The information has been provided by Dan Rosenberg.
The original article can be found at: http://support.apple.com/kb/HT4581


Details

Vulnerable Systems:
 * Apple OS X, all versions

Users may interact with the filesystem using the standard ioctl interface. HFS+ features an ioctl called F_READBOOTSTRAP that allows unprivileged users to read raw data from an HFS+ filesystem. The ioctl is intended to restrict this data to the first 1024 bytes, where bootstrap information is stored. However, due to an integer overflow in the code that attempts to enforce this restriction, it is possible for an unprivileged user to use this ioctl to read large portions of filesystem data outside of this byte range, leading to an information disclosure vulnerability.

The vulnerable check reads as follows, in bsd/hfs/hfs_readwrite.c:
if (user_bootstrapp->fbt_offset + user_bootstrapp->fbt_length > 1024)
    return EINVAL;

If a user provides values for the fbt_offset and fbt_length members such that their sum overflows and wraps around to an integer less than 1024, portions of filesystem data outside the intended range will be read and returned to the user.
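The wrap-around described above, as an added example that is not code from the advisory or from Apple's kernel: the check as quoted, beside a form that bounds each operand separately so no sum can overflow. The unsigned 64-bit field types and the stand-alone functions are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <errno.h>

/* Limit from the advisory: bootstrap data lives in the first 1024 bytes. */
#define BOOTSTRAP_LIMIT 1024U

/* The check as quoted in the advisory, with fbt_offset and fbt_length passed
 * directly. The unsigned 64-bit types are an assumption for this example, not
 * the kernel's declarations. Unsigned addition wraps modulo 2^64, so a huge
 * offset plus a modest length compares as "small". Returns 0 to accept the
 * request and EINVAL to reject it, as the quoted code does. */
int vulnerable_check(uint64_t fbt_offset, uint64_t fbt_length)
{
    if (fbt_offset + fbt_length > BOOTSTRAP_LIMIT)
        return EINVAL;
    return 0;
}

/* Hardened form: bound the offset first, then compare the length against the
 * room that remains below the limit. No sum is formed, so nothing can wrap. */
int hardened_check(uint64_t fbt_offset, uint64_t fbt_length)
{
    if (fbt_offset > BOOTSTRAP_LIMIT)
        return EINVAL;
    if (fbt_length > BOOTSTRAP_LIMIT - fbt_offset)
        return EINVAL;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a legitimate read of the first 512 bytes, an
     * over-long read, and a pair whose sum wraps to 99 (2^64 - 100 + 199). */
    uint64_t cases[][2] = { { 0, 512 }, { 0, 1025 }, { UINT64_MAX - 99, 199 } };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("offset=%llu length=%llu: vulnerable=%s hardened=%s\n",
               (unsigned long long)cases[i][0], (unsigned long long)cases[i][1],
               vulnerable_check(cases[i][0], cases[i][1]) ? "reject" : "accept",
               hardened_check(cases[i][0], cases[i][1]) ? "reject" : "accept");
    return 0;
}
```

The third case is the one the advisory describes: the quoted check accepts it because the sum wrapped below 1024, while the hardened check rejects it on the offset alone.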

Patch Availability:
Apply the fix provided by Apple’s OS X security update
http://support.apple.com/kb/HT4581

CVE Information:
CVE-2011-0180

Disclosure Timeline:
2010-07-01 Apple was provided a draft advisory
2010-07-02 Apple acknowledges receipt of advisory
2011-03-21 Apple publishes fix

Categories: UNIX