Apple Mac OS X 'kextload' Format-String Vulnerability

vendor:

Mac OS X

by:

SecurityFocus

7.2

CVSS

HIGH

Format-String Vulnerability

134

CWE

Product Name: Mac OS X

Affected Version From: Mac OS X 10.3.x

Affected Version To: Mac OS X 10.4.x

Patch Exists: NO

Related CWE: N/A

CPE: o:apple:mac_os_x:10.3

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Mac OS X

2005

Apple Mac OS X ‘kextload’ Format-String Vulnerability

Apple Mac OS X 'kextload' is prone to a format-string vulnerability because it fails to sufficiently sanitize user-supplied input data. An attacker can exploit this issue to execute arbitrary machine code with superuser privileges. A successful exploit may result in the complete compromise of the affected computer.

Mitigation:

To mitigate this vulnerability, users should ensure that applications running with elevated privileges do not directly manipulate the arguments passed to kextload.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/20031/info

Apple Mac OS X 'kextload' is prone to a format-string vulnerability because it fails to sufficiently sanitize user-supplied input data.

This issue is not exploitable by itself, because kextload is not installed as a setuid-superuser application by default. To exploit this issue, an attacker must use another application running with elevated privileges in order to directly manipulate the arguments passed to kextload.

An attacker can exploit this issue to execute arbitrary machine code with superuser privileges. A successful exploit may result in the complete compromise of the affect computer.

Example of kextload format-string vulnerability affecting TDIXSupport:

netragard-test:$ ./TDIXSupport %x%x%x%x%x%x%/TDIXController.kext
kextload: /Library/Application Support/Roxio/90b4b6ca1c6973747365206578682062756e646c65/TDIXController.kext: no such bundle file exists can't add kernel extension %x%x%x%x%x%x%/TDIXController.kext (file access/permissions) (run kextload on this kext with -t for diagnostic output)