# Mac OS X searchfs integer overflow



## eddie5659 (Mar 19, 2001)

Mac OS X version 10.3.4 and possibly other versions are vulnerable to an integer overflow in the searchfs function, caused by improper handling of the sizeofsearchparams1 and sizeofsearchparams2 variables in a fssearchblock structure. A local attacker could exploit this vulnerability to overflow a buffer and execute arbitrary code on the system with elevated privileges.

*Platforms Affected:* Apple Computer, Inc.: Mac OS 10.3.4

http://xforce.iss.net/xforce/xfdb/18980

Regards

eddie
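
As an added illustration (not code from the advisory or from Apple's kernel), here is a simplified model of the size-field handling the post describes: an unchecked sum of two caller-supplied sizes beside a bounded, overflow-safe check. The struct, the 32-bit field widths and the MAX_SEARCH_PARAMS bound are assumptions made for the demonstration, not the real fssearchblock definition.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of the two caller-controlled size fields the advisory
 * names (sizeofsearchparams1 / sizeofsearchparams2). 32-bit types are
 * assumed here only so the wraparound is easy to observe; this is not
 * the real kernel struct. */
struct search_sizes {
    uint32_t sizeofsearchparams1;
    uint32_t sizeofsearchparams2;
};

/* Per-request upper bound a hardened implementation would enforce (assumed). */
#define MAX_SEARCH_PARAMS 4096u

/* Vulnerable pattern: the two sizes are added in the width they arrived in,
 * so the result can wrap to a small value. A buffer sized from this sum is
 * then much smaller than the copies that follow expect. */
uint32_t unchecked_total(const struct search_sizes *s)
{
    return s->sizeofsearchparams1 + s->sizeofsearchparams2;
}

/* Hardened pattern: reject the request if either field, or their sum, exceeds
 * the bound. The sum test uses a > MAX - b, which cannot overflow once
 * b <= MAX is known. Stores the total and returns true only when it is safe. */
bool checked_total(const struct search_sizes *s, uint32_t *out)
{
    uint32_t a = s->sizeofsearchparams1;
    uint32_t b = s->sizeofsearchparams2;
    if (a > MAX_SEARCH_PARAMS || b > MAX_SEARCH_PARAMS)
        return false;
    if (a > MAX_SEARCH_PARAMS - b)
        return false;
    *out = a + b;
    return true;
}

int main(void)
{
    /* Constructed input: the sum exceeds 32 bits and wraps to 0x100. */
    struct search_sizes req = { 0xFFFFFF00u, 0x200u };
    uint32_t total = 0;
    printf("unchecked total: 0x%x\n", unchecked_total(&req));
    printf("checked: %s\n", checked_total(&req, &total) ? "accepted" : "rejected");
    return 0;
}
```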


----------



## MSM Hobbes (Apr 23, 2004)

Thanks for posting this! :up: Why no word from Apple or other sources?  

Also, found this too [maybe it would be good to have a thread just for alerts, etc.?]:

I realize that this is older, but seems similar to me?

http://www.securitytracker.com/alerts/2004/Sep/1011174.html

Mac OS X CoreFoundation Buffer Overflow and Library Loading Bugs Let Local Users Gain Elevated Privileges

SecurityTracker Alert ID: 1011174  
SecurityTracker URL: http://securitytracker.com/id?1011174  
CVE Reference: CAN-2004-0821, CAN-2004-0822  
Date: Sep 7 2004  
Impact: Execution of arbitrary code via local system, Root access via local system, User access via local system  
Fix Available: Yes  
Vendor Confirmed: Yes  
Version(s): 10.2.8, 10.3.4, 10.3.5  
Description: Two vulnerabilities were reported in Apple Mac OS X in CoreFoundation. A local user can execute arbitrary code.

Apple reported that a local user can cause an application using CoreFoundation CFPlugIn facilities to load an arbitrary user-supplied library [CVE: CAN-2004-0821] with the privileges of the application. A local user can gain elevated privileges.

The vendor credits Kikuchi Masashi with reporting this flaw.

It is also reported that a local user can modify a certain environment variable to trigger a buffer overflow in CoreFoundation [CVE: CAN-2004-0822] and execute arbitrary code with elevated privileges.

The vendor credits [email protected] with reporting this flaw.

Impact: A local user can cause arbitrary code to be executed with elevated privileges.

Solution: The vendor has released a fix as part of Security Update 2004-09-07, available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:

http://www.apple.com/support/downloads/


----------



## eddie5659 (Mar 19, 2001)

I've seen a few reports on Macs, but up till now, we never had a forum. I'll keep you updated on any that I find.

As for no notice from Apple, the one above has no remedy as of yet, so they may/may not know about it. The vendor (Apple, in this case) is usually contacted, but it's up to them to issue patches, etc.

eddie


----------

