Sign-up

ID

VAR-201008-0304


CVE

CVE-2010-1794


TITLE

Apple Mac OS X WebDAV Kernel Extension Local Denial Of Service Vulnerability

Trust: 0.9

sources: BID: 41958 // CNNVD: CNNVD-201008-007

DESCRIPTION

The webdav_mount function in webdav_vfsops.c in the WebDAV kernel extension (aka webdav_fs.kext) for Mac OS X 10.6 allows local users to cause a denial of service (panic) via a mount request with a large integer in the pa_socket_namelen field. Attackers can exploit this issue to trigger a kernel panic resulting in a denial-of-service condition. Mac OS X is a BSD-derived operating system developed and maintained by Apple. ==Notes on Disclosure== My disclosure of this issue prior to an official fix is not meant to be taken as a statement against Apple's management of security issues. Local denial-of-service issues are by nature low impact - many security teams do not regard these as security-relevant at all.\xa0 I believe the chances of exploitation of this in real life are practically non-existent.\xa0 Given that the vulnerability resides in an open source kernel extension, I chose to disclose this issue so that concerned administrators can apply a fix immediately, while the rest of us can benefit from a little increased awareness of potentially unsafe memory allocation situations.\xa0 Apple's security team was contacted prior to disclosure, and I'm sure they'll incorporate a fix in a future release. ==Solution== The WebDAV kernel extension can be obtained online [2].\xa0 The following patch can be applied to this extension, after which it should be recompiled to replace the existing extension at /System/Library/Extensions/webdav_fs.kext: --- webdav_fs.kextproj.orig/webdav_fs.kmodproj/webdav_vfsops.c 2010-07-21 09:51:09.000000000 -0400 +++ webdav_fs.kextproj/webdav_fs.kmodproj/webdav_vfsops.c 2010-07-21 10:32:43.000000000 -0400 @@ -319,6 +319,12 @@ static int webdav_mount(struct mount *mp \xa0\xa0\xa0\xa0 } \xa0\xa0\xa0\xa0 /* Get the server sockaddr from the args */ +\xa0\xa0\xa0 if(args.pa_socket_namelen > NAME_MAX) +\xa0\xa0\xa0 { +\xa0\xa0\xa0 \xa0\xa0\xa0 error = EINVAL; +\xa0\xa0\xa0 \xa0\xa0\xa0 goto bad; +\xa0\xa0\xa0 } + \xa0\xa0\xa0\xa0 MALLOC(fmp->pm_socket_name, struct sockaddr *, args.pa_socket_namelen, M_TEMP, M_WAITOK); \xa0\xa0\xa0\xa0 error = copyin(args.pa_socket_name, fmp->pm_socket_name, args.pa_socket_namelen); \xa0\xa0\xa0\xa0 if (error) ==Credits== This vulnerability was discovered by Dan Rosenberg (dan.j.rosenberg@gmail.com). ==References== CVE identifier CVE-2010-1794 has been assigned to this issue by Apple. [1] http://en.wikipedia.org/wiki/WebDAV [2] http://opensource.apple.com/source/webdavfs/webdavfs-293/webdav_fs.kextproj/webdav_fs.kmodproj/

Trust: 2.07

sources: NVD: CVE-2010-1794 // JVNDB: JVNDB-2010-004050 // BID: 41958 // VULHUB: VHN-44399 // PACKETSTORM: 92180

AFFECTED PRODUCTS

vendor:applemodel:mac os xscope:eqversion:10.6.0

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.6

Trust: 0.8

vendor:applemodel:mac osscope:eqversion:x10.2.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.9

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.1.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.0.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.8

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.6.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.10

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.7

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.1.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.0.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.1.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.9

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.8

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.1.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.0

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.6.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.1.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.7

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.7

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.3

Trust: 0.3

vendor:cosmicperlmodel:directory proscope:eqversion:10.0.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.8

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.7

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.6.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.6.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.0.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.03

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.11

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.8

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.1

Trust: 0.3

sources: BID: 41958 // JVNDB: JVNDB-2010-004050 // CNNVD: CNNVD-201008-007 // NVD: CVE-2010-1794

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2010-1794
value: MEDIUM

Trust: 1.0

NVD: CVE-2010-1794
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201008-007
value: MEDIUM

Trust: 0.6

VULHUB: VHN-44399
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2010-1794
severity: MEDIUM
baseScore: 4.9
vectorString: AV:L/AC:L/AU:N/C:N/I:N/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-44399
severity: MEDIUM
baseScore: 4.9
vectorString: AV:L/AC:L/AU:N/C:N/I:N/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-44399 // JVNDB: JVNDB-2010-004050 // CNNVD: CNNVD-201008-007 // NVD: CVE-2010-1794

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-44399 // JVNDB: JVNDB-2010-004050 // NVD: CVE-2010-1794

THREAT TYPE

local

Trust: 1.0

sources: BID: 41958 // PACKETSTORM: 92180 // CNNVD: CNNVD-201008-007

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201008-007

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2010-004050

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-44399

PATCH
title:Top Pageurl:http://www.apple.com/macosx/
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2010-004050

EXTERNAL IDS
db:NVDid:CVE-2010-1794
Trust: 2.9
db:BIDid:41958
Trust: 2.0
db:SECTRACKid:1024250
Trust: 1.7
db:JVNDBid:JVNDB-2010-004050
Trust: 0.8
db:CNNVDid:CNNVD-201008-007
Trust: 0.7
db:NSFOCUSid:15493
Trust: 0.6
db:BUGTRAQid:20100726 MAC OS X WEBDAV KERNEL EXTENSION LOCAL DENIAL-OF-SERVICE
Trust: 0.6
db:PACKETSTORMid:92180
Trust: 0.2
db:VULHUBid:VHN-44399
Trust: 0.1
sources:
            
            
            VULHUB: VHN-44399 // 
            
            
            
            BID: 41958 // 
            
            
            
            JVNDB: JVNDB-2010-004050 // 
            
            
            
            PACKETSTORM: 92180 // 
            
            
            
            CNNVD: CNNVD-201008-007 // 
            
            
            
            NVD: CVE-2010-1794

REFERENCES
url:http://www.securityfocus.com/bid/41958
Trust: 1.7
url:http://securitytracker.com/id?1024250
Trust: 1.7
url:http://www.securityfocus.com/archive/1/512642/100/0/threaded
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-1794
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-1794
Trust: 0.8
url:http://www.securityfocus.com/archive/1/archive/1/512642/100/0/threaded
Trust: 0.6
url:http://www.nsfocus.net/vulndb/15493
Trust: 0.6
url:http://www.apple.com/macosx/
Trust: 0.3
url:http://opensource.apple.com/source/webdavfs/
Trust: 0.3
url:/archive/1/512642
Trust: 0.3
url:http://en.wikipedia.org/wiki/webdav
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2010-1794
Trust: 0.1
url:http://opensource.apple.com/source/webdavfs/webdavfs-293/webdav_fs.kextproj/webdav_fs.kmodproj/
Trust: 0.1
sources:
            
            
            VULHUB: VHN-44399 // 
            
            
            
            BID: 41958 // 
            
            
            
            JVNDB: JVNDB-2010-004050 // 
            
            
            
            PACKETSTORM: 92180 // 
            
            
            
            CNNVD: CNNVD-201008-007 // 
            
            
            
            NVD: CVE-2010-1794

CREDITS
Dan Rosenberg
Trust: 1.0
sources:
            
            
            BID: 41958 // 
            
            
            
            PACKETSTORM: 92180 // 
            
            
            
            CNNVD: CNNVD-201008-007

SOURCES
db:VULHUBid:VHN-44399
db:BIDid:41958
db:JVNDBid:JVNDB-2010-004050
db:PACKETSTORMid:92180
db:CNNVDid:CNNVD-201008-007
db:NVDid:CVE-2010-1794

LAST UPDATE DATE
2025-04-11T23:05:57.694000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-44399date:2018-10-10T00:00:00
db:BIDid:41958date:2010-08-05T19:45:00
db:JVNDBid:JVNDB-2010-004050date:2012-06-26T00:00:00
db:CNNVDid:CNNVD-201008-007date:2010-08-04T00:00:00
db:NVDid:CVE-2010-1794date:2025-04-11T00:51:21.963

SOURCES RELEASE DATE
db:VULHUBid:VHN-44399date:2010-08-02T00:00:00
db:BIDid:41958date:2010-07-26T00:00:00
db:JVNDBid:JVNDB-2010-004050date:2012-06-26T00:00:00
db:PACKETSTORMid:92180date:2010-07-26T22:43:41
db:CNNVDid:CNNVD-201008-007date:2010-07-26T00:00:00
db:NVDid:CVE-2010-1794date:2010-08-02T20:40:00.450