SANS ISC InfoSec Forums
DMG Handling Vulnerabilities on MacOSX
In the past week, the Month of the Apple Bugs website has published a number of vulnerabilities in how MacOSX handles DMG files. DMG files are Macintosh OS X Disk Copy disk image files, similar to ISO images. Because they can be mounted, read, and opened by various software packages (such as the Safari web browser and command-line utilities like hdiutil), specially crafted DMG files may cause denial of service conditions and may lead to remote code execution.

Of particular note, on January 10 a vulnerability was identified which could allow attackers to execute arbitrary commands. It is caused by a flaw in the ffs_mountfs() function when handling specially crafted DMG files. The Safari web browser can be used as a conduit for exploitation of this and other DMG vulnerabilities. I would assume that alternate browsers on MacOSX do not have the same support for this format enabled by default. But if the attacker tricks the user into downloading the specially crafted image file, then I would suspect exploitation could occur through other installed software.
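As an added example (not from this diary, and not Apple's code), here is the kind of up-front sanity check a UFS mount routine has to perform before it trusts size fields read from an untrusted image; skipping such checks is how integer overflows of the ffs_mountfs() sort arise. The field offsets follow the classic BSD struct fs layout, and the limits, the little-endian byte order and the superblock buffer size are assumptions of this example.

```python
import struct

# Byte offsets into a UFS1 superblock per the classic BSD "struct fs" layout
# (assumed here); magic value and size limits are likewise assumptions.
OFF_NCG, OFF_BSIZE, OFF_FSIZE, OFF_FRAG = 44, 48, 52, 56
OFF_MAGIC = 1372
FS_UFS1_MAGIC = 0x00011954
SBSIZE = 8192                  # size of the superblock buffer we validate
MINBSIZE, MAXBSIZE = 4096, 65536
INT32_MAX = 0x7FFFFFFF


def _i32(sb: bytes, off: int) -> int:
    # Little-endian assumed; a big-endian image needs byte-swapping first,
    # and that swap routine is itself a place where length bugs hide.
    return struct.unpack_from("<i", sb, off)[0]


def check_ufs1_superblock(sb: bytes) -> list[str]:
    """Return the list of problems found; an empty list means it passed."""
    problems = []
    if len(sb) < SBSIZE:
        return ["superblock shorter than %d bytes" % SBSIZE]
    if _i32(sb, OFF_MAGIC) != FS_UFS1_MAGIC:
        problems.append("bad magic")
    ncg, bsize, fsize, frag = (_i32(sb, o) for o in (OFF_NCG, OFF_BSIZE, OFF_FSIZE, OFF_FRAG))
    if not (MINBSIZE <= bsize <= MAXBSIZE and bsize & (bsize - 1) == 0):
        problems.append("block size %d out of range or not a power of two" % bsize)
    if not (0 < fsize <= bsize and bsize % fsize == 0):
        problems.append("fragment size %d inconsistent with block size" % fsize)
    elif frag != bsize // fsize:
        problems.append("fs_frag %d != bsize/fsize" % frag)
    if ncg <= 0:
        problems.append("non-positive cylinder group count %d" % ncg)
    elif ncg * bsize > INT32_MAX:
        # A product like this is what a mount routine would feed to an allocator;
        # checked in arbitrary-precision Python, it would wrap silently in C.
        problems.append("ncg*bsize overflows a 32-bit size")
    return problems


def make_superblock(ncg: int, bsize: int, fsize: int, frag: int,
                    magic: int = FS_UFS1_MAGIC) -> bytes:
    """Build a constructed (not real) superblock buffer with the given fields."""
    sb = bytearray(SBSIZE)
    for off, val in ((OFF_NCG, ncg), (OFF_BSIZE, bsize), (OFF_FSIZE, fsize), (OFF_FRAG, frag)):
        struct.pack_into("<i", sb, off, val)
    struct.pack_into("<i", sb, OFF_MAGIC, magic)
    return bytes(sb)
```

To run it against a real UFS1 image you would read the superblock from the image (traditionally 8192 bytes in at offset 8192, an assumption to verify for your image) and pass that buffer to check_ufs1_superblock().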

While Apple Computer corrects these vulnerabilities, I would recommend that you disable the "open safe files after downloading" option in Safari preferences. I would also be cautious handling DMG files with any other applications on MacOSX.

For more information on all of the Apple DMG vulnerabilities released so far, please see:
Apple DMG HFS+ do_hfs_truncate() Denial of Service Vulnerability
Apple DMG UFS ufs_lookup() Denial of Service Vulnerability
Apple DMG UFS byte_swap_sbin() Integer Overflow Denial of Service Vulnerability
Apple DMG UFS ffs_mountfs() Integer Overflow DoS and/or Code Execution Vulnerability
Apple Finder DMG Volume Name Memory Corruption DoS and/or Code Execution Vulnerability

For more information on the ffs_mountfs() vulnerability, please see:

ISC Handler
Jan 15th 2007