Security issue in com.apple.filesystems.ntfs kext
- Authors: Aristide Fattori (@joystick) and Roberto Paleari (@rpaleari)
- Notification date: 09/07/2015
- Release date: 13/08/2015
- Status: Fixed in OS X 10.10.5
Due to a security issue in the com.apple.filesystems.ntfs kext, an attacker can craft a malicious NTFS image that, upon mounting, causes a NULL pointer dereference in function

According to our investigations, we believe the crash is caused by an integer signedness error when handling the "initialized data size of the stream" (initsize) field of the non-resident $DATA attribute of $MFTMirr. We speculate this attribute should be unsigned, while it is actually handled as a signed integer.
An attacker can thus write the malicious image on a USB drive that, when plugged into a victim's Mac, causes a kernel-level crash. Given the nature of the bug, we cannot rule out the possibility that a local attacker could craft a more complex NTFS image to perform a local privilege escalation attack.
As a proof-of-concept, our provided NTFS image has the $MFTMirr.$DATA.initsize field set to 0xc300000000001000. Reproduce with:

$ zcat crash_minimal.img.gz > crash_minimal.img
$ hdiutil attach crash_minimal.img

Alternatively, write the raw NTFS image to a removable USB drive (e.g., with dd) and plug it into the vulnerable host.
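The following added example (not code from the advisory authors or from Apple) illustrates the class of bug described above. It parses the size fields of a constructed non-resident $DATA attribute record, using the documented NTFS on-disk offsets (allocated size at 0x28, real size at 0x30, initialized size at 0x38), and compares a hypothetical sanity check that treats initsize as a signed 64-bit value against one that treats it as unsigned. With the proof-of-concept value 0xc300000000001000 the signed comparison sees a negative number and accepts the record; the unsigned comparison rejects it. The record bytes are constructed inline, and the check functions are assumptions, not the kext's actual logic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets inside an NTFS attribute record whose non-resident flag is set
 * (documented on-disk layout, all fields little-endian). */
#define ATTR_OFF_NONRESIDENT  0x08  /* u8:  1 = non-resident              */
#define ATTR_OFF_RUN_OFFSET   0x20  /* u16: offset of the data runs       */
#define ATTR_OFF_ALLOC_SIZE   0x28  /* u64: allocated size of the stream  */
#define ATTR_OFF_DATA_SIZE    0x30  /* u64: real (logical) size           */
#define ATTR_OFF_INIT_SIZE    0x38  /* u64: initialized data size         */
#define ATTR_NONRES_HDR_LEN   0x40  /* header length before the data runs */
#define ATTR_TYPE_DATA        0x80  /* $DATA attribute type code          */

/* The initsize value carried by the advisory's proof-of-concept image. */
#define POC_INIT_SIZE  0xc300000000001000ULL

struct nonres_attr {
    uint64_t alloc_size;
    uint64_t data_size;
    uint64_t init_size;
};

static uint64_t rd_le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

static void wr_le64(uint8_t *p, uint64_t v)
{
    for (int i = 0; i < 8; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}

/* Build a constructed (not extracted) non-resident $DATA record header.
 * Returns the number of bytes written, or 0 if the buffer is too small. */
size_t build_nonres_record(uint8_t *buf, size_t cap, uint64_t alloc,
                           uint64_t data, uint64_t init)
{
    if (cap < ATTR_NONRES_HDR_LEN)
        return 0;
    memset(buf, 0, ATTR_NONRES_HDR_LEN);
    buf[0] = ATTR_TYPE_DATA;                 /* attribute type (u32)     */
    buf[4] = ATTR_NONRES_HDR_LEN;            /* record length (u32)      */
    buf[ATTR_OFF_NONRESIDENT] = 1;
    buf[ATTR_OFF_RUN_OFFSET] = ATTR_NONRES_HDR_LEN;
    wr_le64(buf + ATTR_OFF_ALLOC_SIZE, alloc);
    wr_le64(buf + ATTR_OFF_DATA_SIZE, data);
    wr_le64(buf + ATTR_OFF_INIT_SIZE, init);
    return ATTR_NONRES_HDR_LEN;
}

/* Parse the size fields of a non-resident attribute record.
 * Returns 0 on success, -1 if the record is too short or resident. */
int parse_nonres_attr(const uint8_t *rec, size_t len, struct nonres_attr *out)
{
    if (len < ATTR_NONRES_HDR_LEN || rec[ATTR_OFF_NONRESIDENT] != 1)
        return -1;
    out->alloc_size = rd_le64(rec + ATTR_OFF_ALLOC_SIZE);
    out->data_size  = rd_le64(rec + ATTR_OFF_DATA_SIZE);
    out->init_size  = rd_le64(rec + ATTR_OFF_INIT_SIZE);
    return 0;
}

/* Hypothetical check that handles initsize as a signed quantity (the class
 * of error the advisory describes; not Apple's code).  A value with the top
 * bit set converts to a large negative int64_t on two's-complement targets,
 * so "init <= data" accepts it even though it is far larger than the data. */
bool initsize_ok_signed(const struct nonres_attr *a)
{
    return (int64_t)a->init_size <= (int64_t)a->data_size;
}

/* Hardened check: compare as unsigned and require init <= data <= alloc. */
bool initsize_ok_unsigned(const struct nonres_attr *a)
{
    return a->init_size <= a->data_size && a->data_size <= a->alloc_size;
}

/* Build, parse and validate one record.  Returns 1 if the chosen check
 * accepts it, 0 if it rejects it, -1 if the record fails to parse. */
int check_record(uint64_t alloc, uint64_t data, uint64_t init, bool use_signed)
{
    uint8_t rec[ATTR_NONRES_HDR_LEN];
    struct nonres_attr a;
    if (build_nonres_record(rec, sizeof rec, alloc, data, init) == 0 ||
        parse_nonres_attr(rec, sizeof rec, &a) != 0)
        return -1;
    return (use_signed ? initsize_ok_signed(&a) : initsize_ok_unsigned(&a)) ? 1 : 0;
}

int main(void)
{
    printf("initsize 0x%016llx as int64: %lld\n",
           (unsigned long long)POC_INIT_SIZE, (long long)(int64_t)POC_INIT_SIZE);
    printf("signed check accepts PoC record:   %d\n",
           check_record(0x1000, 0x1000, POC_INIT_SIZE, true));
    printf("unsigned check accepts PoC record: %d\n",
           check_record(0x1000, 0x1000, POC_INIT_SIZE, false));
    return 0;
}
```

The sizes 0x1000 for the allocated and real size are arbitrary constructed values; only the initsize matches the proof-of-concept image. The point is that any consumer of initsize that later uses it in a size computation (for example, to decide how much of the stream to read versus zero-fill) is working from a value the signed check should never have let through.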
This bug has been addressed by Apple in OS X Yosemite 10.10.5 (see Apple security update HT205031).