Security issue in com.apple.filesystems.ntfs kext

  • Authors: Aristide Fattori (@joystick) and Roberto Paleari (@rpaleari)
  • Notification date: 09/07/2015
  • Release date: 13/08/2015
  • Status: Fixed in OS X 10.10.5

Due to a security issue in the com.apple.filesystems.ntfs kext, an attacker can craft a malicious NTFS image that, when mounted, causes a NULL pointer dereference in the function ntfs_mft_mirror_check().

According to our investigations, we believe the crash is caused by an integer signedness error in the handling of the "initialized data size of the stream" (initsize) field of the non-resident $DATA attribute of $MFTMirr. We speculate this field should be treated as unsigned, while it is actually handled as a signed value.
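To make the signedness issue concrete, here is a small validator, added for illustration and not part of the original advisory or of Apple's code, that parses the size fields of a non-resident $DATA attribute record and reports when the initsize field is only plausible as an unsigned value (sign bit set, or larger than the real or allocated size). The field offsets are those of the NTFS on-disk attribute record layout; the function names and the sample record are assumptions constructed for this example, with the initsize value taken from the proof-of-concept described in this advisory.

```python
import struct

# On-disk layout of an NTFS non-resident attribute record (little-endian).
# These offsets are from the NTFS on-disk format, not from the advisory.
ATTR_DATA = 0x80          # attribute type code for $DATA
OFF_TYPE = 0x00           # u32 attribute type
OFF_NONRESIDENT = 0x08    # u8  1 = non-resident
OFF_ALLOC_SIZE = 0x28     # u64 allocated size
OFF_REAL_SIZE = 0x30      # u64 real (data) size
OFF_INIT_SIZE = 0x38      # u64 initialized data size ("initsize")
NONRES_HEADER_LEN = 0x40  # header length up to (not including) the data runs


def parse_nonresident_data_attr(rec: bytes) -> dict:
    """Parse the size fields of a non-resident $DATA attribute record.

    Returns both the unsigned reading of initsize (the correct one) and the
    signed int64 reading (the interpretation the advisory says the kext used).
    """
    if len(rec) < NONRES_HEADER_LEN:
        raise ValueError("record too short for a non-resident attribute header")
    (attr_type,) = struct.unpack_from("<I", rec, OFF_TYPE)
    (nonresident,) = struct.unpack_from("<B", rec, OFF_NONRESIDENT)
    if attr_type != ATTR_DATA or nonresident != 1:
        raise ValueError("not a non-resident $DATA attribute")
    (alloc,) = struct.unpack_from("<Q", rec, OFF_ALLOC_SIZE)
    (real,) = struct.unpack_from("<Q", rec, OFF_REAL_SIZE)
    (init_u,) = struct.unpack_from("<Q", rec, OFF_INIT_SIZE)
    (init_s,) = struct.unpack_from("<q", rec, OFF_INIT_SIZE)
    return {"allocated": alloc, "real": real,
            "initsize_unsigned": init_u, "initsize_signed": init_s}


def check_initsize(rec: bytes) -> list:
    """Return a list of findings; an empty list means the size fields are consistent."""
    f = parse_nonresident_data_attr(rec)
    findings = []
    if f["initsize_signed"] < 0:
        findings.append("initsize has the sign bit set: a signed int64 reader sees %d"
                        % f["initsize_signed"])
    if f["initsize_unsigned"] > f["real"]:
        findings.append("initsize 0x%x exceeds real size 0x%x"
                        % (f["initsize_unsigned"], f["real"]))
    if f["real"] > f["allocated"]:
        findings.append("real size 0x%x exceeds allocated size 0x%x"
                        % (f["real"], f["allocated"]))
    return findings


def build_sample_record(alloc: int, real: int, initsize: int) -> bytes:
    """Constructed test input: a minimal unnamed non-resident $DATA attribute header
    (hypothetical helper; a real record would be followed by data runs)."""
    return struct.pack("<IIBBHHHQQHHIQQQ",
                       ATTR_DATA, NONRES_HEADER_LEN,   # type, record length
                       1, 0, NONRES_HEADER_LEN,        # non-resident, name len, name offset
                       0, 0,                           # flags, attribute id
                       0, 0,                           # start VCN, last VCN
                       NONRES_HEADER_LEN, 0, 0,        # data runs offset, compression unit, padding
                       alloc, real, initsize)


if __name__ == "__main__":
    # initsize value from the advisory's proof-of-concept image
    poc = build_sample_record(0x1000, 0x1000, 0xC300000000001000)
    for line in check_initsize(poc):
        print("FINDING:", line)
    benign = build_sample_record(0x1000, 0x1000, 0x1000)
    print("benign record findings:", check_initsize(benign))
```

The signed reading of 0xc300000000001000 is a large negative number, which is exactly the kind of value that passes a signed "is it small enough?" comparison while describing an impossibly large stream; rejecting records whose initsize exceeds the real or allocated size (compared as unsigned) closes that gap.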

An attacker can thus write the malicious image to a USB drive that, when plugged into a victim's Mac, causes a kernel-level crash. Given the nature of the bug, we cannot rule out the possibility that a local attacker could craft a more complex NTFS image to perform a local privilege escalation attack.

As a proof-of-concept, our provided NTFS image has the $MFTMirr.$DATA.initsize field set to 0xc300000000001000. Reproduce with:

$ zcat crash_minimal.img.gz > crash_minimal.img
$ hdiutil attach crash_minimal.img

Otherwise, raw-copy the NTFS image onto a removable USB drive and plug it into the vulnerable host.

This bug has been addressed by Apple in OS X Yosemite 10.10.5 (see HT205031).