Local DOS in MacOS X

From: Gustaf Josefsson (gustafat_private)
Date: Tue Dec 03 2002 - 17:16:16 PST

    Hello.
    About 6 months ago I found a security hole in all versions of MacOS X, 
    making it vulnerable to a local DoS attack. I've experimented a bit and 
    found nothing fun to do with it except bringing the computer down. Now 
    I just feel I've sat on this shit too long, so here goes:
    
    There is something wrong in the way that the system handles arguments 
    to MacOS applications from the command line. The same thing happens with 
    all applications that come with the default installation and all 
    others that I've tried.
    If I do:
    
    [Gaz:~] gustaf% Applications/TextEdit.app/Contents/MacOS/TextEdit `perl -e"print 'a' x 100000"`
    Word too long.
    
    The terminal hangs. This is csh crashing and doesn't do anything to the 
    rest of the system.
    If I start bash and do the same thing I get:
    
    bash: /Applications/TextEdit.app/Contents/MacOS/TextEdit: Argument list too long
    
    Now. If I do the same thing with 50000 a's instead, the program 
    TextEdit will start up (or I will get a no-windowserver error if done 
    through ssh).
    If I narrow it down by guessing I will find a single number where, 
    instead of starting TextEdit or saying "too long", the terminal will 
    hang. So will the rest of the system. Stone dead. Nothing in the logs. 
    No telling why.
    This "magic" number of bytes that crashes the system is found somewhere 
    between 50000 and 70000 depending on which program you use to exploit 
    and just plain coincidence.
    
    I've tested on OS X 10.0.4, 10.1.5 and 10.2.2 on 4 different computers. 
    I've done it through Terminal, >console and via ssh. Same result 
    every time.
    
    That's it folks. Sorry for not submitting a better bug report.
    
    Gustaf Josefsson
    Independent OS X geek
    This archive was generated by hypermail 2b30 : Tue Dec 03 2002 - 20:37:04 PST