Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

macOS LaunchServices Denial of Service

Medium

Synopsis

Tenable has discovered a possible vulnerability in the LaunchServices framework – the 'lsd' service in particular. The vulnerability is a local denial-of-service. We have verified this vulnerability is present on the latest versions of macOS at the time of this submission. This service is used to determine various behaviors during the launch of a given file or application. For example, file extension association.

In short, it does not appear that there is any size limitation applied to entries for the LSDatabase structure. As this structure is stored on disk, loaded into memory, and updated automatically as applicable files/structures hit the disk (such as being download from the internet, copied, etc.), this could lead to resource exhaustion on the host as well as a crash of the lsd service.

As an example scenario to reproduce this behavior:

  • Create and build sample Cocoa application via XCode
    • The application does not need any implemented functionality. The purpose of this is to create an appropriate app structure
  • Build and locate the sample app
  • In Info.plist (<app name>.app/Contents/Info.plist), ensure that there is data that lsd makes use of. For this example, we'll use CFBundleURLSchemes. See the following for an example Info.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>BuildMachineOSBuild</key>
<string>18A391</string>
<key>CFBundleDevelopmentRegion</key>
<string>en</string>
<key>CFBundleExecutable</key>
<string>test_app</string>
<key>CFBundleIdentifier</key>
<string>com.jimi.test-app</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>test_app</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleSupportedPlatforms</key>
<array>
<string>MacOSX</string>
</array>
<key>CFBundleURLTypes</key>
<array>
<dict>
<key>CFBundleURLName</key>
<string>com.foo.bar.dinobytes</string>
<key>CFBundleURLSchemes</key>
<array>
<data>
this_is_a_test_URL_scheme
</data>
</array>
</dict>
</array>
<key>CFBundleVersion</key>
<string>1</string>
<key>DTCompiler</key>
<string>com.apple.compilers.llvm.clang.1_0</string>
<key>DTPlatformBuild</key>
<string>10B61</string>
<key>DTPlatformVersion</key>
<string>GM</string>
<key>DTSDKBuild</key>
<string>18B71</string>
<key>DTSDKName</key>
<string>macosx10.14</string>
<key>DTXcode</key>
<string>1010</string>
<key>DTXcodeBuild</key>
<string>10B61</string>
<key>LSMinimumSystemVersion</key>
<string>10.14</string>
<key>NSHumanReadableCopyright</key>
<string>Copyright © 2019 James Sebree. All rights reserved.</string>
<key>NSMainStoryboardFile</key>
<string>Main</string>
<key>NSPrincipalClass</key>
<string>NSApplication</string>
</dict>
</plist>

  • Modify this file (the value of "this_is_a_test_URL_scheme" specifically in this scenario, though other fields also cause this issue) to be excessively large (in excess of a gig)
  • Copy and paste the entire app folder to trigger the issue. This can be triggered in many different ways, but for proof-of-concept purposes, a copy and paste will suffice.

As soon as the paste finishes, lsd will begin processing the app. It will copy the Info.plist into memory, store this excessively large value in memory, and subsequently store the values in the LSDatabase. Accessing this value, storing new values in memory, or just periodic checks within this service are enough to cause a segfault and crash the service, which causes launchd to spawn a new instance of lsd. This again loads the database into memory. Over time, this can exhaust system resources by using all available memory, and causing swap space to grow large enough to cause the system to run out of allotted storage. This behavior persists through reboots as the database is stored on disk and lsd is launched at startup.

Beyond this denial-of-service impact of the host, Tenable is unaware of any further impact this attack vector may allow. Since it appears that the database lsd uses is available from userspace and given the lack of size limitations, it may be possible for a dedicated attacker to abuse this functionality as a persistence mechanism for malware or other attacks, but would have to have some other attack vector in order to use this functionality.

Apple has disputed this as a security vulnerability as they believe it is a simple case of resource exhaustion. While Tenable researchers agree that this is a low-severity and non-serious issue, we believe that this issue poses security risk - even if minimal - and could be fixed simply by adding some sort of upper bounds to LSDatabase entries or other similar mitigation to prevent resource exhaustion.

Solution

There is no known solution or mitigation for this issue.

Disclosure Timeline

April 24, 2019 - Tenable discovers flaw.
May 2, 2019 - Tenable discloses to Apple.
May 2, 2019 - Apple sends automatic acknowledgement.
May 10, 2019 - Apple sends formal acknowledgement.
May 17, 2019 - Tenable requests status update.
May 22, 2019 - Apple requests proof of concept.
May 23, 2019 - Tenable requests clarification of above request.
May 23, 2019 - Apple provides clarification.
May 24, 2019 - Tenable responds to Apple that a new proof of concept will be submitted on Tuesday, May 28, 2019.
May 28, 2019 - Apple checks in on PoC.
May 29, 2019 - Tenable sends PoC.
May 31, 2019 - Apple acknowledges PoC.
June 18, 2019 - Tenable requests update.
June 19, 2019 - Apple rejects submission.
June 19, 2019 - Tenable requests permission to publish details ahead of 90 day schedule since no fix is planned.
July 1, 2019 - Apple requests publication details and clarification.
July 3, 2019 - Tenable provides clarification.
July 16, 2019 - Tenable requests status update.
July 30, 2019 - Tenable requests status update.
July 30, 2019 - Apple disputes report as having no security impact.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2019-38
Credit:
Jimi Sebree
CVSSv2 Base / Temporal Score:
4.9 / 4.0
CVSSv2 Vector:
AV:L/AC:L/Au:N/C:N/I:N/A:C
Affected Products:
macOS
Risk Factor:
Medium

Advisory Timeline

August 2, 2019 - Initial release.