Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

macOS LaunchServices Denial of Service

Medium

Synopsis

Tenable has discovered a possible vulnerability in the LaunchServices framework – the 'lsd' service in particular. The vulnerability is a local denial-of-service. We have verified this vulnerability is present on the latest versions of macOS at the time of this submission. This service is used to determine various behaviors during the launch of a given file or application. For example, file extension association.

In short, it does not appear that there is any size limitation applied to entries for the LSDatabase structure. As this structure is stored on disk, loaded into memory, and updated automatically as applicable files/structures hit the disk (such as being download from the internet, copied, etc.), this could lead to resource exhaustion on the host as well as a crash of the lsd service.

As an example scenario to reproduce this behavior:

  • Create and build sample Cocoa application via XCode
    • The application does not need any implemented functionality. The purpose of this is to create an appropriate app structure
  • Build and locate the sample app
  • In Info.plist (<app name>.app/Contents/Info.plist), ensure that there is data that lsd makes use of. For this example, we'll use CFBundleURLSchemes. See the following for an example Info.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>BuildMachineOSBuild</key>
<string>18A391</string>
<key>CFBundleDevelopmentRegion</key>
<string>en</string>
<key>CFBundleExecutable</key>
<string>test_app</string>
<key>CFBundleIdentifier</key>
<string>com.jimi.test-app</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>test_app</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleSupportedPlatforms</key>
<array>
<string>MacOSX</string>
</array>
<key>CFBundleURLTypes</key>
<array>
<dict>
<key>CFBundleURLName</key>
<string>com.foo.bar.dinobytes</string>
<key>CFBundleURLSchemes</key>
<array>
<data>
this_is_a_test_URL_scheme
</data>
</array>
</dict>
</array>
<key>CFBundleVersion</key>
<string>1</string>
<key>DTCompiler</key>
<string>com.apple.compilers.llvm.clang.1_0</string>
<key>DTPlatformBuild</key>
<string>10B61</string>
<key>DTPlatformVersion</key>
<string>GM</string>
<key>DTSDKBuild</key>
<string>18B71</string>
<key>DTSDKName</key>
<string>macosx10.14</string>
<key>DTXcode</key>
<string>1010</string>
<key>DTXcodeBuild</key>
<string>10B61</string>
<key>LSMinimumSystemVersion</key>
<string>10.14</string>
<key>NSHumanReadableCopyright</key>
<string>Copyright © 2019 James Sebree. All rights reserved.</string>
<key>NSMainStoryboardFile</key>
<string>Main</string>
<key>NSPrincipalClass</key>
<string>NSApplication</string>
</dict>
</plist>

  • Modify this file (the value of "this_is_a_test_URL_scheme" specifically in this scenario, though other fields also cause this issue) to be excessively large (in excess of a gig)
  • Copy and paste the entire app folder to trigger the issue. This can be triggered in many different ways, but for proof-of-concept purposes, a copy and paste will suffice.

As soon as the paste finishes, lsd will begin processing the app. It will copy the Info.plist into memory, store this excessively large value in memory, and subsequently store the values in the LSDatabase. Accessing this value, storing new values in memory, or just periodic checks within this service are enough to cause a segfault and crash the service, which causes launchd to spawn a new instance of lsd. This again loads the database into memory. Over time, this can exhaust system resources by using all available memory, and causing swap space to grow large enough to cause the system to run out of allotted storage. This behavior persists through reboots as the database is stored on disk and lsd is launched at startup.

Beyond this denial-of-service impact of the host, Tenable is unaware of any further impact this attack vector may allow. Since it appears that the database lsd uses is available from userspace and given the lack of size limitations, it may be possible for a dedicated attacker to abuse this functionality as a persistence mechanism for malware or other attacks, but would have to have some other attack vector in order to use this functionality.

Apple has disputed this as a security vulnerability as they believe it is a simple case of resource exhaustion. While Tenable researchers agree that this is a low-severity and non-serious issue, we believe that this issue poses security risk - even if minimal - and could be fixed simply by adding some sort of upper bounds to LSDatabase entries or other similar mitigation to prevent resource exhaustion.

Solution

There is no known solution or mitigation for this issue.

Disclosure Timeline

April 24, 2019 - Tenable discovers flaw.
May 2, 2019 - Tenable discloses to Apple.
May 2, 2019 - Apple sends automatic acknowledgement.
May 10, 2019 - Apple sends formal acknowledgement.
May 17, 2019 - Tenable requests status update.
May 22, 2019 - Apple requests proof of concept.
May 23, 2019 - Tenable requests clarification of above request.
May 23, 2019 - Apple provides clarification.
May 24, 2019 - Tenable responds to Apple that a new proof of concept will be submitted on Tuesday, May 28, 2019.
May 28, 2019 - Apple checks in on PoC.
May 29, 2019 - Tenable sends PoC.
May 31, 2019 - Apple acknowledges PoC.
June 18, 2019 - Tenable requests update.
June 19, 2019 - Apple rejects submission.
June 19, 2019 - Tenable requests permission to publish details ahead of 90 day schedule since no fix is planned.
July 1, 2019 - Apple requests publication details and clarification.
July 3, 2019 - Tenable provides clarification.
July 16, 2019 - Tenable requests status update.
July 30, 2019 - Tenable requests status update.
July 30, 2019 - Apple disputes report as having no security impact.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,275.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.