October’s macOS security update contained a fix for a vulnerability that Trend Micro privately disclosed to Apple earlier this year. The vulnerability (designated as CVE-2017-13811) was in the fsck_msdos system tool. This tool checks for and fixes errors in devices formatted with the FAT filesystem, and is automatically invoked by macOS when a device using FAT (such as a USB disk or an SD card) is inserted.
The vulnerability allows arbitrary code to be executed with system-level privileges, which potentially lets a malicious device (such as the mentioned flash disks or SD cards) take over the entire system when the said device is inserted into the vulnerable system. We do not believe that this attack has been used in the wild. We strongly recommend that users update their software to address this flaw, as well as the others that were part of this update cycle.
Figure 1. Error message when a malicious USB device is inserted
The bug lies in the following code, which we’ve taken from Android’s source code repository:
for (k = 7; k >= 0 && dirent.name[k] == ' '; k--)
    dirent.name[k] = '\0';
If the entire 8-byte name field consists of spaces, the loop trims every position and exits with k equal to -1.
if (dirent.name[k] != '\0')
    k++;
Here dirent.name[-1] is the last byte of child, the pointer member that immediately precedes name in the dosDirEntry structure. On little-endian systems this byte holds the most significant bits of the address, which is often '\0'. In that case the condition is false, k is never incremented, and its value remains -1.
if (p[8] != ' ')
    dirent.name[k++] = '.';
for (j = 0; j < 3; j++)
    dirent.name[k++] = p[j+8];
With k still at -1, these writes land in the high byte of the child pointer, which can therefore be overwritten with an attacker-chosen value so that child points to a different address. If that address has been sprayed with a malformed dosDirEntry structure, arbitrary code execution becomes possible. This can potentially allow an attacker to take over the vulnerable device.
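To make the index underflow concrete, the following is an added example (not fsck_msdos code) that models the 8.3 name conversion described above: a guard byte stands in for the top byte of the child pointer that precedes name in dosDirEntry, and a hardened variant with an added bounds check (our own check, not Apple’s patch) rejects an all-space base name before k can be used as an index.

```c
#include <string.h>
/* Constructed model of the 8.3 name build in fsck_msdos dir.c (added example).
 * buf[0] stands in for the byte just before dosDirEntry.name: the top byte of
 * the `child` pointer on little-endian. name = buf + 1, so name[-1] is defined. */
struct entry_model {
    char buf[1 + 13];   /* guard byte + 8.3 name + NUL */
};
/* Copy the 8-char base name and trim trailing spaces; k ends at -1 if all spaces. */
static int copy_base(char *name, const unsigned char *p)
{
    int j, k;
    for (j = 0; j < 8; j++)
        name[j] = (char)p[j];
    name[8] = '\0';
    for (k = 7; k >= 0 && name[k] == ' '; k--)
        name[k] = '\0';
    return k;
}
/* Append '.' and the 3-char extension at index k, as the quoted loops do. */
static int append_ext(char *name, int k, const unsigned char *p)
{
    int j;
    if (p[8] != ' ')
        name[k++] = '.';
    for (j = 0; j < 3; j++)
        name[k++] = (char)p[j + 8];
    name[k] = '\0';
    return k;
}
/* Vulnerable path: p is the 11-byte on-disk "NAME    EXT"; returns final k. */
static int convert_83_vulnerable(struct entry_model *e, const unsigned char *p)
{
    char *name = e->buf + 1;
    int k = copy_base(name, p);
    if (name[k] != '\0')           /* k == -1: reads the guard (pointer top byte) */
        k++;
    return append_ext(name, k, p); /* k == -1: '.' is written into the guard */
}
/* Hardened path (own check, not the vendor fix): reject an all-space base name. */
static int convert_83_hardened(struct entry_model *e, const unsigned char *p)
{
    char *name = e->buf + 1;
    int k = copy_base(name, p);
    if (k < 0)
        return -1;
    if (name[k] != '\0')
        k++;
    return append_ext(name, k, p);
}
```

Running the vulnerable path on a constructed entry whose base name is eight spaces overwrites the guard byte with '.', while the hardened path returns -1 and leaves it untouched.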
The same tool is used in other BSD-based operating systems, as well as Android. While we disclosed this vulnerability to other vendors, we have not received a reply as of this time. Google has marked this bug as one they will not fix in Android, as “fsck_msdos runs under a very restricted SELinux domain.” They are currently investigating how to address this issue in a future version of the operating system. IT administrators may want to consider restricting USB access to devices, as this method is frequently used to allow malware to enter systems. Physical controls may be considered for especially sensitive devices.