PS command causes implant on Darwin to spin the CPU at 100% indefinitely #1736
Description
Describe the bug
When SSH is enabled and at least one user is logged in via SSH on Mac OS, the ps command and other commands that rely on ps (e.g. cursed chrome) will time out while spinning the CPU at 100% indefinitely.
To Reproduce
Steps to reproduce the behavior:
- Enable SSH server on the Mac OS machine.
- Ensure there is at least one user logged into the machine via SSH.
- Run implant on this machine.
- Execute the ps command from the Sliver Console.
- The RPC call will time out due to an infinite loop in implant/sliver/ps/ps_darwin.go#L248.
- Every time a ps command is issued under these circumstances, a goroutine is created on the implant stressing the CPU at 100%.
Desktop (please complete the following information):
- OS: Mac OS 14 Sonoma
- Reproduced on v1.5.42 and the master branch, assuming the issue exists in all versions based on the change log of ps_darwin.go.
Additional context
I further investigated this issue. It turns out the getArgvFromPid function is stuck at processes like sshd: admin@ttys002, which only appear when users are logged into the system via SSH.
Here's the buffer returned from the sysctl system call. Notice the character between sshd: and admin@ttys002 is a space, not NULL.

The loop that follows the system call expects to parse 3 arguments from the buffer, but there are only 2 null-terminated strings in it. The loop keeps looking for the next null-terminated string even though none are left. It is worth noting that the buffer has a size of kern.argmax, which defaults to 1M on my machine.
To make the problem worse, at line 251 the loop continues even when an error occurs while reading from the buffer, such as EOF.
This issue should be an easy fix. I will open a PR in a bit.
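The failure mode described above (a loop bounded only by argc that keeps reading after EOF) is easy to reproduce against a constructed buffer. The following is an added illustration, not code from the Sliver repository: it assumes the usual KERN_PROCARGS2 layout (a native-endian int32 argc, the NUL-terminated executable path, NUL padding, then argv strings) and little-endian byte order, and it bounds the argv loop by EOF as well as by argc so that a process whose title was rewritten (argc says 3, only one NUL-terminated string is present) returns what was found instead of spinning. The `procArgsBuffer` helper and the two sample buffers are constructed test data, not real sysctl output.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"strings"
)

// parseProcArgs extracts argv from a KERN_PROCARGS2-style buffer:
// int32 argc, the executable path (NUL-terminated), zero or more NUL
// padding bytes, then argc NUL-terminated argv strings (the environment
// that follows is ignored). The argv loop stops on EOF, so a buffer that
// holds fewer strings than argc promises cannot keep it running forever.
func parseProcArgs(buf []byte) ([]string, error) {
	if len(buf) < 4 {
		return nil, errors.New("procargs buffer too short for argc")
	}
	// Assumption: little-endian host (Darwin on x86-64 and arm64).
	argc := int(binary.LittleEndian.Uint32(buf[:4]))
	r := bufio.NewReader(bytes.NewReader(buf[4:]))

	// Executable path; it is not part of argv.
	if _, err := r.ReadString(0); err != nil {
		return nil, fmt.Errorf("reading exec path: %w", err)
	}
	// Skip the NUL padding between the exec path and argv[0].
	for {
		b, err := r.ReadByte()
		if err != nil {
			return nil, fmt.Errorf("skipping padding: %w", err)
		}
		if b != 0 {
			_ = r.UnreadByte()
			break
		}
	}

	args := []string{}
	for len(args) < argc {
		s, err := r.ReadString(0)
		if errors.Is(err, io.EOF) {
			// Fewer strings than argc: keep an unterminated tail, then stop.
			if s != "" {
				args = append(args, s)
			}
			break
		}
		if err != nil {
			return args, err
		}
		args = append(args, strings.TrimSuffix(s, "\x00"))
	}
	return args, nil
}

// procArgsBuffer builds a constructed buffer in the layout above.
// It is sample data for this example, not a real sysctl result.
func procArgsBuffer(argc uint32, execPath string, strs ...string) []byte {
	var b bytes.Buffer
	_ = binary.Write(&b, binary.LittleEndian, argc)
	b.WriteString(execPath)
	b.Write([]byte{0, 0, 0}) // terminator plus padding
	for _, s := range strs {
		b.WriteString(s)
		b.WriteByte(0)
	}
	return b.Bytes()
}

// Constructed shape of the reported case: argc says 3, but the daemon has
// overwritten its argv area with the single title "sshd: admin@ttys002".
var sshdLikeBuffer = procArgsBuffer(3, "/usr/sbin/sshd", "sshd: admin@ttys002")

// Constructed well-formed process: argc=2 followed by one environment entry.
var lsLikeBuffer = procArgsBuffer(2, "/bin/ls", "ls", "-la", "HOME=/tmp")

func main() {
	for name, buf := range map[string][]byte{"ls": lsLikeBuffer, "sshd": sshdLikeBuffer} {
		args, err := parseProcArgs(buf)
		fmt.Printf("%s: argv=%q err=%v\n", name, args, err)
	}
}
```

The decisive difference from the behaviour in the report is the EOF branch: once the reader is exhausted, a `ReadString(0)` that returns an error with no progress must end the loop rather than be skipped with `continue`, otherwise the goroutine never exits and each new ps call adds another one.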
