XNU suffers from a network stack kernel heap overflow due to an out-of-bounds memmove in 6lowpan. Proof of concept code included.
9333b7751aa7686ac0ca4c62a49c3d4eA radio proximity kernel memory corruption vulnerability exists in iOS and macOS due to bad state machine in BSS steering.
5ff730e5556e80e223e58b23eca60fa1The XNU kernel suffers from a memory disclosure vulnerability in mach message trailers.
fd485ea94f3d1c1a1348a97feddde88bThe XNU kernel suffers from a type confusion vulnerability in turnstiles.
a0391836c332c430261f0d75f705ed5aiOS and macOS suffered from a wifi proximity kernel double-free vulnerability in AWDL BSS Steering.
cdd1c47241bd866a69b6c59cc0b23828A remote iOS / macOS heap corruption issue exists due to insufficient bounds checking in AWDL.
bf5b45700458564cfc6029e73e8906ecThe Samsung kernel suffers from a heap out-of-bounds write in /dev/tsmux.
00005339bd5f67a8a2ca1f91df549119XPC fast path fails to ensure NULL termination of XPC strings, leading to memory disclosure and corruption vulnerabilities in XPC services.
0f1657d7f62dc322829fee09424c0e5claunchd on macOS and iOS suffer from a memory corruption issue due to a lack of bounds checking when parsing XPC messages.
1214e0a3adca8432caea6990153f7571An insufficient fix for CVE-2019-6205 means XNU vm_map_copy optimization which requires atomicity still is not atomic.
f8e6dfd4187cd8bfbcbdada394e14738iOS suffers from a sandbox escape vulnerability due to an integer overflow in mediaserverd.
2596a26960f328e0ae84af2d60d2f0d1This Metasploit module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The type confusion leads to the ability to allocate fake Javascript objects, as well as the ability to find the address in memory of a Javascript object. This allows us to construct a fake JSCell object that can be used to read and write arbitrary memory from Javascript. The module then uses a ROP chain to write the first stage shellcode into executable memory within the Safari process and kick off its execution. The first stage maps the second stage macho (containing CVE-2017-13861) into executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake exploit leads to a kernel task port (TFP0) that can read and write arbitrary kernel memory. The processes credential and sandbox structure in the kernel is overwritten and the meterpreter payloads code signature hash is added to the kernels trust cache, allowing Safari to load and execute the (self-signed) meterpreter payload.
394148cda471deeb3abbfdccf622fa46iOS and MacOS suffer from a kernel heap overflow in PF_KEY due to lack of bounds checking when retrieving statistics.
09930d55fbbd4be1e53ae5ebe0b2a4bfXNU vm_map_copy optimization which requires atomicity is not atomic. This violates the semantics of mach message OOL memory, and leads to TOCTOU issues which can lead to memory corruption.
de2284e251a10f0384f76a0857085c48iOS and MacOS suffers from sandbox escape vulnerabilities due to type confusions and memory safety issues in iohideventsystem.
182ae62c76265741d73f711225502a7flibxpc on MacOS version 10.14.1 suffers from an arbitrary mach port name deallocation in XPC services due to invalid mach message parsing in _xpc_serializer_unpack.
5aaf10f078ba260537df0d15456c6e15The Apple Intel GPU driver suffers from use-after-free and double-delete issues due to bad locking.
b351e27cbcb6569d7e176048b1d1639fiOS and macOS suffers from a sandbox escape due to trusted length field in shared memory used by the HID event subsystem.
d02085ca3eebe96590a6bfad12954bf6iOS suffers from a kernel stack memory disclosure due to failure to check copyin return value.
dabae5d2d2f7dfbc02093d00e56e96e6iOS and macOS suffer from a sandbox escape vulnerability due to failure to comply with MIG object lifetime semantics in the iohideventsystem_client subsystem.
b9de50e80a2ea80f7f9468bd16b597e3iOS and macOS suffer from sandbox escape vulnerabilities due to MIG failing to use correct out-of-line descriptor lengths when parsing reply messages.
4f22a8f810b85991d35e76ab7b9861b4iOS and macOS suffers from a kernel memory corruption vulnerability due to integer overflow in IOHIDResourceQueue::enqueueReport.
eaf771ae19474d20de705e51b77b51d3iOS and macOS suffers from a sandbox escape vulnerability due to mach message sent from shared memory.
212667e2b57588da87c0742e251ac563The iOS kernel suffers from a use-after-free vulnerability due to bad error handling in personas.
00aa8ae882f2b6020f3e4a12749da1eeThe macOS and iOS kernels suffer from a heap overflow due to a lack of lower size check in getvolattrlist.
8bc2ddee4be107c0fed7f5978e377f2c
© 2020 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed