A XNU race condition in vm_map_copy_overwrite_unaligned allows writing to read-only mappings.
d28599b3adaf36ddb22cc63b493aedbe6d4bd9c80ab19441c0799cf163fd9d83XNU VM suffers from a copy-on-write bypass vulnerability due to incorrect shadow creation logic used during unaligned vm_map_copy operations.
5a1b882267ecf571c7ea7314e620f51e45be202a17fa7c8a02fcea5a7a5b3641XNU suffers from a vm_object use-after-free vulnerability due to invalid error handling in vm_map_enter.
5ef6c77b173e377d874346d025662d6a74af50dd2789a4af20f0430f362f87dfXNU suffers from a dangling PTE entry due to integer truncation when collapsing vm_object shadow chains.
29e4042cd9a0b7666d0b7fda5c45703a1a078adf7f5202670b30f28e36559698launchd suffers from a heap corruption vulnerability due to incorrect rounding in launch_data_unpack.
5728e5ebf948c4d9fcd1bcdca177b71ce40167df17cbb2d5d1900427d642880fThe XNU kernel suffers from a use-after-free vulnerability in mach_msg.
2f6301f083bee339053850c19d2a821eb5bf15e94079651382aba5531646e6f1XNU suffers from a network stack kernel heap overflow due to an out-of-bounds memmove in 6lowpan. Proof of concept code included.
a1d06d7c40ef5cee75dbfed56b2263d072ffb407a0a5a9ac79847d59421ad896A radio proximity kernel memory corruption vulnerability exists in iOS and macOS due to bad state machine in BSS steering.
9e6c28acc2dc2cdb2acc5704dda5595cbbba3c80139500e4fad8a275eaa86716The XNU kernel suffers from a memory disclosure vulnerability in mach message trailers.
642f39fd92a5ac4ffb770427ffb354a2a9fadfb25d5b0622ea37837653fb0f84The XNU kernel suffers from a type confusion vulnerability in turnstiles.
d3d2bb641fe186858d248f07b853338f4be5d90e81441c7f7abebd7540ae579cThis Metasploit module exploits a JIT optimization bug in Safari Webkit. This allows us to write shellcode to an RWX memory section in JavaScriptCore and execute it. The shellcode contains a kernel exploit (CVE-2016-4669) that obtains kernel rw, obtains root and disables code signing. Finally we download and execute the meterpreter payload. This module has been tested against iOS 7.1.2 on an iPhone 4.
8ca4b125e9aba514f4d2bd3c12b5189f4dceafcaab577262cc602a11c87480fbiOS and macOS suffered from a wifi proximity kernel double-free vulnerability in AWDL BSS Steering.
185ed329e279974bff794995bb28d911a3d0487fe537cf5e9f91c71beea77fb6A remote iOS / macOS heap corruption issue exists due to insufficient bounds checking in AWDL.
1e68cf9915d34a1e26c5b0144404e1b0fe8b04f018d7bdc8675b27fbd497f2c1The Samsung kernel suffers from a heap out-of-bounds write in /dev/tsmux.
cfdc74006e656bf14b792a3ef9b9b45e5579d2eed455326e014482691d8ebf38XPC fast path fails to ensure NULL termination of XPC strings, leading to memory disclosure and corruption vulnerabilities in XPC services.
177cb639e6a25a5904e8f4f9ae68c987f945f93207a3d09333a7ea42bc47e766launchd on macOS and iOS suffer from a memory corruption issue due to a lack of bounds checking when parsing XPC messages.
13c83122693a08ee0f24211a2e669324b5b58b62191c82afb69d83c51fdecf4aAn insufficient fix for CVE-2019-6205 means XNU vm_map_copy optimization which requires atomicity still is not atomic.
64852008642517c7a6286853a18dc6ef2a98bff2e171d9812bbe7c77a11b7b7diOS suffers from a sandbox escape vulnerability due to an integer overflow in mediaserverd.
2b4a9f24dc9fb9fa02db02c8a4e93a710241e3d12f49d9ae097344a6df912908This Metasploit module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The type confusion leads to the ability to allocate fake Javascript objects, as well as the ability to find the address in memory of a Javascript object. This allows us to construct a fake JSCell object that can be used to read and write arbitrary memory from Javascript. The module then uses a ROP chain to write the first stage shellcode into executable memory within the Safari process and kick off its execution. The first stage maps the second stage macho (containing CVE-2017-13861) into executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake exploit leads to a kernel task port (TFP0) that can read and write arbitrary kernel memory. The processes credential and sandbox structure in the kernel is overwritten and the meterpreter payloads code signature hash is added to the kernels trust cache, allowing Safari to load and execute the (self-signed) meterpreter payload.
ac8550e0b0dd814a249c313353fcb65341e18bb2e59885151b0cffac8172e060iOS and MacOS suffer from a kernel heap overflow in PF_KEY due to lack of bounds checking when retrieving statistics.
bdaf091fad9a237fd95f4fa168b1b385cfb161f48fc179a6801b4e62a8099278XNU vm_map_copy optimization which requires atomicity is not atomic. This violates the semantics of mach message OOL memory, and leads to TOCTOU issues which can lead to memory corruption.
b373ad17106c25ccfb2435934691e9a515824d6d61c83d2a4930737e86b27e33iOS and MacOS suffers from sandbox escape vulnerabilities due to type confusions and memory safety issues in iohideventsystem.
b146623feeb4a1369ee8ad78d27a529480b21c17737e192ad3c2686b0448d8cblibxpc on MacOS version 10.14.1 suffers from an arbitrary mach port name deallocation in XPC services due to invalid mach message parsing in _xpc_serializer_unpack.
861787c4c8e28e6258f60f01561930d07585075db06c25a1f80b7aadb5eeb770The Apple Intel GPU driver suffers from use-after-free and double-delete issues due to bad locking.
4d6791432618061cb975059371e237f9a46d82d2bec01d12172ccd55d321b85diOS and macOS suffers from a sandbox escape due to trusted length field in shared memory used by the HID event subsystem.
9f92e17a4bc90ee3be401ed5757d7b0662a8fcc83025305c4d6a1dcfb6c4d537
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Subscribe to an RSS Feed