OS X suffers from a privilege escalation vulnerability due to XPC type confusion in sysmond.
84ce6959cd03e4fc99b8bddfeb6aeb14ae2f9faa1682d524c3ff80126ea1fdfeThe iOS kernel suffers from a use-after-free vulnerability in IOHIDEventService.
0993c62c9d7d3b84cf8014c889265e8630d8eb77eb33686a24adc235d64af0f7Opening userclient type 12 of IOSCSIPeripheralDeviceType00 leads to an exploitable kernel NULL dereference.
28a95b498e79b6f046637fef1058c83fb6eef97a32bfe058d4b061c8cc843127The iOS kernel suffers from a use-after-free vulnerability in AppleOscarCompass.
07c89757d7e1a727b6c919c8d09c684989b89529f2c1b57792b91afdea65dac4The _ool variations of the IOKit device.defs functions all incorrectly deal with error conditions. If you run the mig tool on device.defs you can see the source of the kernel-side MIG handling code.
c4f8daf502963ad5eece0728838a97dbed83ae3ccd4fed0c0d0ea4932020c23dThe iOS kernel suffers from a use-after-free vulnerability in AppleOscarAccelerometer.
f847b2c8805bf3af8196f69a53844b188d41d842f188dcb391ae8fdd35e8c3dbiOS / OS X kernels suffer from a use-after-free / double free vulnerability due to lack of locking in IOHDIXControllUserClient:clientClose.
adb1b7847f70f13cf0c6ea874eee96b6c0668190e0c8da0a1d59183341cb8770IOBluetoothHCIUserClient uses an IOCommandGate to dispatch external methods; it passes a pointer to the structInput of the external method as arg0 and ::SimpleDispatchWL as the Action. It neither passes nor checks the size of that structInput, and SimpleDispatchWL goes on to read the field at +0x70 of the structInput.
c56f8e5cc82da06ddca32f877f2fa338106ff32a8c69efe2c67b6ac5c6b5196aThe hv_space lock group gets an extra ref dropped when you kill a process with an AppleHV userclient; one via IOService::terminateWorker calling the AppleHVClient::free method (which calls lck_rw_free on the lock group using the pointer hanging off the global _hv variable) and secondly via the hypervisor machine_thread_destroy callback (hv_callback_thread_destroy) which also calls lck_rw_free with a lock group pointer taken from _hv.
05bbdc4f970de720232f0fe75333057f8dbe21b2c91a3d821e577be39c6aed9bThe external method 0x206 of IGAccelGLContext is gst_configure. This method takes an arbitrary sized input structure (passed in rsi) but doesn't check the size of that structure (passed in rcx).
e94e24fe8cba2913f917f0f60d22c0acf21be5b012b6f82c3594d9dd86932b95iOS / OS X suffer from a kernel double free due to lack of locking in Iokit registry iterator manipulation.
8165a567612f28c0b556478f27c6f67dcb0caeb69b674c8e9e622681a9e157deThe iOS kernel suffers from a use-after-free vulnerability in IOReportHub.
372880071edb71ad2025e05e64439b5087b17a0a293d3814c5d4fbabdcbcdc0dThe iOS kernel suffers from a use-after-free vulnerability in AppleOscarCMA.
4640878ce067410ae3596bf74bbbfd8ccf473388034000bd3f132d57616e2107The field at IntelAccelerator+0xe60 is a pointer to a GSTContextKernel allocated in the ::gstqCreateInfoMethod. In the ::start method this field is initialized to NULL. The IGAccelDevice external method gst_configure (0x206) calls gstqConfigure which doesn't check whether the GSTContextKernel pointer is NULL, therefore by calling this external method before calling any others which allocate the GSTContextKernel we can cause a kernel NULL pointer dereference. The GSTContextKernel structure contains pointers, one of which eventually leads to control of a kernel virtual method call. This PoC will kernel panic calling 0xffff800041414141.
9ba4909584ef4a22ac3f38fbff2047915ff0e5cb4a39226d02f5540d8bac2d54It turns out that the spoofed no-more-senders notification bug when applied to iokit objects was actually just a more complicated way to hit ::clientClose in parallel. You can in fact do this very simply by calling IOServiceClose on two threads. Like the spoofed notifications this leads to many bugs in many userclients, the exact nature of which depends on the semantics of the clientClose implementation.
25c87d331724c51d81b1658a116bd5e77ebeedb53b236aa9fe1efaac0e2a8831iOS and OS X suffers from a kernel code execution vulnerability due to an integer overflow in NECP system control socket packet parsing.
a90f8ff051275e3a2763ebcc399a8891e5415fd85649de1e7df1f7d097d14c5eiOS and OS X suffer from a kernel code execution vulnerability via double-delete in IOHIDEventQueue:start due to incorrect error handling.
6ac15af258a146b8752ac818073462c4ae8b5c574c8d1f8ee6cb3d0d6bc85d9fThe mach voucher subsystem fails to correctly handle spoofed no-more-senders messages. ipc_kobject_server will be called for mach messages sent to kernel-owned mach ports. If the msgh_id of the message can't be found in the mig_buckets hash table then this function calls ipc_kobject_notify. Note that this is the same code path which would be taken for a real no-more-senders notification message but there's nothing stopping user-space from also just sending one.
1042bf509240fef0a9ac35c0d9ae68166b05f9869f97a04609c7cfaf25873502A bad patch for CVE-2015-3712 allows for code execution due to insufficient bounds checking in nvidia GeForce command buffer processing.
ee9c46d5821b8af0488acb255e77382b0306b6ba04c458cde11f5fab2f6efff2IOUserClient::connectClient is an obscure IOKit method which according to the docs is supposed to "Inform a connection of a second connection." In fact IOKit provides no default implementation and only a handful of userclients actually implement it, and it's pretty much up to them to define the semantics of what "informing the connection of a second connection" actually means. One of the userclients which implements connectClient is IOAccelContext2 which is the parent of the IGAccelContext userclient family (which are the intel GPU accelerator userclients.) IOUserClient::connectClient is exposed to userspace as IOConnectAddClient.
e6b28ef3cbbacff31eb961ab63d921cbf6e4a18a44fb51c2925eaa646004d804The iOS kernel suffers from a use-after-free vulnerability in AppleOscarGyro.
4e06593eee3ee14b6e919071b2131a9da0f8320a680e792d7ad5ff9d7dbc3557Method 5 of the IOHDIXController user client is createDrive64. This takes a 0x10 0 byte structure input from which it reads a userspace pointer and a size which it passes to IOHDIXController::convertClientBuffer. This wraps the memory pointed to by the userspace pointer in an IOMemoryDescriptor then takes the user-provided size, casts it to a 32-bit type and adds one. It passes that value to IOMalloc. By passing a size of 0xffffffff we can cause an integer overflow and IOMalloc will be passed a size of 0. IOMalloc falls through to kalloc which will quite happily make a 0-sized allocation for us and return a valid, writable kernel heap pointer.
7c1b4d44f576a45333e8a5f38a438bc7780560237ca558e684660c3e2a87a9cbnetworkd is the system daemon which implements the com.apple.networkd XPC service. It's unsandboxed but runs as its own user. com.apple.networkd is reachable from many sandboxes including the Safari WebProcess and ntpd (plus all those which allow system-network). networkd parses quite complicated XPC messages and there are many cases where xpc_dictionary_get_value and xpc_array_get_value are used without subsequent checking of the type of the returned value.
8f3b0d4e8a89ad64284b0b7f58567f82fed3eee85dac017382e0f65c2b11a7e5The Exynos Seiren Audio driver has a device endpoint (/dev/seiren) that is accessible by either the system user or the audio group (such as the mediaserver). It was found that the write() implementation for this driver contains a buffer overflow vulnerability that overflows a static global buffer.
faf34e337128765e7e7cd244e5054952422e46472fdd20baad4de151245624d7OS X Regex Engine (TRE) suffers from integer signedness and overflow issues.
c4c0f4887f90a7b044ece2c30e99c3551cdccd98d07ef1bb542fc7bca4fc060e
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed