Opening userclient type 12 of IOSCSIPeripheralDeviceType00 leads to an exploitable kernel NULL dereference.
28a95b498e79b6f046637fef1058c83fb6eef97a32bfe058d4b061c8cc843127
The iOS kernel suffers from a use-after-free vulnerability in AppleOscarCompass.
07c89757d7e1a727b6c919c8d09c684989b89529f2c1b57792b91afdea65dac4
Wireshark suffers from a heap-based out-of-bounds read in Nettrace_3gpp_32_423_file_open.
30c5fd467a4934f18f3002d895ae08ab809c752d604ce260d4c2b9806572e0c2
Kleefa version 1.7 suffers from cross-site scripting and remote SQL injection vulnerabilities.
6afa623b152f53f185b3213c10ba71f75b86b70cc8b0e22cfe154198573032ec
The _ool variations of the IOKit device.defs functions all incorrectly deal with error conditions. If you run the mig tool on device.defs you can see the source of the kernel-side MIG handling code.
c4f8daf502963ad5eece0728838a97dbed83ae3ccd4fed0c0d0ea4932020c23d
Wireshark suffers from an out-of-bounds read in Hiqnet_display_data.
f49e05ff312ad06b95375d1199dbbab1e9bfcbb21e26eac3a2618a8ef490d826
The iOS kernel suffers from a use-after-free vulnerability in AppleOscarAccelerometer.
f847b2c8805bf3af8196f69a53844b188d41d842f188dcb391ae8fdd35e8c3db
iOS / OS X kernels suffer from a use-after-free / double free vulnerability due to lack of locking in IOHDIXControllerUserClient::clientClose.
adb1b7847f70f13cf0c6ea874eee96b6c0668190e0c8da0a1d59183341cb8770
com.apple.audio.coreaudiod is reachable from various sandboxes, including the Safari renderer. coreaudiod is sandboxed and runs as its own user; nevertheless, it has access to various other interesting attack surfaces which Safari doesn't, allowing this bug to potentially form part of a full sandbox escape chain.
040c5bc4ee814b9abdf174150d4582e8d233b7e6ea6fe2992ae37f08d1dc46e2
IOBluetoothHCIUserClient uses an IOCommandGate to dispatch external methods; it passes a pointer to the structInput of the external method as arg0 and ::SimpleDispatchWL as the Action. It neither passes nor checks the size of that structInput, and SimpleDispatchWL goes on to read the field at +0x70 of the structInput.
c56f8e5cc82da06ddca32f877f2fa338106ff32a8c69efe2c67b6ac5c6b5196a
The hv_space lock group gets an extra ref dropped when you kill a process with an AppleHV userclient: once via IOService::terminateWorker calling the AppleHVClient::free method (which calls lck_rw_free on the lock group using the pointer hanging off the global _hv variable), and again via the hypervisor machine_thread_destroy callback (hv_callback_thread_destroy), which also calls lck_rw_free with a lock group pointer taken from _hv.
05bbdc4f970de720232f0fe75333057f8dbe21b2c91a3d821e577be39c6aed9b
The external method 0x206 of IGAccelGLContext is gst_configure. This method takes an arbitrary sized input structure (passed in rsi) but doesn't check the size of that structure (passed in rcx).
e94e24fe8cba2913f917f0f60d22c0acf21be5b012b6f82c3594d9dd86932b95
Pdfium suffers from a heap-based out-of-bounds read in Opj_jp2_apply_pclr (libopenjpeg).
97247ca7bd5dbf856539b4911c7436201d602271e02e9af4f663fa3fc5efda7a
iOS / OS X suffer from a kernel double free due to lack of locking in IOKit registry iterator manipulation.
8165a567612f28c0b556478f27c6f67dcb0caeb69b674c8e9e622681a9e157de
The iOS kernel suffers from a use-after-free vulnerability in IOReportHub.
372880071edb71ad2025e05e64439b5087b17a0a293d3814c5d4fbabdcbcdc0d
Wireshark suffers from a heap-based out-of-bounds read in Dissect_ber_constrained_bitstring.
629dc30b18484b20b8be6555ca4819e49f96bc1ce8b28537cc9772f20bfea7a8
The iOS kernel suffers from a use-after-free vulnerability in AppleOscarCMA.
4640878ce067410ae3596bf74bbbfd8ccf473388034000bd3f132d57616e2107
The field at IntelAccelerator+0xe60 is a pointer to a GSTContextKernel allocated in the ::gstqCreateInfoMethod. In the ::start method this field is initialized to NULL. The IGAccelDevice external method gst_configure (0x206) calls gstqConfigure which doesn't check whether the GSTContextKernel pointer is NULL, therefore by calling this external method before calling any others which allocate the GSTContextKernel we can cause a kernel NULL pointer dereference. The GSTContextKernel structure contains pointers, one of which eventually leads to control of a kernel virtual method call. This PoC will kernel panic calling 0xffff800041414141.
9ba4909584ef4a22ac3f38fbff2047915ff0e5cb4a39226d02f5540d8bac2d54
It turns out that the spoofed no-more-senders notification bug when applied to iokit objects was actually just a more complicated way to hit ::clientClose in parallel. You can in fact do this very simply by calling IOServiceClose on two threads. Like the spoofed notifications this leads to many bugs in many userclients, the exact nature of which depends on the semantics of the clientClose implementation.
25c87d331724c51d81b1658a116bd5e77ebeedb53b236aa9fe1efaac0e2a8831
iOS and OS X suffer from a kernel code execution vulnerability due to an integer overflow in NECP system control socket packet parsing.
a90f8ff051275e3a2763ebcc399a8891e5415fd85649de1e7df1f7d097d14c5e
iOS and OS X suffer from a kernel code execution vulnerability via double-delete in IOHIDEventQueue::start due to incorrect error handling.
6ac15af258a146b8752ac818073462c4ae8b5c574c8d1f8ee6cb3d0d6bc85d9f
Wireshark suffers from a stack-based out-of-bounds read in Iseries_check_file_type.
d6928b50237f7c73c00ae88d01280c9cb05194d807b3a8048e954dfd065e219d
WordPress Ultimate CSV Importer plugin version 3.8.6 suffers from a cross-site scripting vulnerability.
4071fb697a7d5576f5de1863e60fe165edb9a8eb8735fa56cb438d04c37fe470
The mach voucher subsystem fails to correctly handle spoofed no-more-senders messages. ipc_kobject_server will be called for mach messages sent to kernel-owned mach ports. If the msgh_id of the message can't be found in the mig_buckets hash table then this function calls ipc_kobject_notify. Note that this is the same code path which would be taken for a real no-more-senders notification message but there's nothing stopping user-space from also just sending one.
1042bf509240fef0a9ac35c0d9ae68166b05f9869f97a04609c7cfaf25873502
A bad patch for CVE-2015-3712 allows for code execution due to insufficient bounds checking in NVIDIA GeForce command buffer processing.
ee9c46d5821b8af0488acb255e77382b0306b6ba04c458cde11f5fab2f6efff2