Opening userclient type 12 of IOSCSIPeripheralDeviceType00 leads to an exploitable kernel NULL dereference.
28a95b498e79b6f046637fef1058c83fb6eef97a32bfe058d4b061c8cc843127The iOS kernel suffers from a use-after-free vulnerability in AppleOscarCompass.
07c89757d7e1a727b6c919c8d09c684989b89529f2c1b57792b91afdea65dac4Wireshark suffers from a heap-based out-of-bounds read in Nettrace_3gpp_32_423_file_open.
30c5fd467a4934f18f3002d895ae08ab809c752d604ce260d4c2b9806572e0c2Kleefa version 1.7 suffers from cross site scripting and remote SQL injection vulnerabilities.
6afa623b152f53f185b3213c10ba71f75b86b70cc8b0e22cfe154198573032ecThe _ool variations of the IOKit device.defs functions all incorrectly deal with error conditions. If you run the mig tool on device.defs you can see the source of the kernel-side MIG handling code.
c4f8daf502963ad5eece0728838a97dbed83ae3ccd4fed0c0d0ea4932020c23dWireshark suffers from an out-of-bounds read in Hiqnet_display_data.
f49e05ff312ad06b95375d1199dbbab1e9bfcbb21e26eac3a2618a8ef490d826The iOS kernel suffers from a use-after-free vulnerability in AppleOscarAccelerometer.
f847b2c8805bf3af8196f69a53844b188d41d842f188dcb391ae8fdd35e8c3dbiOS / OS X kernels suffer from a use-after-free / double free vulnerability due to lack of locking in IOHDIXControllUserClient:clientClose.
adb1b7847f70f13cf0c6ea874eee96b6c0668190e0c8da0a1d59183341cb8770com.apple.audio.coreaudiod is reachable from various sandboxes including the Safari renderer. coreaudiod is sandboxed and runs as its own user, nevertheless it has access to various other interesting attack surfaces which safari doesn't, allowing this bug to potentially form part of a full sandbox escape chain.
040c5bc4ee814b9abdf174150d4582e8d233b7e6ea6fe2992ae37f08d1dc46e2IOBluetoothHCIUserClient uses an IOCommandGate to dispatch external methods; it passes a pointer to the structInput of the external method as arg0 and ::SimpleDispatchWL as the Action. It neither passes nor checks the size of that structInput, and SimpleDispatchWL goes on to read the field at +0x70 of the structInput.
c56f8e5cc82da06ddca32f877f2fa338106ff32a8c69efe2c67b6ac5c6b5196aThe hv_space lock group gets an extra ref dropped when you kill a process with an AppleHV userclient; one via IOService::terminateWorker calling the AppleHVClient::free method (which calls lck_rw_free on the lock group using the pointer hanging off the global _hv variable) and secondly via the hypervisor machine_thread_destroy callback (hv_callback_thread_destroy) which also calls lck_rw_free with a lock group pointer taken from _hv.
05bbdc4f970de720232f0fe75333057f8dbe21b2c91a3d821e577be39c6aed9bThe external method 0x206 of IGAccelGLContext is gst_configure. This method takes an arbitrary sized input structure (passed in rsi) but doesn't check the size of that structure (passed in rcx).
e94e24fe8cba2913f917f0f60d22c0acf21be5b012b6f82c3594d9dd86932b95Pdfium suffers from a heap-based out-of-bounds read in Opj_jp2_apply_pclr (libopenjpeg).
97247ca7bd5dbf856539b4911c7436201d602271e02e9af4f663fa3fc5efda7aiOS / OS X suffer from a kernel double free due to lack of locking in Iokit registry iterator manipulation.
8165a567612f28c0b556478f27c6f67dcb0caeb69b674c8e9e622681a9e157deThe iOS kernel suffers from a use-after-free vulnerability in IOReportHub.
372880071edb71ad2025e05e64439b5087b17a0a293d3814c5d4fbabdcbcdc0dWireshark suffers from a heap-based out-of-bounds read in Dissect_ber_constrained_bitstring.
629dc30b18484b20b8be6555ca4819e49f96bc1ce8b28537cc9772f20bfea7a8The iOS kernel suffers from a use-after-free vulnerability in AppleOscarCMA.
4640878ce067410ae3596bf74bbbfd8ccf473388034000bd3f132d57616e2107The field at IntelAccelerator+0xe60 is a pointer to a GSTContextKernel allocated in the ::gstqCreateInfoMethod. In the ::start method this field is initialized to NULL. The IGAccelDevice external method gst_configure (0x206) calls gstqConfigure which doesn't check whether the GSTContextKernel pointer is NULL, therefore by calling this external method before calling any others which allocate the GSTContextKernel we can cause a kernel NULL pointer dereference. The GSTContextKernel structure contains pointers, one of which eventually leads to control of a kernel virtual method call. This PoC will kernel panic calling 0xffff800041414141.
9ba4909584ef4a22ac3f38fbff2047915ff0e5cb4a39226d02f5540d8bac2d54It turns out that the spoofed no-more-senders notification bug when applied to iokit objects was actually just a more complicated way to hit ::clientClose in parallel. You can in fact do this very simply by calling IOServiceClose on two threads. Like the spoofed notifications this leads to many bugs in many userclients, the exact nature of which depends on the semantics of the clientClose implementation.
25c87d331724c51d81b1658a116bd5e77ebeedb53b236aa9fe1efaac0e2a8831iOS and OS X suffers from a kernel code execution vulnerability due to an integer overflow in NECP system control socket packet parsing.
a90f8ff051275e3a2763ebcc399a8891e5415fd85649de1e7df1f7d097d14c5eiOS and OS X suffer from a kernel code execution vulnerability via double-delete in IOHIDEventQueue:start due to incorrect error handling.
6ac15af258a146b8752ac818073462c4ae8b5c574c8d1f8ee6cb3d0d6bc85d9fWireshark suffers from a stack-based out-of-bounds read in Iseries_check_file_type.
d6928b50237f7c73c00ae88d01280c9cb05194d807b3a8048e954dfd065e219dWordPress Ultimate CSV Importer plugin version 3.8.6 suffers from a cross site scripting vulnerability.
4071fb697a7d5576f5de1863e60fe165edb9a8eb8735fa56cb438d04c37fe470The mach voucher subsystem fails to correctly handle spoofed no-more-senders messages. ipc_kobject_server will be called for mach messages sent to kernel-owned mach ports. If the msgh_id of the message can't be found in the mig_buckets hash table then this function calls ipc_kobject_notify. Note that this is the same code path which would be taken for a real no-more-senders notification message but there's nothing stopping user-space from also just sending one.
1042bf509240fef0a9ac35c0d9ae68166b05f9869f97a04609c7cfaf25873502A bad patch for CVE-2015-3712 allows for code execution due to insufficient bounds checking in nvidia GeForce command buffer processing.
ee9c46d5821b8af0488acb255e77382b0306b6ba04c458cde11f5fab2f6efff2
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed