Message-ID: <CAPQ_=KUUARB0CZ6TB=DsJVzUCUL0vHKcKpk+q6_rxUFd_u3OSw@mail.gmail.com>
Date: Tue, 18 Feb 2014 12:45:15 +0800
From: "En.wooyun.org" <help.en@...yun.org>
To: full-disclosure@...ts.grok.org.uk
Subject: [WooYun-2014-00049] Mac osx & ios Kernel Module Uninitialization
*Abstract:*
Apple’s operating system IOReportHub has kernel module uninitialization
vulnerabilities that cause kernel breakdown.
*Details:*
The problem appears at the third function that moderates “GetValues”.
__ZN18IOReportUserClient10_getValuesEy: // IOReportUserClient::_getValues(unsigned long long)
0000000000001f7c 55                 push rbp ; XREF=0x17f7
0000000000001f7d 4889E5             mov rbp, rsp
0000000000001f80 4157               push r15
0000000000001f82 4156               push r14
0000000000001f84 4154               push r12
0000000000001f86 53                 push rbx
0000000000001f87 4989F6             mov r14, rsi
0000000000001f8a 4989FC             mov r12, rdi
0000000000001f8d 498BBC24F0000000   mov rdi, qword [ds:r12+0xf0]
0000000000001f95 E800000000         call 0x1f9a
0000000000001f9a 498BBC2400010000   mov rdi, qword [ds:r12+0x100] ; XREF=0x1f95
0000000000001fa2 488B07             mov rax, qword [ds:rdi] // rdi indicates a “0” object
*Proofs of concept:*
*[image: embedded image 1]*
*From:*
http://en.wooyun.org/bugs/wooyun-2013-041
--
WooYun, an Open and Free Vulnerability Reporting Platform
For more information, please visit http://en.wooyun.org/about.php
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
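
The listing above loads a pointer from the object at offset 0x100 and dereferences it with no check. The block below is an added example, not part of the advisory and not Apple's code: a simplified C model of an externally callable method that verifies the member has been initialised before the indirect call. All struct and function names are hypothetical, and the idea that the member is only set by a separate setup call is an assumption.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model, not Apple's code: every name here is hypothetical. */
enum { RC_OK = 0, RC_NOT_READY = -1, RC_BAD_ARG = -2 };

struct reporter {                 /* stands in for the object loaded from this+0x100 */
    int (*get_values)(struct reporter *self, uint64_t arg, uint64_t *out);
    uint64_t base;
};

struct user_client {
    struct reporter *reporter;    /* NULL until client_configure() has run */
};

static int reporter_get_values(struct reporter *self, uint64_t arg, uint64_t *out)
{
    *out = self->base + arg;
    return RC_OK;
}

/* Object creation: the member starts out as a "0" object. */
void client_init(struct user_client *c) { c->reporter = NULL; }

/* Assumed setup step: the only place the member is initialised. */
int client_configure(struct user_client *c, struct reporter *r, uint64_t base)
{
    if (c == NULL || r == NULL) return RC_BAD_ARG;
    r->get_values = reporter_get_values;
    r->base = base;
    c->reporter = r;
    return RC_OK;
}

/* Hardened method reachable from user space. The unchecked pattern in the
 * listing corresponds to calling c->reporter->get_values(...) directly,
 * which faults when the caller skips the setup step. */
int client_get_values(struct user_client *c, uint64_t arg, uint64_t *out)
{
    if (c == NULL || out == NULL) return RC_BAD_ARG;
    struct reporter *r = c->reporter;      /* read once, then validate */
    if (r == NULL || r->get_values == NULL) return RC_NOT_READY;
    return r->get_values(r, arg, out);
}
```

Returning an error for the not-yet-initialised state turns a kernel fault into a failed call that the caller can handle.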