lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <1426728864629.3549a4e3@Nodemailer>
Date: Wed, 18 Mar 2015 18:34:24 -0700 (PDT)
From: "Luca Todesco" <info@...rtyoruiop.com>
To: fulldisclosure@...lists.org
Subject: [FD] Mac OS X 10.10.2 Default KEXT heap overflow LPE

Hello,

I have recently found an exploitable heap overflow in a core OS X driver.
Particularly, the injectString function is vulnerable to an heap overflow and can be triggered without privileges of any kind.


The vulnerable function can be seen at http://opensource.apple.com/source/IOHIDFamily/IOHIDFamily-503.200.2/IOHIDSystem/IOHIDSecurePromptClient.cpp


I wrote a weaponized poc at http://github.com/kpwn/vpwn.


The KASLR leak included is not reliable across macs. It works only on Macs with AMD (no FirePro) GPUs. (Tested on a last gen 5K Retina iMac). 
It was the only one I'd sacrifice for a public PoC because of that constraint.
It's disabled by default too, but it's trivial to enable it by editing lsym_priv.h.


It does not completely clean up it's own mess, so running ioreg after running the PoC will likely crash your box. 


The particular IOKit service has been involved in a CVE in October. It had functions that could literally not be used without crashing the kernel. 
There still are other unsafe functions in that very same file. Apple has disabled the service in particular on the latest 10.10.3 beta possible due to those other bugs. I do not believe they are aware of this issue in particular. But this is pure speculation, and it doesn't matter in the end, since the vulnerability cannot be triggered anymore.


Let me know what you think and sorry for the wall of text,
Luca Todesco.
-qwertyoruiop

—
Inviato da Mailbox

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ