Status: Fixed
Closed: Mar 2017
MacOS kernel code execution due to lack of bounds checking in AppleIntelCapriController::GetLinkConfig
Project Member Reported by ianbeer@google.com, Jan 4 2017
Selector 0x921 of IntelFBClientControl ends up in AppleIntelCapriController::GetLinkConfig

This method takes a structure input and output buffer. It reads an attacker-controlled dword from the input buffer which it uses to index an array of pointers with no bounds checking:

This pointer is passed to AppleIntelFramebuffer::validateDisplayMode and the uint64 at offset +2130h is used as a C++ object pointer
on which a virtual method is called. With some heap grooming this could be used to get kernel code execution.

Tested on MacOS Sierra 10.12.2 (16C67)

Attached: capri_exec.c (2.2 KB)
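As an added illustration of the bug class described in this report (not Apple's code and not the attached capri_exec.c), the following models an external method that trusts a caller-supplied dword as an index into a pointer table, beside a hardened form that validates the input length and bounds-checks the index before use; all names and values are hypothetical.

```c
/* Added illustration, not Apple's code: a model of an IOKit-style external
 * method that reads a caller-supplied dword from its structure input buffer
 * and uses it to select an entry from a pointer table. Names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define LINK_TABLE_ENTRIES 4u
struct link_config_in  { uint32_t link_index; uint32_t flags; }; /* caller-supplied */
struct link_config_out { uint64_t link_id; };
static uint64_t g_link_ids[LINK_TABLE_ENTRIES] = { 0x1000, 0x1001, 0x1002, 0x1003 };
/* The array of pointers that the caller-controlled index selects from. */
static uint64_t *g_link_table[LINK_TABLE_ENTRIES] = {
    &g_link_ids[0], &g_link_ids[1], &g_link_ids[2], &g_link_ids[3]
};

/* The bug class in the report: link_index is trusted as-is, so a value >= 4
 * fetches a "pointer" from memory beyond g_link_table and dereferences it. */
int get_link_config_unchecked(const struct link_config_in *in,
                              struct link_config_out *out)
{
    uint64_t *entry = g_link_table[in->link_index];   /* no bounds check */
    out->link_id = *entry;
    return 0;
}

/* Hardened form: check the input length, copy the input once so the index
 * cannot change between check and use, and range-check it before it touches
 * the table. Returns 0 on success, -1 when the argument is rejected. */
int get_link_config_checked(const void *in_buf, size_t in_len,
                            struct link_config_out *out)
{
    struct link_config_in in;
    if (in_buf == NULL || out == NULL || in_len != sizeof(in))
        return -1;
    memcpy(&in, in_buf, sizeof(in));
    if (in.link_index >= LINK_TABLE_ENTRIES)  /* unsigned: also rejects "negative" */
        return -1;
    uint64_t *entry = g_link_table[in.link_index];
    if (entry == NULL) return -1;
    out->link_id = *entry;
    return 0;
}
/* Convenience wrapper: returns the selected id, or 0 when the call is rejected. */
uint64_t lookup_link_id(uint32_t link_index, size_t in_len)
{
    struct link_config_in in = { link_index, 0 };
    struct link_config_out out = { 0 };
    return get_link_config_checked(&in, in_len, &out) == 0 ? out.link_id : 0;
}
```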
Project Member Comment 1 by ianbeer@google.com, Jan 4 2017
Labels: Reported-2017-Jan-04 Id-656293107
Project Member Comment 2 by ianbeer@google.com, Mar 31 2017
Labels: Fixed-2017-Mar-27 CVE-2017-2443
Status: Fixed
Fixed in MacOS 10.12.4: https://support.apple.com/en-us/HT207615
Project Member Comment 3 by ianbeer@google.com, Apr 3 2017
Labels: -Restrict-View-Commit