1071 - MacOS kernel code execution due to lack of bounds checking in AppleIntelCapriController::GetLinkConfig - project-zero

Starred by 1 user

Status:	Fixed
Owner:	ianbeer@google.com
Closed:	Mar 2017
Cc:	project-...@google.com
Finder-ianbeer Deadline-90 Vendor-Apple CCProjectZeroMembers Severity-High Product-MacOS Reported-2017-Jan-04 Id-656293107 Fixed-2017-Mar-27 CVE-2017-2443

MacOS kernel code execution due to lack of bounds checking in AppleIntelCapriController::GetLinkConfig

Project Member Reported by ianbeer@google.com, Jan 4 2017

Back to list

Selector 0x921 of IntelFBClientControl ends up in AppleIntelCapriController::GetLinkConfig

This method takes a structure input and output buffer. It reads an attacker controlled dword from the input buffer which it
uses to index an array of pointers with no bounds checking:

This pointer is passed to AppleIntelFramebuffer::validateDisplayMode and the uint64 at offset +2130h is used as a C++ object pointer
on which a virtual method is called. With some heap grooming this could be used to get kernel code execution.

tested on MacOS Sierra 10.12.2 (16C67)

capri_exec.c
2.2 KB View Download

Project Member Comment 1 by ianbeer@google.com, Jan 4 2017

Labels: Reported-2017-Jan-04 Id-656293107

Project Member Comment 2 by ianbeer@google.com, Mar 31 2017

Labels: Fixed-2017-Mar-27 CVE-2017-2443
Status: Fixed

Fixed in MacOS 10.12.4: https://support.apple.com/en-us/HT207615

Project Member Comment 3 by ianbeer@google.com, Apr 3 2017

Labels: -Restrict-View-Commit

► Sign in to add a comment