OS X IOKit kernel code execution due to NULL pointer dereference in IntelAccelerator

Reported by ianbeer@google.com (Project Member), Oct 21 2014
I wrote a little program to run over every IOKit IOService userclient type from 1 to 100 and just call IOConnectMapMemory for all the memory type values from 1 to 1000. Calling IOConnectMapMemory on userclient type 2 of "IntelAccelerator" with memory type 3 hits an exploitable kernel NULL pointer dereference calling a virtual function on an object at 0x0. Attached PoC exploits this to get root. (The cleanup ROP uses a hardcoded offset for 10.9.5.)
Comment 1 by ianbeer@google.com (Project Member), Oct 22 2014
Verified that the bug is still there in Yosemite, attached a PoC crasher for 10.10. The kASLR defeat in ig_2_3_exploit.c looks to have been patched in 10.10 however so that doesn't work.
Comment, Oct 22 2014 (no text)

Comment, Jan 12 2015 (no text)

Comment, Jan 20 2015
Deadline exceeded - automatically derestricting

Comment, Jan 26 2015
@ianbeer: just a reminder to add the Deadline-Exceeded label.

Comment, Feb 5 2015
Apple advisory: http://support.apple.com/en-us/HT204245