Starred by 3 users
Status: Fixed
Owner:
Closed: Jul 2015
Cc:



OS X IOKit kernel code execution due to lack of bounds checking in IGAccelVideoContextMain::process_token_JPEGBLF
Project Member Reported by ianbeer@google.com, Apr 16 2015
The function IGAccelVideoContextMain::process_token_JPEGBLF trusts the dword at offset 0x14 in the input token and uses it as the index for a kernel memory write.

This PoC looks for a MediaKernel token and moves a few things around to trigger the vuln in the JPEGBLF code.

tested on: MacBookAir5,2 w/ 10.10.3 (14D131)
build: clang -Wall -dynamiclib -o ig_JPEGBLF.dylib ig_JPEGBLF.c -framework IOKit -arch i386 -arch x86_64
run: DYLD_INSERT_LIBRARIES=./ig_JPEGBLF.dylib  /Applications/QuickTime\ Player.app/Contents/MacOS/QuickTime\ Player
go File -> New Movie Recording and press the red record button

Reachable from sandboxes which can talk to the GPU (e.g. the Chrome GPU process and the Safari renderer process).
 
Attachment: ig_JPEGBLF.c (7.9 KB)
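The defect class the report describes is a caller-supplied dword taken straight from the token and used as an index for a write. The block below is an added example, not code from this report, from the attached PoC, or from Apple's driver: it shows a hardened token handler that range-checks the index as an unsigned value before touching memory, next to the signed comparison that is a common wrong fix. The token layout (index at 0x14 is the only offset taken from the report; the value field, total length and table size are made up), the table and every function name are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative token layout: an assumption for this example, not the real
 * driver's structure. A 32-bit little-endian index sits at offset 0x14 (the
 * offset named in the report) and a 32-bit value follows it. */
enum {
    TOKEN_INDEX_OFFSET = 0x14,
    TOKEN_VALUE_OFFSET = 0x18,
    TOKEN_LEN          = 0x1c,
    TABLE_ENTRIES      = 16
};

enum token_status { TOKEN_OK = 0, TOKEN_TOO_SHORT = -1, TOKEN_BAD_INDEX = -2 };

/* Stand-in for the kernel-side table that the token's index selects into. */
static uint32_t g_table[TABLE_ENTRIES];

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void write_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Hardened handler. The report's defect is that the index is used as-is;
 * here it is range-checked as an unsigned quantity before any write. */
int process_token_checked(const uint8_t *tok, size_t len) {
    if (tok == NULL || len < TOKEN_LEN)
        return TOKEN_TOO_SHORT;      /* reject before reading any field */
    uint32_t idx = read_le32(tok + TOKEN_INDEX_OFFSET);
    uint32_t val = read_le32(tok + TOKEN_VALUE_OFFSET);
    if (idx >= (uint32_t)TABLE_ENTRIES)
        return TOKEN_BAD_INDEX;      /* the check the report says is missing */
    g_table[idx] = val;
    return TOKEN_OK;
}

/* A common wrong fix: comparing the untrusted dword as a signed int. Returns
 * true when such a check would let the index through. Side-effect free; it
 * only documents the mistake, nothing is written. */
bool signed_check_accepts(uint32_t idx) {
    return (int32_t)idx < TABLE_ENTRIES;   /* 0xFFFFFFFF is -1 and passes */
}

/* Build a constructed token and submit it, returning the handler's status. */
int submit_token(uint32_t idx, uint32_t val) {
    uint8_t tok[TOKEN_LEN];
    memset(tok, 0, sizeof tok);
    write_le32(tok + TOKEN_INDEX_OFFSET, idx);
    write_le32(tok + TOKEN_VALUE_OFFSET, val);
    return process_token_checked(tok, sizeof tok);
}

/* Submit a token shorter than the fields the handler needs. */
int submit_truncated_token(void) {
    uint8_t tok[8] = {0};
    return process_token_checked(tok, sizeof tok);
}

uint32_t table_entry(size_t i) {
    return i < TABLE_ENTRIES ? g_table[i] : 0;
}

int main(void) {
    printf("in-range index 3      -> %d\n", submit_token(3, 0xC0FFEEu));
    printf("index 0xFFFFFFFF      -> %d\n", submit_token(0xFFFFFFFFu, 1));
    printf("signed compare passes -> %d\n", signed_check_accepts(0xFFFFFFFFu));
    printf("truncated token       -> %d\n", submit_truncated_token());
    return 0;
}
```

The two things worth taking from this are the order of the checks (length before any field read, index before any write) and the unsigned comparison: a dword that a driver reads from a user-controlled token should never be compared as a signed int, because the top half of the range then collapses to negative values that pass an upper-bound test.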
Project Member Comment 1 by ianbeer@google.com, Apr 16 2015
Labels: Reported-2015-Apr-16 Id-621650758
Project Member Comment 2 by ianbeer@google.com, Apr 17 2015
Owner: ianbeer@google.com
Project Member Comment 3 by ianbeer@google.com, Jul 20 2015
Labels: CVE-2015-3698 Fixed-2015-Jun-30
Status: Fixed
https://support.apple.com/en-us/HT204942
Project Member Comment 4 by ianbeer@google.com, Jul 31 2015
Labels: -Restrict-View-Commit