333 - OS X IOKit kernel code execution due to lack of bounds checking in IGAccelVideoContextMain::process_token_AllPostProcGVA and patch_vphal_ssh_instance - project-zero

Starred by 2 users

Status:	Fixed
Owner:	ianbeer@google.com
Closed:	Jul 2015
Cc:	project-...@google.com
Finder-ianbeer Deadline-90 Id-621656313 Fixed-2015-Jun-30 Vendor-Apple CVE-2015-3700 Product-IOKit CCProjectZeroMembers Reported-2015-Apr-16 Severity-High

OS X IOKit kernel code execution due to lack of bounds checking in IGAccelVideoContextMain::process_token_AllPostProcGVA and patch_vphal_ssh_instance

Project Member Reported by ianbeer@google.com, Apr 17 2015

Back to list

The function IGAccelVideoContextMain::process_token_AllPostProcGVA trusts the dword at offset 0x14 in the input token and
adds it to a valid pointer which is then passed to ::patch_vphal_ssh_instance. This PoC should crash reading the dword at r14,
but notice that there is possibility for memory corruption here as at the end of the loop the byte at r14 is AND'd with 0xfa allowing you to clear two bits.

This PoC looks for a MediaKernel token and moves a few things around to trigger the vuln.

tested on: MacBookAir5,2 w/ 10.10.3 (14D131)
build: clang -Wall -dynamiclib -o ig_vphal_ssh.dylib ig_vphal_ssh.c -framework IOKit -arch i386 -arch x86_64
run: DYLD_INSERT_LIBRARIES=./ig_vphal_ssh.dylib  /Applications/QuickTime\ Player.app/Contents/MacOS/QuickTime\ Player
go File -> New Movie Recording and press the red record button

Reachable from sandboxes which can talk the the GPU.

ig_vphal_ssh.c
8.3 KB Download

Project Member Comment 1 by ianbeer@google.com, Apr 17 2015

Owner: ianbeer@google.com

Project Member Comment 2 by ianbeer@google.com, Jul 20 2015

Labels: CVE-2015-3700 Fixed-2015-Jun-30
Status: Fixed

https://support.apple.com/en-us/HT204942

Project Member Comment 3 by ianbeer@google.com, Jul 31 2015

Labels: -Restrict-View-Commit

► Sign in to add a comment