Status: Fixed
Closed: Mar 2016
OS X Kernel code execution due to lack of bounds checking in AppleUSBPipe::Abort
Project Member Reported by ianbeer@google.com, Feb 9 2016
External Method 36 of IOUSBInterfaceUserClient is _AbortStreamPipe.

It takes two scalar inputs and uses the second one as an array index to read a pointer
to a C++ object without checking the bounds then calls a virtual method on it.

Furthermore there's no check that the array pointer is non-null; if it is then we can get a
controlled offset-from-zero read; since our controlled dword will be multiplied by 8 to
index the array this means we can easily get the kernel to dereference a controllable
userspace address.

In this case a value of 0xf0f0f0f0 leads to the kernel reading an IOKit object pointer from
0x787878780. This poc maps that page to demonstrate control of a kernel object pointer.

Tested on MacBookAir5,2 w/ 10.11.3 (15D21)

Attachment: usb_oob.c (3.1 KB)
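The unchecked-index pattern the report describes, modelled in C as an added example (not Apple's code and not the attached PoC): the slot-address arithmetic the report quotes, beside a lookup that rejects a NULL table and an out-of-range index before any dereference. All type and function names are hypothetical stand-ins, and 8-byte kernel pointers are assumed.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-ins for the kernel objects (not Apple's types). */
typedef struct { int (*abort_pipe)(void *self); } pipe_ops_t; /* vtable */
typedef struct { const pipe_ops_t *ops; } pipe_t;

#define PIPE_COUNT 16

/* Slot address the unchecked code would read: base + index * 8 (pointer
 * size). Returned as an integer and never dereferenced; with a NULL base
 * and the report's 0xf0f0f0f0 this is 0x787878780. */
uint64_t unchecked_slot_address(uint64_t array_base, uint32_t index) {
    return array_base + (uint64_t)index * sizeof(uint64_t);
}

/* Hardened lookup: refuse a NULL table and an out-of-range index before
 * touching memory. The index is unsigned, so a negative value arrives as
 * a large positive and is rejected by the same comparison. */
pipe_t *checked_lookup(pipe_t **pipes, size_t count, uint32_t index) {
    if (pipes == NULL || index >= count)
        return NULL;
    return pipes[index];
}

/* What the external-method handler should do: validate, then call the
 * virtual method. Returns 0 on success, -1 for any rejected argument. */
int abort_pipe_checked(pipe_t **pipes, size_t count, uint32_t index) {
    pipe_t *p = checked_lookup(pipes, count, index);
    if (p == NULL || p->ops == NULL)
        return -1;
    return p->ops->abort_pipe(p);
}

/* Constructed sample: one live pipe in slot 0, every other slot empty. */
static int dummy_abort(void *self) { (void)self; return 0; }
static const pipe_ops_t dummy_ops = { dummy_abort };

int demo_abort(uint32_t index) {
    static pipe_t pipe0 = { &dummy_ops };
    static pipe_t *table[PIPE_COUNT] = { &pipe0 };
    return abort_pipe_checked(table, PIPE_COUNT, index);
}

int demo_abort_null_table(void) {
    return abort_pipe_checked(NULL, PIPE_COUNT, 0);
}
```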
Project Member Comment 1 by ianbeer@google.com, Feb 9 2016
Labels: Reported-2016-Feb-09 Id-636013878
Project Member Comment 2 by ianbeer@google.com, Mar 21 2016
Labels: Fixed-2016-Mar-21 CVE-2016-1749
Status: Fixed
Apple advisory: https://support.apple.com/en-us/HT206167
Project Member Comment 3 by ianbeer@google.com, Mar 22 2016
Labels: -Restrict-View-Commit