Status: Fixed
Closed: May 2016
OS X exploitable kernel NULL dereference in CoreCaptureResponder due to unchecked return value
Project Member Reported by ianbeer@google.com, Mar 23 2016
Pretty much all the external methods of CoreCaptureUserClient call CoreCaptureUserClient::stashGet passing an attacker controlled key.

If that key isn't in the list of stashed objects then stashGet returns a NULL pointer. No callers actually check
the return value, though, which leads immediately to a call to a virtual method on a NULL pointer. By mapping the NULL
page we can get trivial RIP control.

Tested on OS X 10.11.4 (15E65) on MacBookAir 5,2
Attachment: CoreCaptureNull.c (3.4 KB)
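As an added illustration (not the attached PoC and not Apple's CoreCapture code), a constructed C++ stand-in for the defect described above: a stash lookup that returns NULL for an unknown key, a caller that uses the result without checking it, and the checked form that rejects the key before any dereference. Every class, function and status name here is an assumption.

```cpp
// Constructed stand-in for the bug class in the report: an unchecked lookup
// result feeding a virtual call. Names are invented, not CoreCapture's.
#include <cstdint>
#include <map>

typedef int StatusCode;                    // stand-in for an IOReturn-like code
static const StatusCode kOk = 0;
static const StatusCode kBadArgument = -1;

// A stashed kernel object whose first use is a virtual call (vtable load).
class StashedObject {
public:
    virtual ~StashedObject() {}
    virtual uint64_t describe() const { return 0x1234; }
};

class UserClient {
    std::map<uint64_t, StashedObject*> stash_;
public:
    explicit UserClient(std::map<uint64_t, StashedObject*> s) : stash_(s) {}

    // Mirrors the report: an unknown key yields nullptr; callers must check.
    StashedObject* stashGet(uint64_t key) const {
        auto it = stash_.find(key);
        return it == stash_.end() ? nullptr : it->second;
    }

    // Vulnerable pattern: the lookup result is used directly, so a caller-
    // supplied key that was never stashed dereferences NULL via the vtable.
    StatusCode externalMethodUnchecked(uint64_t key, uint64_t* out) const {
        StashedObject* obj = stashGet(key);
        *out = obj->describe();            // undefined behaviour if obj == nullptr
        return kOk;
    }

    // Hardened form: validate the lookup before touching the object.
    StatusCode externalMethodChecked(uint64_t key, uint64_t* out) const {
        StashedObject* obj = stashGet(key);
        if (obj == nullptr) return kBadArgument;
        *out = obj->describe();
        return kOk;
    }
};

// Constructed sample state: a single object stashed under key 7.
static StashedObject g_sample;
static UserClient makeSampleClient() {
    std::map<uint64_t, StashedObject*> m;
    m[7] = &g_sample;
    return UserClient(m);
}
```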
Project Member Comment 1 by ianbeer@google.com, Mar 23 2016
Labels: Id-638203556 Reported-2016-Mar-23
Project Member Comment 2 by ianbeer@google.com, May 18 2016
Labels: Fixed-2016-May-16 CVE-2016-1803
Status: Fixed
Apple advisory: https://support.apple.com/en-us/HT206567
Project Member Comment 3 by ianbeer@google.com, Jun 9 2016
Labels: -Restrict-View-Commit
I've gone through the code, and I'm trying to do some experiments on OS X 10.11.
But I got "invalid address" when trying to allocate memory at address 0. How can we map the NULL page? Do I need some other exploitation step?
Just got it, I need to compile a 32-bit binary :)