Status: Duplicate
Merged: issue 830
Closed: Aug 2016
OS X kernel use-after-free in CoreStorage
Project Member Reported by ianbeer@google.com, May 26 2016
CoreStorageUserClient stores a task struct pointer (passed in via IOServiceOpen) in the field at +0xE0 without taking a reference.

By killing the corresponding task we can free this pointer, leaving the user client with a dangling pointer.

Interestingly, CoreStorageUserClient will then use this dangling pointer to perform privilege checks using IOUserClient::clientHasPrivilege, so if we could get that freed task struct reallocated by a root-owned process (which would be pretty easy) then we could trick these checks into believing that we were root. Presumably they do interesting stuff which should be limited to root only, like messing with volume information.

You could also leverage this bug for kernel memory corruption.
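A model of the lifetime defect described above, as an added example that is not part of this report or of CoreStorage: the task struct, its arena and the user-client type are hypothetical stand-ins, and task_reference()/task_deallocate() only mirror the contract of XNU's functions of those names. The unsafe initializer reproduces the missing reference; the hardened one holds a reference for as long as the pointer is stored, so the task cannot be freed underneath the privilege check.

```c
#include <stdbool.h>
#include <stddef.h>

typedef struct task { int refcount; } task_t;

/* Constructed arena: tracks liveness so a stale pointer can be inspected
 * without dereferencing freed memory (a real kernel offers no such check). */
#define MAX_TASKS 4
static task_t g_tasks[MAX_TASKS];
static bool   g_task_live[MAX_TASKS];

static task_t *task_create(void) {
    for (int i = 0; i < MAX_TASKS; i++) {
        if (!g_task_live[i]) {
            g_task_live[i] = true;
            g_tasks[i].refcount = 1;   /* the owning process's reference */
            return &g_tasks[i];
        }
    }
    return NULL;
}

/* Same contract as XNU's task_reference()/task_deallocate(): the struct is
 * freed when the last reference goes away. */
static void task_reference(task_t *t) { t->refcount++; }
static void task_deallocate(task_t *t) {
    if (--t->refcount == 0)
        g_task_live[t - g_tasks] = false;   /* freed: memory may be reused */
}
static bool task_is_live(const task_t *t) { return g_task_live[t - g_tasks]; }
/* owning_task stands in for the field at +0xE0 in the report. */
typedef struct user_client { task_t *owning_task; } user_client_t;

/* Vulnerable pattern: stash the pointer, take no reference. */
static void client_init_unsafe(user_client_t *uc, task_t *t) { uc->owning_task = t; }
/* Hardened pattern: hold a reference while the pointer is stored, drop it on teardown. */
static void client_init_safe(user_client_t *uc, task_t *t) { task_reference(t); uc->owning_task = t; }
static void client_free_safe(user_client_t *uc) { task_deallocate(uc->owning_task); uc->owning_task = NULL; }

/* Open a client from a task, kill that task, then report whether the task the
 * client would consult for its privilege check is still live. */
static bool stored_task_live_after_kill(bool hardened) {
    user_client_t uc;
    task_t *t = task_create();
    if (hardened) client_init_safe(&uc, t); else client_init_unsafe(&uc, t);
    task_deallocate(t);   /* process killed: its own reference is dropped */
    bool live = task_is_live(uc.owning_task);
    if (hardened) client_free_safe(&uc);
    return live;
}
```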

build: clang -o corestorage_task_uaf  corestorage_task_uaf.c -framework IOKit

You should set gzalloc_min=1024 gzalloc_max=2048 or similar to actually fault on the UaF - otherwise you might see some weird panics!

tested on OS X 10.11.5 (15F34) on MacBookAir5,2
 
Attachment: corestorage_task_uaf.c (10.9 KB)
Project Member Comment 1 by ianbeer@google.com, May 26 2016
Labels: Id-641586441
Project Member Comment 2 by ianbeer@google.com, Aug 29 2016
Labels: -Severity-High Severity-HIgh
Mergedinto: 830
Status: Duplicate
Considered a duplicate of CVE-2016-1863
Project Member Comment 3 by ianbeer@google.com, Oct 25 2016
Labels: -Restrict-View-Commit