syslogd (running as root) hosts the com.apple.system.logger mach service. It's part of the system.sb
sandbox profile and so reachable from a lot of sandboxed contexts.
Here's a snippet from its mach message handling loop listening on the service port:
ks = mach_msg(&(request->head), rbits, 0, rqs, global.listen_set, 0, MACH_PORT_NULL);
...
if (request->head.msgh_id == MACH_NOTIFY_DEAD_NAME)
{
deadname = (mach_dead_name_notification_t *)request;
dispatch_async(asl_server_queue, ^{
cancel_session(deadname->not_port);
/* dead name notification includes a dead name right */
mach_port_deallocate(mach_task_self(), deadname->not_port);
free(request);
});
An attacker with a send-right to the service can spoof a MACH_NOTIFY_DEAD_NAME message and cause an
arbitrary port name to be passed to mach_port_deallocate as deadname->not_port doesn't name a port right
but is a mach_port_name_t which is just a controlled integer.
An attacker could cause syslogd to free a privilged port name and get it reused to name a port for which
the attacker holds a receive right.
Tested on MacBookAir5,2 MacOS Sierra 10.12.1 (16B2555)
