Status: Fixed
Closed: Dec 2016
MacOS/iOS arbitrary port replacement in syslogd
Project Member Reported by ianbeer@google.com, Oct 27 2016
syslogd (running as root) hosts the com.apple.system.logger mach service. It's part of the system.sb
sandbox profile and so reachable from a lot of sandboxed contexts.

Here's a snippet from its mach message handling loop listening on the service port:

    ks = mach_msg(&(request->head), rbits, 0, rqs, global.listen_set, 0, MACH_PORT_NULL);
    ...
    if (request->head.msgh_id == MACH_NOTIFY_DEAD_NAME)
    {
      /* msgh_id is chosen by whoever sent the message; nothing here checks
       * that the message actually came from the kernel */
      deadname = (mach_dead_name_notification_t *)request;
      dispatch_async(asl_server_queue, ^{
        cancel_session(deadname->not_port);
        /* dead name notification includes a dead name right */
        /* not_port is read verbatim from the message body */
        mach_port_deallocate(mach_task_self(), deadname->not_port);
        free(request);
      });
    }

An attacker with a send-right to the service can spoof a MACH_NOTIFY_DEAD_NAME message and cause an
arbitrary port name to be passed to mach_port_deallocate, as deadname->not_port doesn't name a port right
but is a mach_port_name_t, which is just a controlled integer.

An attacker could cause syslogd to free a privileged port name and get it reused to name a port for which
the attacker holds a receive right.

Tested on MacBookAir5,2 MacOS Sierra 10.12.1 (16B2555)
 
Attachment: syslog_notify.c (2.8 KB)
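As an added illustration (not code from the report or from syslogd), here is the kind of gate a dead-name handler needs before it acts on not_port: the message must have arrived on a dedicated notification port that clients never get send rights to, the kernel-written audit trailer must show pid 0, and the name must be one the process itself registered. The types below are constructed stand-ins for the Mach ones so the check compiles off-macOS; the registry and sender_pid field are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Stand-ins for the Mach types in the report so this compiles off-macOS.
 * They carry only the fields the check needs (a constructed simplification). */
typedef uint32_t mach_port_name_t;
#define MACH_NOTIFY_DEAD_NAME 72 /* 0100 + 010, as in <mach/notify.h> */

typedef struct {
    int              msgh_id;         /* message id: any sender can choose it */
    mach_port_name_t msgh_local_port; /* port the message arrived on */
    mach_port_name_t not_port;        /* "dead" name: a plain integer in the body */
    int              sender_pid;      /* pid from the kernel-filled audit trailer */
} dead_name_notification_t;

#define MAX_TRACKED 64
typedef struct {
    mach_port_name_t notify_port;     /* dedicated port never handed to clients */
    mach_port_name_t names[MAX_TRACKED];
    size_t           count;
} notify_registry_t;

/* Record a name we asked the kernel to watch (mach_port_request_notification). */
bool registry_track(notify_registry_t *r, mach_port_name_t name) {
    if (r->count >= MAX_TRACKED) return false;
    r->names[r->count++] = name;
    return true;
}

/* Returns true, and forgets the name, only when it is safe to pass not_port to
 * mach_port_deallocate; false means the message must be dropped unprocessed. */
bool dead_name_ok(notify_registry_t *r, const dead_name_notification_t *m) {
    if (m->msgh_id != MACH_NOTIFY_DEAD_NAME) return false;
    /* 1. Genuine notifications arrive on the port we registered, not on the
     *    public service port that sandboxed clients hold send rights to. */
    if (m->msgh_local_port != r->notify_port) return false;
    /* 2. The audit trailer is written by the kernel, not the sender, and
     *    kernel-originated messages carry pid 0. */
    if (m->sender_pid != 0) return false;
    /* 3. The name must be one we registered; each registration fires once,
     *    so consume it and reject replays of the same name. */
    for (size_t i = 0; i < r->count; i++) {
        if (r->names[i] != m->not_port) continue;
        r->names[i] = r->names[--r->count];
        return true;
    }
    return false;
}
```

With this gate in front of the snippet above, a spoofed message carrying an arbitrary integer never reaches mach_port_deallocate, because the name is not in the registry.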
Project Member Comment 1 by ianbeer@google.com, Oct 27 2016
Labels: Id-651274294 Reported-2016-Oct-27
Project Member Comment 2 by ianbeer@google.com, Dec 22 2016
Labels: -Restrict-View-Commit Fixed-2016-Dec-12 CVE-2016-7660
Status: Fixed
Fixed in MacOS 10.12.2: https://support.apple.com/en-us/HT207423
Fixed in iOS 10.2: https://support.apple.com/en-us/HT207422
Cc: koto@google.com security...@gmail.com
Owner: koto@google.com
Project Member Comment 5 by ianbeer@google.com, Jun 8
Owner: ianbeer@google.com