OS X IOKit kernel code execution due to NULL pointer dereference in IntelAccelerator

codenote / google-security-research

Automatically exported from code.google.com/p/google-security-research

0 stars 0 forks source link

OS X IOKit kernel code execution due to NULL pointer dereference in IntelAccelerator #135

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago

I wrote a little program to run over every IOKit IOService userclient type from 
1 to 100 and just call IOConnectMapMemory for all the memory type values from 1 
to 1000.

Calling IOConnectMapMemory on userclient type 2 of "IntelAccelerator" with 
memory type 3 hits an exploitable kernel NULL pointer dereference calling a 
virtual function on an object at 0x0.

Attached PoC exploits this to get root.

(The cleanup ROP uses a hardcoded offset for 10.9.5.)

Original issue reported on code.google.com by ianb...@google.com on 21 Oct 2014 at 11:15

Attachments:

ig_2_3_exploit.c

GoogleCodeExporter commented 9 years ago

hummm, reading the Yosemite security bulletin this sounds a lot like 
CVE-2014-4373, upgrading to Yosemite now to check before I report this.

Original comment by ianb...@google.com on 21 Oct 2014 at 11:23

Added labels: ****
Removed labels: ****

GoogleCodeExporter commented 9 years ago

Verified that the bug is still there in Yosemite, attached a PoC crasher for 
10.10.

The kASLR defeat in ig_2_3_exploit.c looks to have been patched in 10.10 
however so that doesn't work.

Original comment by ianb...@google.com on 22 Oct 2014 at 12:49

Added labels: ****
Removed labels: ****

Attachments:

ignull_2_3.c

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 22 Oct 2014 at 12:54

Added labels: Id-612956440, Reported-2014-Oct-21
Removed labels: ****

GoogleCodeExporter commented 9 years ago

Original comment by scvi...@google.com on 12 Jan 2015 at 11:26

Added labels: Vendor-Apple
Removed labels: Vendor-OSX

GoogleCodeExporter commented 9 years ago

Deadline exceeded - automatically derestricting

Original comment by ianb...@google.com on 20 Jan 2015 at 5:03

Added labels: ****
Removed labels: Restrict-View-Commit

GoogleCodeExporter commented 9 years ago

[deleted comment]

GoogleCodeExporter commented 9 years ago

@ianbeer: just a reminder to add the Deadline-Exceeded label.

Original comment by cev...@google.com on 26 Jan 2015 at 7:13

Added labels: Deadline-Exceeded
Removed labels: ****

GoogleCodeExporter commented 9 years ago

Apple advisory: http://support.apple.com/en-us/HT204245

Original comment by ianb...@google.com on 5 Feb 2015 at 12:02

Changed state: Fixed
Added labels: CVE-2014-4486, Fixed-2015-Jan-27
Removed labels: ****