krishnateja / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

OS X kASLR defeat due to kernel pointers in IOKit registry #126

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
$ ioreg -lxf | grep 7fffffff
    | | | |   | |   "AAPL,iokit-ndrv" = <f07c3a8c7fffffff>
    | | | |   | | |   "AAPL,iokit-ndrv" = <f07c3a8c7fffffff>
    | | | |   | | |   "AAPL,iokit-ndrv" = <f07c3a8c7fffffff>
    | | | |   | | |   "AAPL,iokit-ndrv" = <f07c3a8c7fffffff>
    | | | |   | | |   "AAPL,iokit-ndrv" = <f07c3a8c7fffffff>
    | | | | |   "AAPL,iokit-ndrv" = <f07c3a8c7fffffff>

That's an IOKit vtable pointer. Read access to the IOKit registry isn't 
currently preventable by the OS X sandboxing mechanism so any process on OS X 
can read *all* the information in there.

PoC exploit attached which uses this kASLR defeat along with 
https://code.google.com/p/google-security-research/issues/detail?id=40 to get 
reliable kernel code execution.

Original issue reported on code.google.com by ianb...@google.com on 15 Oct 2014 at 12:20

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 15 Oct 2014 at 12:31

GoogleCodeExporter commented 9 years ago
I think this might have been fixed in Yosemite. Apple haven't replied to my bug 
report yet but I'l gonna ping them to see if this was silently fixed. If so 
I'll mark this bug as invalid and open it up (along with the exploit.)

Original comment by ianb...@google.com on 31 Oct 2014 at 2:26

GoogleCodeExporter commented 9 years ago
@ianbeer: I wonder what the right thing to do here is? Is Mavericks still 
supported? If so, I would expect this report to be subject to a 90-day deadline 
for Apple to fix this issue in their still-supported OS version.

Apple would then have 90 days to either:

- Patch Mavericks.
- Desupport Mavericks in support of Yosemite.

Original comment by cev...@google.com on 1 Nov 2014 at 8:04

GoogleCodeExporter commented 9 years ago
Apple confirmed that they did indeed fix this in 10.10.

Regarding supported versions of OS X, I don't think there is such a concept.

Mavericks did receive a security update when Yosemite was released but it only 
had patches for POODLE. It did not contain patches for any of the other 
externally reported bugs fixed in Yosemite, and clearly also didn't contain 
patches for the silently fixed bugs (such as this) either. I would argue that's 
equivalent to no longer supporting Mavericks. It's trivial to bindiff the 
patched drivers and find these bugs, therefore I'm marking this bug report as 
invalid and removing the view restriction.

Original comment by ianb...@google.com on 8 Nov 2014 at 8:05