krishnateja / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

OS X IOKit kernel code execution due to NULL pointer dereference in IntelAccelerator #135

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I wrote a little program to run over every IOKit IOService userclient type from 
1 to 100 and just call IOConnectMapMemory for all the memory type values from 1 
to 1000.

Calling IOConnectMapMemory on userclient type 2 of "IntelAccelerator" with 
memory type 3 hits an exploitable kernel NULL pointer dereference calling a 
virtual function on an object at 0x0.

Attached PoC exploits this to get root.

(The cleanup ROP uses a hardcoded offset for 10.9.5.)

Original issue reported on code.google.com by ianb...@google.com on 21 Oct 2014 at 11:15

Attachments:

GoogleCodeExporter commented 9 years ago
hummm, reading the Yosemite security bulletin this sounds a lot like 
CVE-2014-4373, upgrading to Yosemite now to check before I report this.

Original comment by ianb...@google.com on 21 Oct 2014 at 11:23

GoogleCodeExporter commented 9 years ago
Verified that the bug is still there in Yosemite, attached a PoC crasher for 
10.10.

The kASLR defeat in ig_2_3_exploit.c looks to have been patched in 10.10 
however so that doesn't work.

Original comment by ianb...@google.com on 22 Oct 2014 at 12:49

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 22 Oct 2014 at 12:54

GoogleCodeExporter commented 9 years ago

Original comment by scvi...@google.com on 12 Jan 2015 at 11:26

GoogleCodeExporter commented 9 years ago
Deadline exceeded - automatically derestricting

Original comment by ianb...@google.com on 20 Jan 2015 at 5:03

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
@ianbeer: just a reminder to add the Deadline-Exceeded label.

Original comment by cev...@google.com on 26 Jan 2015 at 7:13

GoogleCodeExporter commented 9 years ago
Apple advisory: http://support.apple.com/en-us/HT204245

Original comment by ianb...@google.com on 5 Feb 2015 at 12:02