sla-cker / google-security-research

Automatically exported from code.google.com/p/google-security-research

OS X IOKit kernel code execution due to lack of bounds checking in IGAccelVideoContextMain::patch_encoding_common #327

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
IGAccelVideoContextMain is the userclient used for GPU accelerated video encoding on the Intel HD integrated GPUs. It's userclient 0x100 of the IntelAccelerator IOService. IOConnectMapMemory type=0 of this userclient is a shared token buffer. The dword at offset 0x14 of token 0x83 is used to compute the offset for a write without checking the bounds, allowing a controlled kernel memory write.

This PoC uses QuickTime but the vuln is reachable from the Chrome GPU process sandbox and the Safari sandbox.

Compile this dylib:
  $ clang -Wall -dynamiclib -o ig_video_main_patch_encoding_common.dylib ig_video_main_patch_encoding_common.c -framework IOKit -arch i386 -arch x86_64 
Load it into Quicktime:
  $ DYLD_INSERT_LIBRARIES=./ig_video_main_patch_encoding_common.dylib /Applications/QuickTime\ Player.app/Contents/MacOS/QuickTime\ Player
Start a screen recording:
  File -> New Movie Recording -> Click the red circle -> start the recording
This interpose library will look for the ColorSpaceConversion token in the shared memory and trigger the bug.

tested on: MacBookAir5,2 w/ 10.10.3/14d131

Original issue reported on code.google.com by ianb...@google.com on 10 Apr 2015 at 2:41

Attachments:
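
The defect described in this report is an offset read from memory shared with userspace and used for a kernel write without a bounds check. The following is an added example, not the reporter's PoC and not Apple's driver code, showing the pattern a driver should use instead: fetch the untrusted dword once into a private local, validate it against the destination size with an overflow-safe comparison, and only then write. The token layout (TOKEN_OFFSET_FIELD at 0x14), the token and target sizes, and the function names are constructed for the example and are not the real driver's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes and layout for the example; not the real driver's. */
#define TOKEN_SIZE          0x40u
#define TOKEN_OFFSET_FIELD  0x14u   /* hypothetical position of the untrusted dword */
#define TARGET_SIZE         4096u

typedef enum {
    PATCH_OK         =  0,
    PATCH_BAD_OFFSET = -1,   /* offset would write outside the target */
    PATCH_BAD_TOKEN  = -2    /* token too small to even hold the field */
} patch_status;

/*
 * Write a 4-byte value into `target` at an offset supplied by userspace
 * inside a shared-memory token.
 *
 *  - The token is read through a volatile pointer exactly once, byte by
 *    byte, into a kernel-private local, so the value that is validated is
 *    the value that is used (no double fetch / TOCTOU against shared memory).
 *  - The bounds check is written as `off > target_len - sizeof value` (after
 *    guarding target_len), so it cannot wrap even when off is near UINT32_MAX.
 */
static patch_status patch_encoding_checked(uint8_t *target, size_t target_len,
                                           const volatile uint8_t *shared_token,
                                           size_t token_len, uint32_t value)
{
    if (token_len < TOKEN_OFFSET_FIELD + sizeof(uint32_t))
        return PATCH_BAD_TOKEN;

    /* Single fetch of the little-endian dword from shared memory. */
    uint32_t off = 0;
    for (size_t i = 0; i < sizeof off; i++)
        off |= (uint32_t)shared_token[TOKEN_OFFSET_FIELD + i] << (8 * i);

    /* Reject anything that would not fit entirely inside the target. */
    if (target_len < sizeof value || off > target_len - sizeof value)
        return PATCH_BAD_OFFSET;

    memcpy(target + off, &value, sizeof value);
    return PATCH_OK;
}

/* Build a constructed token whose offset field holds `off` (little-endian). */
static void make_token(uint8_t *token, uint32_t off)
{
    memset(token, 0, TOKEN_SIZE);
    for (size_t i = 0; i < sizeof off; i++)
        token[TOKEN_OFFSET_FIELD + i] = (uint8_t)(off >> (8 * i));
}

/* Convenience wrapper used by the demo and tests: patch a static target
 * with a token carrying the given offset, and report the verdict. */
static patch_status try_offset(uint32_t off)
{
    static uint8_t target[TARGET_SIZE];
    uint8_t token[TOKEN_SIZE];
    make_token(token, off);
    return patch_encoding_checked(target, TARGET_SIZE, token, TOKEN_SIZE, 0x41424344u);
}

int main(void)
{
    const uint32_t cases[] = { 0x100u, TARGET_SIZE - 4, TARGET_SIZE - 3,
                               TARGET_SIZE, 0xFFFFFFFCu };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("offset 0x%08x -> %s\n", cases[i],
               try_offset(cases[i]) == PATCH_OK ? "written" : "rejected");
    return 0;
}
```

The last case matters: with a naive `off + 4 <= target_len` check, 0xFFFFFFFC + 4 wraps to 0 in 32-bit arithmetic and passes, so the comparison is deliberately arranged with the subtraction on the trusted side.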

GoogleCodeExporter commented 9 years ago
Clarification: the correct offset in the token is 0x820, not 0x14

Original comment by ianb...@google.com on 10 Apr 2015 at 2:44

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 10 Apr 2015 at 2:46

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 17 Apr 2015 at 1:25

GoogleCodeExporter commented 9 years ago
https://support.apple.com/en-us/HT204942

Original comment by ianb...@google.com on 20 Jul 2015 at 11:19

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 31 Jul 2015 at 10:10