19 matches found
Missing Authentication for Critical Function
Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the MSTeams plugin OAuth flow. An attacker can modify arbitrary posts by sending a crafted OAuth redirect URL. Remediation Upgrade...
Apple Mac OSX Kernel - NULL Dereference in CoreCaptureResponder Due to Unchecked Return Value
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=777 Pretty much all the external methods of CoreCaptureUserClient call CoreCaptureUserClient::stashGet passing an attacker controlled key. If that key isn't in the list of stashed objects then stashGet returns a NULL pointer. No...
Apple Mac OSX Kernel - Null Pointer Dereference in AppleGraphicsDeviceControl
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=782 AppleGraphicsDeviceControlClient doesn't check that its pointer to its IOService at this+0xd8 is non-null before using it in all external methods. We can set this pointer to NULL by racing two threads, one of which calls...
Apple Mac OSX - Kernel Use-After-Free Due to Bad Locking in IOAcceleratorFamily2
Exploit for macOS platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=772 In IOAccelContext2::clientMemoryForType the lockbusy/unlockbusy should be extended to cover all the code setting up shared memory type 2. At the moment the lock doesn't protect...
Apple Mac OSX - Kernel Exploitable NULL Dereference in IOAccelSharedUserClient2::page_off_resource
Exploit for macOS platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=778 IOAccelerator external method IOAccelSharedUserClient2::pageoffresource uses the pointer at this+0x100 without checking if it's NULL. A series of dereferences from this pointer...
Apple Mac OSX Kernel - Null Pointer Dereference in nvCommandQueue::GetHandleIndex in GeForce.kext
Apple Mac OSX Kernel - Null Pointer Dereference in nvCommandQueue::GetHandleIndex in GeForce.kext / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=784 The method nvCommandQueue::GetHandleIndex doesn't check whether this+0x5b8 is non-null before using it. We can race a call to...
Apple Mac OSX Kernel - Null Pointer Dereference in AppleMuxControl.kext
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=783 The method AppleGraphicsControlClient::checkArguments does actually appear to test whether the pointer at this+0xd8 is non-null, but uses it anyway : We can race external methods which call this with another thread calling...
Apple Mac OSX Kernel - NULL Dereference in IOAccelSharedUserClient2::page_off_resource
Apple Mac OSX Kernel - NULL Dereference in IOAccelSharedUserClient2::pageoffresource / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=778 IOAccelerator external method IOAccelSharedUserClient2::pageoffresource uses the pointer at this+0x100 without checking if it's NULL. A seri...
Apple Mac OSX Kernel - NULL Dereference in IOAccelSharedUserClient2::page_off_resource
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=778 IOAccelerator external method IOAccelSharedUserClient2::pageoffresource uses the pointer at this+0x100 without checking if it's NULL. A series of dereferences from this pointer lead to trivial RIP control. We can race two...
Apple Mac OS X Zero Day Vulnerability SIP Bypass
System Integrity Protection SIP was implemented in OS X El Capitan and imposes limitations on what actions that Mac computers’ root accounts can take against protected paths of the operating system. Yesterday at the SysCan360 conference in Singapore, a researcher from SentinelOne disclosed detail...
Apple OS X code-signing subsystem information disclosure vulnerability
Apple OS X is a specialized operating system developed by Apple for Mac computers. An information disclosure vulnerability exists in the code-signing subsystem of Apple OS X versions prior to 10.11.4, which arises from a program's failure to properly verify file ownership. A local attacker could...
Mac OS X Zero-Day Exploit Can Bypass Apple's Latest Protection Feature
A critical zero-day vulnerability has been discovered in all versions of Apple's OS X operating system that allows hackers to exploit the company’s newest protection feature and steal sensitive data from affected devices. With the release of OS X El Capitan, Apple introduced a security protection...
CVE-2016-1745
IOFireWireFamily in Apple OS X before 10.11.4 allows local users to cause a denial of service NULL pointer dereference via unspecified vectors...
Memory corruption
AppleRAID in Apple OS X before 10.11.4 allows attackers to execute arbitrary code in a privileged context or cause a denial of service memory corruption via a crafted app...
CVE-2016-1747
IOGraphics in Apple OS X before 10.11.4 allows attackers to execute arbitrary code in a privileged context or cause a denial of service memory corruption via a crafted app, a different vulnerability than CVE-2016-1746...
CVE-2016-1747
CVE-2016-1747 affects Apple OS X prior to 10.11.4, via IOGraphics. A crafted app may cause memory corruption, allowing arbitrary code execution in a privileged kernel context or cause a denial of service. Root cause: memory corruption in IOGraphics. Documents indicate the issue is addressed in OS...
Apple OS X kernel memory corruption vulnerability
Apple OS X is a specialized operating system developed by Apple for Mac computers. kernel is one of the kernel components. A security vulnerability exists in the kernel of Apple OS X versions prior to 10.11.4. The vulnerability can be exploited by an attacker with a specially crafted application ...
Apple OS X Bluetooth Component Memory Corruption Vulnerability
Apple OS X is a specialized operating system developed by Apple for Mac computers.Bluetooth is one of the Bluetooth components. A security vulnerability exists in the Bluetooth component of Apple OS X versions prior to 10.11.4. The vulnerability can be exploited by an attacker with a specially...
Race you to the kernel!
Posted by Ian Beer of Google Project Zero The OS X and iOS kernel code responsible for loading a setuid root binary invalidates the old task port after first swapping the new virtual memory map pointer into the old task object, leaving a short race window where you can manipulate the memory of an...