Apple MacOS NSUnarchiver Heap Corruption(CVE-2017-2523)

Via NSUnarchiver we can read NSBuiltinCharacterSet with a controlled serialized state. It reads a controlled int using decodeValueOfObjCType:"i" then either passes it to CFCharacterSetGetPredefined or uses it directly to manipulate NSBuiltinSetTable. Neither path has any bounds checking and the...

Apple macOS - Local Privilege Escalation Vulnerability(CVE-2017-6978)

HIServices.framework is used by a handful of deamons and implements its own CFObject serialization mechanism. The entrypoint to the deserialization code is AXUnserializeCFType; it reads a type field and uses that to index an array of function pointers for the support types: const:0000000000053ED0...

Apple iOS / macOS - NSUnarchiver Heap Corruption Due to Lack of Bounds Checking in [NSBuiltinCharact

Exploit for multiple platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1170 Via NSUnarchiver we can read NSBuiltinCharacterSet with a controlled serialized state. It reads a controlled int using decodeValueOfObjCType:"i" then either passes it to...

Apple macOS - Local Privilege Escalation Due to Lack of Bounds Checking in HIServices Custom CFObjec

Exploit for macOS platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1219 HIServices.framework is used by a handful of deamons and implements its own CFObject serialization mechanism. The entrypoint to the deserialization code is AXUnserializeCFType...

Apple macOSiOS Kernel 10.12.3 (16D32) - Double-Free Due to Bad Locking in fsevents Device

Apple macOSiOS Kernel 10.12.3 16D32 - Double-Free Due to Bad Locking in fsevents Device / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1129 fseventsfioctl handles ioctls on fsevent fds acquired via FSEVENTSCLONE64 on /dev/fsevents Heres the code for the FSEVENTSDEVICEFILTER64...

Apple macOSiOS Kernel 10.12.3 (16D32) - bpf Heap Overflow

Apple macOSiOS Kernel 10.12.3 16D32 - bpf Heap Overflow / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1125 The bpf ioctl BIOCSBLEN allows userspace to set the bpf buffer length: case BIOCSBLEN: / uint / if d-bdbif != 0 error = EINVAL; else uint size; bcopyaddr, &size, sizeof...

Apple macOS Kernel 10.12.3 (16D32) - Use-After-Free Due to Double-Release in posix_spawn

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1104 exechandleportactions is responsible for handling the xnu port actions extension to posixspawn. It supports 4 different types of port PSPASPECIAL, PSPAEXCEPTION, PSPAAUSESSION and PSPAIMPWATCHPORTS For the special, exception...

macOS / iOS Kernel 10.12.3 (16D32) - SIOCGIFORDER Socket ioctl Off-by-One Memory Corruption

Exploit for multiple platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1111 SIOCSIFORDER and SIOCGIFORDER allow userspace programs to build and maintain the ifnetorderedhead linked list of interfaces. SIOCSIFORDER clears the existing list and allow...

macOS Kernel 10.12.3 (16D32) - Use-After-Free Due to Double-Release in posix_spawn Exploit

Exploit for multiple platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1104 exechandleportactions is responsible for handling the xnu port actions extension to posixspawn. It supports 4 different types of port PSPASPECIAL, PSPAEXCEPTION,...

macOS / iOS Kernel 10.12.3 (16D32) - Bad Locking in necp_open Use-After-Free Exploit

Exploit for multiple platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1116 necpopen is a syscall used to obtain a new necp file descriptor The necp file's fp's fgdata points to a struct necpfddata allocated on the heap. Here's the relevant code fr...

Apple macOS/iOS Kernel 10.12.3 (16D32) - SIOCGIFORDER Socket ioctl Off-by-One Memory Corruption

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1111 SIOCSIFORDER and SIOCGIFORDER allow userspace programs to build and maintain the ifnetorderedhead linked list of interfaces. SIOCSIFORDER clears the existing list and allows userspace to specify an array of interface indexes...

Apple macOS/iOS Kernel 10.12.3 (16D32) - 'bpf' Heap Overflow

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1125 The bpf ioctl BIOCSBLEN allows userspace to set the bpf buffer length: case BIOCSBLEN: / uint / if d-bdbif != 0 error = EINVAL; else uint size; bcopyaddr, &size, sizeof size; if size bpfmaxbufsize size = bpfmaxbufsize; else ...

CVE-2017-2361

An issue was discovered in certain Apple products. macOS before 10.12.3 is affected. The issue involves the "Help Viewer" component, which allows XSS attacks via a crafted web site...

CVE-2017-2370

An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. macOS before 10.12.3 is affected. tvOS before 10.1.1 is affected. watchOS before 3.1.3 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or...