Lucene search

298 matches found

0day.today
added 2016/01/28 12:0 a.m., 39 views

Apple Mac OSX - io_service_close Use-After-Free

Exploit for macOS platform in category dos / poc / Source: https://code.google.com/p/google-security-research/issues/detail?id=597 It turns out that the spoofed no-more-senders notification bug when applied to iokit objects was actually just a more complicated way to hit ::clientClose in parallel...

CVSS 7.2, AI score 8, EPSS 0.00242
Exploits: 2

Exploit DB
added 2016/01/28 12:0 a.m., 28 views

Apple Mac OSX - 'gst_configure' Kernel Buffer Overflow

Source: https://code.google.com/p/google-security-research/issues/detail?id=596 The external method 0x206 of IGAccelGLContext is gst_configure. This method takes an arbitrary sized input structure passed in rsi but doesn't check the size of that structure passed in rcx. text:000000000002A366...

AI score 7
Exploits: 0

Exploit DB
added 2016/01/28 12:0 a.m., 29 views

Apple Mac OSX / iOS Kernel - iokit Registry Iterator Manipulation Double-Free

Source: https://code.google.com/p/google-security-research/issues/detail?id=598 The userspace MIG wrapper IORegistryIteratorExitEntry invokes the following kernel function: kern_return_t is_io_registry_iterator_exit_entry(io_object_t iterator) { bool didIt; CHECK(IORegistryIterator, iterator, iter); didIt ...

AI score 7.4
Exploits: 0

Exploit DB
added 2016/01/28 12:0 a.m., 23 views

Apple Mac OSX - 'IOBluetoothHCIUserClient' Arbitrary Kernel Code Execution

Source: https://code.google.com/p/google-security-research/issues/detail?id=569 IOBluetoothHCIUserClient uses an IOCommandGate to dispatch external methods; it passes a pointer to the structInput of the external method as arg0 and ::SimpleDispatchWL as the Action. It neither passes nor checks t...

AI score 7
Exploits: 0

exploitpack
added 2016/01/28 12:0 a.m., 18 views

Apple Mac OSX - io_service_close Use-After-Free

Apple Mac OSX - io_service_close Use-After-Free / Source: https://code.google.com/p/google-security-research/issues/detail?id=597 It turns out that the spoofed no-more-senders notification bug when applied to iokit objects was actually just a more complicated way to hit ::clientClose in parallel. W...

AI score 7.4
Exploits: 0

exploitpack
added 2016/01/28 12:0 a.m., 14 views

Apple Mac OSX iOS - Multiple Kernel Uninitialized Variable Bugs Leading to Code Execution Vulnerabilities

Apple Mac OSX iOS - Multiple Kernel Uninitialized Variable Bugs Leading to Code Execution Vulnerabilities Source: https://code.google.com/p/google-security-research/issues/detail?id=618 The ool variations of the IOKit device.defs functions all incorrectly deal with error conditions. If you run th...

AI score 0.7
Exploits: 0

0day.today
added 2016/01/28 12:0 a.m., 32 views

Apple Mac OSX / iOS - Multiple Kernel Uninitialized Variable Bugs Leading to Code Execution

Exploit for multiple platform in category dos / poc Source: https://code.google.com/p/google-security-research/issues/detail?id=618 The ool variations of the IOKit device.defs functions all incorrectly deal with error conditions. If you run the mig tool on device.defs you can see the source of th...

CVSS 7.2, AI score 8.1, EPSS 0.00242
Exploits: 2

Exploit DB
added 2016/01/28 12:0 a.m., 38 views

Apple Mac OSX / iOS - Unsandboxable Kernel Code Execution Due to iokit Double Release in IOKit

Source: https://code.google.com/p/google-security-research/issues/detail?id=620 I wanted to demonstrate that these iOS/OS X kernel race condition really are exploitable so here's a PoC which gets RIP on OS X. The same techniques should transfer smoothly to iOS : The bug is here: void...

AI score 7.4
Exploits: 0

Exploit DB
added 2016/01/28 12:0 a.m., 25 views

Apple Mac OSX / iOS - Multiple Kernel Uninitialized Variable Bugs Leading to Code Execution Vulnerabilities

Source: https://code.google.com/p/google-security-research/issues/detail?id=618 The ool variations of the IOKit device.defs functions all incorrectly deal with error conditions. If you run the mig tool on device.defs you can see the source of the kernel-side MIG handling code; here is the relevan...

AI score 7.4
Exploits: 0

0day.today
added 2016/01/28 12:0 a.m., 37 views

Apple Mac OSX - IOSCSIPeripheralDeviceType00 Userclient Type 12 Exploitable Kernel NULL Dereference

Exploit for macOS platform in category dos / poc / Source: https://code.google.com/p/google-security-research/issues/detail?id=562 Opening userclient type 12 of IOSCSIPeripheralDeviceType00 leads to an exploitable kernel NULL dereference. Tested on OS X 10.11 ElCapitan 15a284 on MacBookAir5,2 / /...

CVSS 9.3, AI score 7.7, EPSS 0.03935
Exploits: 1

Exploit DB
added 2016/01/28 12:0 a.m., 69 views

Apple Mac OSX - OSMetaClassBase::safeMetaCast in IOAccelContext2::connectClient NULL Dereference

Source: https://code.google.com/p/google-security-research/issues/detail?id=512 IOUserClient::connectClient is an obscure IOKit method which according to the docs is supposed to "Inform a connection of a second connection." In fact IOKit provides no default implementation and only a handful of...

AI score 7.4
Exploits: 0

Tenable Nessus
added 2016/01/27 12:0 a.m., 43 views

Apple TV < 9.1.1 Multiple Vulnerabilities

According to its banner, the remote Apple TV device is a version prior to 9.1.1. It is, therefore, affected by the following vulnerabilities : - A type confusion error exists in the bundled libxslt library due to improper handling of invalid values. An attacker can exploit this to crash the...

CVSS 9.3, AI score 8.3, EPSS 0.0137
Exploits: 11, References: 10

Apple
added 2016/01/25 12:0 a.m., 37 views

About the security content of tvOS 9.1.1

About the security content of tvOS 9.1.1 This document describes the security content of tvOS 9.1.1. For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To...

CVSS 9.3, AI score 0.8, EPSS 0.0137
Exploits: 11, References: 1, Affected Software: 1

CNVD
added 2016/01/23 12:0 a.m., 1 views

Apple iOS IOKit Handling Arbitrary Code Execution Vulnerability

Apple iOS is Apple's operating system for several smart devices. A memory corruption vulnerability exists in Apple iOS IOKit handling, which allows local attackers to execute arbitrary code...

CVSS 7.8, AI score 7.1, EPSS 0.00242
Exploits: 2, References: 1

Tenable Nessus
added 2016/01/21 12:0 a.m., 41 views

Mac OS X 10.11.x < 10.11.3 Multiple Vulnerabilities

The remote host is running a version of Mac OS X that is 10.11.x prior to 10.11.3. It is, therefore, affected by multiple vulnerabilities in the following components : - AppleGraphicsPowerManagement - Disk Images - IOAcceleratorFamily - IOHIDFamily - IOKit - Kernel - libxslt - OSA Scripts - syslo...

CVSS 7.8, AI score 8.2, EPSS 0.0137
Exploits: 11, References: 11

Apple
added 2016/01/19 12:0 a.m., 32 views

About the security content of iOS 9.2.1

About the security content of iOS 9.2.1 This document describes the security content of iOS 9.2.1. For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To lear...

CVSS 9.3, AI score 0.4, EPSS 0.01695
Exploits: 11, References: 1, Affected Software: 1

NVD
added 2015/12/11 11:59 a.m., 13 views

CVE-2015-7068

IOKit SCSI in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, and watchOS before 2.1 allows attackers to execute arbitrary code in a privileged context or cause a denial of service NULL pointer dereference via an app that provides an unspecified userclient type...

CVSS 9.3, AI score 7.8, EPSS 0.03935
Exploits: 1, References: 10

Prion
added 2015/12/11 11:59 a.m., 18 views

Null pointer dereference

IOKit SCSI in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, and watchOS before 2.1 allows attackers to execute arbitrary code in a privileged context or cause a denial of service NULL pointer dereference via an app that provides an unspecified userclient type...

CVSS 9.3, AI score 7.7, EPSS 0.03935
Exploits: 1, References: 10, Affected Software: 4

CVE
added 2015/12/11 11:0 a.m., 66 views

CVE-2015-7068

CVE-2015-7068 concerns IOKit SCSI in Apple devices (iOS <9.2, OS X <10.11.2, tvOS <9.1, watchOS

CVSS 9.3, AI score 8.5, EPSS 0.03935
Exploits: 1, References: 10, Affected Software: 1

Cvelist
added 2015/12/11 11:0 a.m., 20 views

CVE-2015-7068

IOKit SCSI in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, and watchOS before 2.1 allows attackers to execute arbitrary code in a privileged context or cause a denial of service NULL pointer dereference via an app that provides an unspecified userclient type...

AI score 7.8, EPSS 0.03935
Exploits: 1, References: 10