Apple Mac OSX Kernel - IOAccelMemoryInfoUserClient Use-After-Free

/ Source: https://code.google.com/p/google-security-research/issues/detail?id=566 Kernel UaF with IOAccelMemoryInfoUserClient with spoofed no more senders notifications repro: while true; do ./iospoofig7; done Tested on ElCapitan 10.11 15a284 on MacBookAir 5,2 / // ianbeer // clang -o iospoofig7...

Apple Mac OSX Kernel - no-more-senders Use-After-Free

Apple Mac OSX Kernel - no-more-senders Use-After-Free / Source: https://code.google.com/p/google-security-research/issues/detail?id=567 Kernel UaF due to audit session port failing to correctly account for spoofed no-more-senders notifications Tested on ElCapitan 10.11 15a284 on MacBookAir 5,2 / ...

Apple Mac OSX - Kernel IOAccelDisplayPipeUserClient2 Use-After-Free

Exploit for macOS platform in category dos / poc / Source: https://code.google.com/p/google-security-research/issues/detail?id=565 Kernel UaF with IOAccelDisplayPipeUserClient2 with spoofed no more senders notifications repro: while true; do ./iospoofig4; done Likely to crash in various ways; hav...

Apple Mac OSX Kernel - IOAccelDisplayPipeUserClient2 Use-After-Free

Apple Mac OSX Kernel - IOAccelDisplayPipeUserClient2 Use-After-Free / Source: https://code.google.com/p/google-security-research/issues/detail?id=565 Kernel UaF with IOAccelDisplayPipeUserClient2 with spoofed no more senders notifications repro: while true; do ./iospoofig4; done Likely to crash i...

Apple Mac OSX Kernel - IOAccelMemoryInfoUserClient Use-After-Free

Apple Mac OSX Kernel - IOAccelMemoryInfoUserClient Use-After-Free / Source: https://code.google.com/p/google-security-research/issues/detail?id=566 Kernel UaF with IOAccelMemoryInfoUserClient with spoofed no more senders notifications repro: while true; do ./iospoofig7; done Tested on ElCapitan...

Apple Mac OSX Kernel - Hypervisor Driver Use-After-Free

/ Source: https://code.google.com/p/google-security-research/issues/detail?id=580 The hvspace lock group gets an extra ref dropped when you kill a process with an AppleHV userclient; one via IOService::terminateWorker calling the AppleHVClient::free method which calls lckrwfree on the lock group...

Apple Mac OSX - 'gst_configure' Kernel Buffer Overflow

/ Source: https://code.google.com/p/google-security-research/issues/detail?id=596 The external method 0x206 of IGAccelGLContext is gstconfigure. This method takes an arbitrary sized input structure passed in rsi but doesn't check the size of that structure passed in rcx. text:000000000002A366...

Apple Mac OSX - 'IOBluetoothHCIUserClient' Arbitrary Kernel Code Execution

/ Source: https://code.google.com/p/google-security-research/issues/detail?id=569 IOBluetoothHCIUserClient uses an IOCommandGate to dispatch external methods; it passes a pointer to the structInput of the external method as arg0 and ::SimpleDispatchWL as the Action. It neither passes nor checks t...

Apple Mac OSX - Kernel no-more-senders Use-After-Free

Exploit for macOS platform in category dos / poc / Source: https://code.google.com/p/google-security-research/issues/detail?id=567 Kernel UaF due to audit session port failing to correctly account for spoofed no-more-senders notifications Tested on ElCapitan 10.11 15a284 on MacBookAir 5,2 / //...

Apple Mac OSX - 'IntelAccelerator::gstqConfigure' Kernel NULL Dereference

/ Source: https://code.google.com/p/google-security-research/issues/detail?id=595 The field at IntelAccelerator+0xe60 is a pointer to a GSTContextKernel allocated in the ::gstqCreateInfoMethod. In the ::start method this field is initialized to NULL. The IGAccelDevice external method gstconfigure...

Apple Mac OSX - IntelAccelerator::gstqConfigure Exploitable Kernel NULL Dereference

Exploit for macOS platform in category dos / poc / Source: https://code.google.com/p/google-security-research/issues/detail?id=595 The field at IntelAccelerator+0xe60 is a pointer to a GSTContextKernel allocated in the ::gstqCreateInfoMethod. In the ::start method this field is initialized to NUL...

Apple Mac OSX - IOSCSIPeripheralDeviceType00 Userclient Type 12 Kernel NULL Dereference

/ Source: https://code.google.com/p/google-security-research/issues/detail?id=562 Opening userclient type 12 of IOSCSIPeripheralDeviceType00 leads to an exploitable kernel NULL dereference. Tested on OS X 10.11 ElCapitan 15a284 on MacBookAir5,2 / // ianbeer // clang -o scsiperipheral...

Apple Mac OSX Kernel - no-more-senders Use-After-Free

/ Source: https://code.google.com/p/google-security-research/issues/detail?id=567 Kernel UaF due to audit session port failing to correctly account for spoofed no-more-senders notifications Tested on ElCapitan 10.11 15a284 on MacBookAir 5,2 / // ianbeer / Kernel UaF due to audit session port...

Apple Mac OSX - IOSCSIPeripheralDeviceType00 Userclient Type 12 Exploitable Kernel NULL Dereference

Exploit for macOS platform in category dos / poc / Source: https://code.google.com/p/google-security-research/issues/detail?id=562 Opening userclient type 12 of IOSCSIPeripheralDeviceType00 leads to an exploitable kernel NULL dereference. Tested on OS X 10.11 ElCapitan 15a284 on MacBookAir5,2 / /...

Apple Mac OSX - Kernel IOAccelMemoryInfoUserClient Use-After-Free

Exploit for macOS platform in category dos / poc / Source: https://code.google.com/p/google-security-research/issues/detail?id=566 Kernel UaF with IOAccelMemoryInfoUserClient with spoofed no more senders notifications repro: while true; do ./iospoofig7; done Tested on ElCapitan 10.11 15a284 on...

Apple Mac OSX - IOSCSIPeripheralDeviceType00 Userclient Type 12 Kernel NULL Dereference

Apple Mac OSX - IOSCSIPeripheralDeviceType00 Userclient Type 12 Kernel NULL Dereference / Source: https://code.google.com/p/google-security-research/issues/detail?id=562 Opening userclient type 12 of IOSCSIPeripheralDeviceType00 leads to an exploitable kernel NULL dereference. Tested on OS X 10.1...

Apple Mac OSX Kernel - IOAccelDisplayPipeUserClient2 Use-After-Free

/ Source: https://code.google.com/p/google-security-research/issues/detail?id=565 Kernel UaF with IOAccelDisplayPipeUserClient2 with spoofed no more senders notifications repro: while true; do ./iospoofig4; done Likely to crash in various ways; have observed NULL derefs and NX traps. Tested on...

Apple Mac OSX Kernel - Hypervisor Driver Use-After-Free

Apple Mac OSX Kernel - Hypervisor Driver Use-After-Free / Source: https://code.google.com/p/google-security-research/issues/detail?id=580 The hvspace lock group gets an extra ref dropped when you kill a process with an AppleHV userclient; one via IOService::terminateWorker calling the...