macOS 10.13 (17A365) - Kernel Memory Disclosure due to Lack of Bounds Checking in 'AppleIntelCapriController::getDisplayPipeCapability'

/ AppleIntelCapriController::getDisplayPipeCapability reads an attacker-controlled dword value from a userclient structure input buffer which it uses to index a small array of pointers to memory to copy back to userspace. There is no bounds checking on the attacker supplied value allowing with so...

macOS 10.13 (17A365) - Kernel Memory Disclosure due to Lack of Bounds Checking in AppleIntelCapriController::getDisplayPipeCapability

macOS 10.13 17A365 - Kernel Memory Disclosure due to Lack of Bounds Checking in AppleIntelCapriController::getDisplayPipeCapability / AppleIntelCapriController::getDisplayPipeCapability reads an attacker-controlled dword value from a userclient structure input buffer which it uses to index a smal...

Apple macOS - Kernel Code Execution due to Lack of Bounds Checking in AppleIntelCapriController::GetLinkConfig

Apple macOS - Kernel Code Execution due to Lack of Bounds Checking in AppleIntelCapriController::GetLinkConfig / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1375 AppleIntelCapriController::GetLinkConfig trusts a user-supplied value in the structure input which it uses to ind...

Apple Mac OSX Kernel - Null Pointer Dereference in AppleGraphicsDeviceControl

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=782 AppleGraphicsDeviceControlClient doesn't check that its pointer to its IOService at this+0xd8 is non-null before using it in all external methods. We can set this pointer to NULL by racing two threads, one of which calls...

Apple Mac OSX Kernel - NULL Dereference in IOAccelSharedUserClient2::page_off_resource

Apple Mac OSX Kernel - NULL Dereference in IOAccelSharedUserClient2::pageoffresource / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=778 IOAccelerator external method IOAccelSharedUserClient2::pageoffresource uses the pointer at this+0x100 without checking if it's NULL. A seri...

Apple Mac OSX Kernel - IOAccelMemoryInfoUserClient Use-After-Free

/ Source: https://code.google.com/p/google-security-research/issues/detail?id=566 Kernel UaF with IOAccelMemoryInfoUserClient with spoofed no more senders notifications repro: while true; do ./iospoofig7; done Tested on ElCapitan 10.11 15a284 on MacBookAir 5,2 / // ianbeer // clang -o iospoofig7...

Apple Mac OSX Kernel - no-more-senders Use-After-Free

Apple Mac OSX Kernel - no-more-senders Use-After-Free / Source: https://code.google.com/p/google-security-research/issues/detail?id=567 Kernel UaF due to audit session port failing to correctly account for spoofed no-more-senders notifications Tested on ElCapitan 10.11 15a284 on MacBookAir 5,2 / ...

Apple Mac OSX - IOSCSIPeripheralDeviceType00 Userclient Type 12 Kernel NULL Dereference

/ Source: https://code.google.com/p/google-security-research/issues/detail?id=562 Opening userclient type 12 of IOSCSIPeripheralDeviceType00 leads to an exploitable kernel NULL dereference. Tested on OS X 10.11 ElCapitan 15a284 on MacBookAir5,2 / // ianbeer // clang -o scsiperipheral...

Apple Mac OSX - 'IntelAccelerator::gstqConfigure' Kernel NULL Dereference

/ Source: https://code.google.com/p/google-security-research/issues/detail?id=595 The field at IntelAccelerator+0xe60 is a pointer to a GSTContextKernel allocated in the ::gstqCreateInfoMethod. In the ::start method this field is initialized to NULL. The IGAccelDevice external method gstconfigure...

Apple Mac OSX - IOSCSIPeripheralDeviceType00 Userclient Type 12 Kernel NULL Dereference

Apple Mac OSX - IOSCSIPeripheralDeviceType00 Userclient Type 12 Kernel NULL Dereference / Source: https://code.google.com/p/google-security-research/issues/detail?id=562 Opening userclient type 12 of IOSCSIPeripheralDeviceType00 leads to an exploitable kernel NULL dereference. Tested on OS X 10.1...

Another OS X to mention the right vulnerability-vulnerability warning-the black bar safety net

! /Article/UploadPic/2015-8/2015819144820242.jpg If you are using OS X Yosemite,have a look at this article,the malicious software takes advantage of a new way to control your Mac. In the Appleoperating systemhas been found a vulnerability,the vulnerability can be in the absence of the owner of t...

Apple Mac OSX 10.10 - BlueTooth BlueToothHCIChangeLocalName Crash (PoC)

/ crash-issue2.c: Written for Mac OS X Yosemite 10.10 by @rpaleari and @joystick. Triggers a panic overwriting a stackcanary. gcc -Wall -o crash-issue2,.c -framework IOKit / include include include include include include struct BluetoothCall uint64t args7; uint64t sizes7; uint64t index; ; int...