EUVD-2015-1280

Malware in sbrugna...

Apple macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver

Apple macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver / nvDevice::SetAppSupportBits is external method 0x107 of the nvAccelerator IOService. It calls taskdeallocate without locking. Two threads can race calling this external method to drop two task references when on...

macOS #Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver Exploit

Exploit for macOS platform in category dos / poc / nvDevice::SetAppSupportBits is external method 0x107 of the nvAccelerator IOService. It calls taskdeallocate without locking. Two threads can race calling this external method to drop two task references when only one is held. Note that the repro...

Apple macOS/iOS - Multiple Kernel Use-After-Frees due to Incorrect IOKit Object Lifetime Management in IOTimeSyncClockManagerUserClient

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1377 IOTimeSyncClockManagerUserClient provides the userspace interface for the IOTimeSyncClockManager IOService. IOTimeSyncClockManagerUserClient overrides the IOUserClient::clientClose method but it treats it like a destructor...

Apple macOS 10.12.1 iOS Kernel - IOService::matchPassive Use-After-Free

Apple macOS 10.12.1 iOS Kernel - IOService::matchPassive Use-After-Free / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=973 IOService::matchPassive is called when trying to match a request dictionary against a candidate IOService. We can call this function on a controlled...

Apple macOS 10.12.1 / iOS Kernel - 'IOService::matchPassive' Use-After-Free

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=973 IOService::matchPassive is called when trying to match a request dictionary against a candidate IOService. We can call this function on a controlled IOService with a controlled matching table OSDictionary via the...

macOS 10.12.1 / iOS Kernel - IOService::matchPassive Use-After-Free Exploit

Exploit for multiple platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=973 IOService::matchPassive is called when trying to match a request dictionary against a candidate IOService. We can call this function on a controlled IOService with a...

Apple macOS 10.12.1 Kernel - Writable Privileged IOKit Registry Properties Code Execution

Apple macOS 10.12.1 Kernel - Writable Privileged IOKit Registry Properties Code Execution / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=974 There are two ways for IOServices to define their IOUserClient classes: they can override IOService::newUserClient and allocate the...

Apple Mac OSX - Kernel Exploitable Null Pointer Dereference in AppleGraphicsDeviceControl

Exploit for macOS platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=782 AppleGraphicsDeviceControlClient doesn't check that its pointer to its IOService at this+0xd8 is non-null before using it in all external methods. We can set this pointer to NU...

Apple Mac OSX Kernel - Null Pointer Dereference in AppleGraphicsDeviceControl

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=782 AppleGraphicsDeviceControlClient doesn't check that its pointer to its IOService at this+0xd8 is non-null before using it in all external methods. We can set this pointer to NULL by racing two threads, one of which calls...

Apple Mac OSX Kernel - Null Pointer Dereference in AppleGraphicsDeviceControl

Apple Mac OSX Kernel - Null Pointer Dereference in AppleGraphicsDeviceControl / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=782 AppleGraphicsDeviceControlClient doesn't check that its pointer to its IOService at this+0xd8 is non-null before using it in all external methods. ...

Apple Mac OSX Kernel - Hypervisor Driver Use-After-Free

/ Source: https://code.google.com/p/google-security-research/issues/detail?id=580 The hvspace lock group gets an extra ref dropped when you kill a process with an AppleHV userclient; one via IOService::terminateWorker calling the AppleHVClient::free method which calls lckrwfree on the lock group...

Apple Mac OSX Kernel - Hypervisor Driver Use-After-Free

Apple Mac OSX Kernel - Hypervisor Driver Use-After-Free / Source: https://code.google.com/p/google-security-research/issues/detail?id=580 The hvspace lock group gets an extra ref dropped when you kill a process with an AppleHV userclient; one via IOService::terminateWorker calling the...

CVE-2015-1137

The NVIDIA graphics driver in Apple OS X before 10.10.3 allows local users to gain privileges or cause a denial of service NULL pointer dereference via an unspecified IOService userclient type...

CVE-2015-1137

The NVIDIA graphics driver in Apple OS X before 10.10.3 allows local users to gain privileges or cause a denial of service NULL pointer dereference via an unspecified IOService userclient type...

Null pointer dereference

IOAcceleratorFamily in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not properly handle resource lists and IOService userclient types, which allows attackers to execute arbitrary code or cause a denial of service NULL pointer dereference via a crafted app...