31 matches found
macOS Kernel - Use-After-Free Due to Lack of Locking in AppleEmbeddedOSSupportHostClient::registerNotificationPort
/ AppleEmbeddedOSSupportHost.kext is presumably involved in the communication with the OS running on the touch bar on new MBP models. Here's the userclient's registerNotificationPort method: __text:0000000000002DE4 ; AppleEmbeddedOSSupportHostClient::registerNotificationPort(ipc_port *, unsigned int, ...
CVE-2017-13782
An issue was discovered in certain Apple products. macOS before 10.13.1 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read restrictions via a /dev/dtracehelper attack involving the dtrace_dif_variable and dtrace_getarg functions...
CVE-2017-7067
An issue was discovered in certain Apple products. macOS before 10.12.6 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read restrictions via a crafted app...
How to exploit the JavaScript array integer overflow vulnerability in WebKit - vulnerability warning - Black Bar Safety Net
In this article I will describe CVE-2017-2536 / ZDI-17-358, a typical integer overflow vulnerability: when the system calculates the size of the space to allocate, the overflow can lead to a heap buffer overflow. We not only give you...
CVE-2017-2494
An issue was discovered in certain Apple products. macOS before 10.12.5 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service memory corruption via a crafted app...
macOS Kernel 10.12.3 (16D32) - Use-After-Free Due to Double-Release in posix_spawn Exploit
Exploit for multiple platforms in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1104 exec_handle_port_actions is responsible for handling the xnu port actions extension to posix_spawn. It supports 4 different types of port: PSPA_SPECIAL, PSPA_EXCEPTION,...
Apple macOS 10.12.1 iOS Kernel - host_self_trap Use-After-Free
Apple macOS 10.12.1 iOS Kernel - host_self_trap Use-After-Free / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1034 The task struct has a lock itk_lock_data, taken via the itk_lock macros, which is supposed to protect the task->itk ports. The host_self_trap mach trap accesses...
MacOS Kernel 10.12 - Double vm_deallocate in Userspace MIG Code Use-After-Free Exploit
Exploit for macOS platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=954 Proofs of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40954.zip Userspace MIG services often use mach_msg_server or...
Apple macOS 10.12.1 Kernel - Writable Privileged IOKit Registry Properties Code Execution
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=974 There are two ways for IOServices to define their IOUserClient classes: they can override IOService::newUserClient and allocate the correct type themselves, or they can set the IOUserClientClass key in their registry entry. Th...
Vulnerabilities of iOS and Mac OS X operating systems, which allow a hacker to execute arbitrary code in a privileged context
The multiple vulnerabilities in the kernels of iOS and Mac OS X operating systems are caused by numerical overflows. Exploitation of these vulnerabilities allows a malicious actor to execute arbitrary code in a privileged context using a specially created application...