Apple iOS 11.2.5 watchOS 4.2.2 tvOS 11.2.5 - bluetoothd Memory Corruption

Apple iOS 11.2.5 watchOS 4.2.2 tvOS 11.2.5 - bluetoothd Memory Corruption // // main.m // bluetoothdPoC // // Created by Rani Idan. // Copyright © 2018 zLabs. All rights reserved. // import "AppDelegate.h" include extern kernreturnt bootstraplookupmachportt bs, const char servicename, machportt...

macOS/IOS: mach_msg doesn't copy memory in a certain case(CVE-2017-2456)

When sending ool memory via |machmsg| with |deallocate| flag or |MACHMSGVIRTUALCOPY| flag, |machmsg| performs moving the memory to the destination process instead of copying it. But it doesn't consider the memory entry object that could resurrect the moved memory. As a result, it could lead to a...

Apple macOS / IOS 10.12.2(16C67) - mach_msg Heap Overflow Exploit

Exploit for multiple platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1083 When sending ool memory via |machmsg| with |deallocate| flag or |MACHMSGVIRTUALCOPY| flag, |machmsg| performs moving the memory to the destination process instead of copyin...

Apple macOSIOS 10.12.2 (16C67) - mach_msg Heap Overflow

Apple macOSIOS 10.12.2 16C67 - machmsg Heap Overflow / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1083 When sending ool memory via |machmsg| with |deallocate| flag or |MACHMSGVIRTUALCOPY| flag, |machmsg| performs moving the memory to the destination process instead of copyi...

Apple macOS/IOS 10.12.2 (16C67) - 'mach_msg' Heap Overflow

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1083 When sending ool memory via |machmsg| with |deallocate| flag or |MACHMSGVIRTUALCOPY| flag, |machmsg| performs moving the memory to the destination process instead of copying it. But it doesn't consider the memory entry objec...

Apple Mac OSX Kernel - IOAccelMemoryInfoUserClient Use-After-Free

/ Source: https://code.google.com/p/google-security-research/issues/detail?id=566 Kernel UaF with IOAccelMemoryInfoUserClient with spoofed no more senders notifications repro: while true; do ./iospoofig7; done Tested on ElCapitan 10.11 15a284 on MacBookAir 5,2 / // ianbeer // clang -o iospoofig7...

Apple Mac OSX Kernel - no-more-senders Use-After-Free

Apple Mac OSX Kernel - no-more-senders Use-After-Free / Source: https://code.google.com/p/google-security-research/issues/detail?id=567 Kernel UaF due to audit session port failing to correctly account for spoofed no-more-senders notifications Tested on ElCapitan 10.11 15a284 on MacBookAir 5,2 / ...

Apple Mac OSX Kernel - no-more-senders Use-After-Free

/ Source: https://code.google.com/p/google-security-research/issues/detail?id=567 Kernel UaF due to audit session port failing to correctly account for spoofed no-more-senders notifications Tested on ElCapitan 10.11 15a284 on MacBookAir 5,2 / // ianbeer / Kernel UaF due to audit session port...