8 matches found
📄 macOS Sierra 10.12 Build 16A323 Double-Free / Privilege Escalation
macOS Sierra version 10.12 Build 16.A323 local privilege escalation proof of concept exploit. A flaw in the MIG ownership model within the ioserviceaddnotificationool routine of IOKit allows a malicious user to leak Mach port send-right references. By repeatedly invoking notifications with...
macOS 10.13.2 - Double mach_port_deallocate in kextd due to Failure to Comply with MIG Ownership Rul
Exploit for macOS platform in category dos / poc Here's a kextd method exposed via MIG com.apple.KernelExtensionServer kernreturnt kextmanagerunlockkextload machportt server, machportt client kernreturnt migresult = KERNFAILURE; if gClientUID != 0 OSKextLog/ kext / NULL, kOSKextLogErrorLevel |...
macOS / iOS - ReportCrash mach port Replacement due to Failure to Respect MIG Ownership Rules
Exploit for multiple platform in category dos / poc / ReportCrash is the daemon responsible for making crash dumps of crashing userspace processes. Most processes can talk to ReportCrash via their exception ports either task or host level. You would normally never send a message yourself to...
Apple macOS 10.13.2 - Double mach_port_deallocate in kextd due to Failure to Comply with MIG Ownership Rules
Here's a kextd method exposed via MIG com.apple.KernelExtensionServer kernreturnt kextmanagerunlockkextload machportt server, machportt client kernreturnt migresult = KERNFAILURE; if gClientUID != 0 OSKextLog/ kext / NULL, kOSKextLogErrorLevel | kOSKextLogIPCFlag, "Non-root kextutil doesn't need ...
Apple macOS/iOS - ReportCrash mach port Replacement due to Failure to Respect MIG Ownership Rules
/ ReportCrash is the daemon responsible for making crash dumps of crashing userspace processes. Most processes can talk to ReportCrash via their exception ports either task or host level. You would normally never send a message yourself to ReportCrash but the kernel would do it on your behalf whe...
iOS/MacOS kernel double free due to IOSurfaceRootUserClient not respecting MIG ownership rules(CVE-2017-13861)
I have previously detailed the lifetime management paradigms in MIG in the writeups for: CVE-2016-7612 https://bugs.chromium.org/p/project-zero/issues/detail?id=926 and CVE-2016-7633 https://bugs.chromium.org/p/project-zero/issues/detail?id=954 If a MIG method returns KERNSUCCESS it means that th...
Apple macOS/iOS - Kernel Double Free due to IOSurfaceRootUserClient not Respecting MIG Ownership Rules
I have previously detailed the lifetime management paradigms in MIG in the writeups for: CVE-2016-7612 https://bugs.chromium.org/p/project-zero/issues/detail?id=926 and CVE-2016-7633 https://bugs.chromium.org/p/project-zero/issues/detail?id=954 If a MIG method returns KERNSUCCESS it means that th...
Apple macOSiOS - Kernel Double Free due to IOSurfaceRootUserClient not Respecting MIG Ownership Rules
Apple macOSiOS - Kernel Double Free due to IOSurfaceRootUserClient not Respecting MIG Ownership Rules I have previously detailed the lifetime management paradigms in MIG in the writeups for: CVE-2016-7612 https://bugs.chromium.org/p/project-zero/issues/detail?id=926 and CVE-2016-7633...