Seebug SSV:92885
Apr 04, 2017 - 12:00 a.m.

MacOS kernel memory corruption due to off-by-one in audit_sdev_open (CVE-2017-2483)


EPSS: 0.003 (Low), percentile 67.4%

The auditsession device has a copy-pasted version of the same bug as the auditpipe device:

```c
static int
audit_sdev_open(dev_t dev, __unused int flags, __unused int devtype, proc_t p)
{
	struct audit_sdev *asdev;
	struct auditinfo_addr aia;
	int u;

	u = minor(dev);
	if (u < 0 || u > MAX_AUDIT_SDEVS)
		return (ENXIO);

	(void) audit_sdev_get_aia(p, &aia);

	AUDIT_SDEV_LIST_WLOCK();
	asdev = audit_sdev_dtab[u];
```

Again, that bounds check on the minor number should be `u >= MAX_AUDIT_SDEVS`: with `>` the minor number `MAX_AUDIT_SDEVS` passes the check and indexes one slot past the end of `audit_sdev_dtab`.
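As an added illustration, not code from the original report or from XNU, the following user-space C model puts the vulnerable comparison beside the corrected one and shows which minor numbers each accepts. The table size, the slot type and the helper names are constructed stand-ins; the real `MAX_AUDIT_SDEVS` value and `audit_sdev_dtab` layout are not given on this page.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-in for MAX_AUDIT_SDEVS; the kernel's real value is not on the page. */
#define MAX_AUDIT_SDEVS 32

/* Constructed stand-in for audit_sdev_dtab: valid indices are 0 .. MAX_AUDIT_SDEVS-1. */
static void *audit_sdev_dtab[MAX_AUDIT_SDEVS];

/* True when u does not name a slot inside the table. */
static bool index_out_of_table(int u)
{
	return u < 0 ||
	       (size_t)u >= sizeof(audit_sdev_dtab) / sizeof(audit_sdev_dtab[0]);
}

/* The check as written in the report: returns -ENXIO on rejection, else the
 * accepted index. u == MAX_AUDIT_SDEVS slips through (one past the end). */
static int minor_check_vulnerable(int u)
{
	if (u < 0 || u > MAX_AUDIT_SDEVS)
		return -ENXIO;
	return u;
}

/* The corrected check: the upper bound is exclusive, so only 0 .. MAX-1 pass. */
static int minor_check_fixed(int u)
{
	if (u < 0 || u >= MAX_AUDIT_SDEVS)
		return -ENXIO;
	return u;
}

/* Counts how many minor numbers in [-1, limit] a check accepts even though
 * they fall outside the table. For the vulnerable check this is exactly 1. */
static int count_oob_accepted(int (*check)(int), int limit)
{
	int n = 0;
	for (int u = -1; u <= limit; u++) {
		int r = check(u);
		if (r != -ENXIO && index_out_of_table(r))
			n++;
	}
	return n;
}
```

The model deliberately stops at the index: it never dereferences `audit_sdev_dtab[u]`, since the point is only that the inclusive comparison lets the one-past-the-end slot through, which is where the report's pointer/counter confusion begins.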

In the auditsession case we again end up with that out-of-bounds pointer being confused with a counter, in this case `audit_sdev_drops`, allowing us to arbitrarily increment a `struct audit_sdev` pointer.

This is a root -> kernel privesc, as you need to be able to mknod the auditsession device with a controlled minor number.

Tested on macOS 10.12.3 (16D32) on MacBookAir5,2.

Attachment: auditsession_oob.c
