Seebug SSV:92892 (Root), Apr 04, 2017

MacOS kernel code execution due to lack of bounds checking in AppleIntelCapriController::GetLinkConfig (CVE-2017-2443)

Source: www.seebug.org

EPSS: 0.002 (Low), percentile 57.2%

Selector 0x921 of the IntelFBClientControl user client ends up in AppleIntelCapriController::GetLinkConfig.

This method takes a structure input buffer and a structure output buffer. It reads an attacker-controlled dword from the input buffer and uses it, with no bounds checking, to index an array of pointers.

The pointer read from that array is passed to AppleIntelFramebuffer::validateDisplayMode, where the uint64 at offset +2130h is used as a C++ object pointer on which a virtual method is called. With some heap grooming this could be used to get kernel code execution.
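The bug shape the report describes, as an added C model that is not the report's attachment and not Apple's code: an index dword taken straight from the structure input buffer selects a pointer from a fixed-size table, the selected object's field at +0x2130 is treated as a C++ object, and its first virtual method is called. The table size (4), the position of the index dword (offset 0 of the input struct), the single attacker-groomed slot placed directly after the table and the fake objects it leads to are all assumptions made for the model; the hardened variant shows the missing bounds check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LINK_TABLE_LEN 4           /* assumed size of the pointer table */
#define DISPLAY_OBJ_OFFSET 0x2130  /* the +2130h field named in the report */

/* C++ object layout as the compiler emits it: vtable pointer first. */
struct display_obj;
struct display_vtable {
    int (*validate)(struct display_obj *self);
};
struct display_obj {
    const struct display_vtable *vt;
    int mode_ok;
};

/* What the table entries point at; only the field at +0x2130 is modelled. */
struct link_entry {
    uint8_t pad[DISPLAY_OBJ_OFFSET];
    struct display_obj *display;
};

/* Structure input as the method receives it; the index dword is assumed at offset 0. */
struct get_link_config_in {
    uint32_t link_index;
};

/* Legitimate objects the in-range table slots point at. */
static int legit_validate(struct display_obj *self) { return self->mode_ok; }
static const struct display_vtable legit_vt = { legit_validate };
static struct display_obj legit_display = { &legit_vt, 1 };
static struct link_entry legit_entry = { .display = &legit_display };

/* Attacker-groomed objects: in the real bug these would be heap sprayed. */
static int attacker_validate(struct display_obj *self) { (void)self; return 0x41414141; }
static const struct display_vtable fake_vt = { attacker_validate };
static struct display_obj fake_display = { &fake_vt, 0 };
static struct link_entry fake_entry = { .display = &fake_display };

/*
 * Kernel memory model: the pointer table, followed by the one slot the
 * attacker has groomed right after it.  Index LINK_TABLE_LEN lands there;
 * larger indices are not modelled (they would read outside this array).
 */
static struct link_entry *kmem[LINK_TABLE_LEN + 1] = {
    &legit_entry, &legit_entry, &legit_entry, &legit_entry, &fake_entry,
};

/* Stand-in for AppleIntelFramebuffer::validateDisplayMode: virtual call via +0x2130. */
static int validate_display_mode(struct link_entry *e) {
    struct display_obj *d = e->display;
    return d->vt->validate(d);
}

/* Vulnerable shape: the caller's dword indexes the table as-is. */
int get_link_config_unchecked(const void *in, size_t in_len) {
    if (in_len < sizeof(struct get_link_config_in))
        return -1;
    uint32_t idx = ((const struct get_link_config_in *)in)->link_index;
    return validate_display_mode(kmem[idx]);          /* no bounds check */
}

/* Hardened shape: reject any index outside the table before dereferencing. */
int get_link_config_checked(const void *in, size_t in_len) {
    if (in_len < sizeof(struct get_link_config_in))
        return -1;
    uint32_t idx = ((const struct get_link_config_in *)in)->link_index;
    if (idx >= LINK_TABLE_LEN)
        return -1;
    return validate_display_mode(kmem[idx]);
}

int main(void) {
    struct get_link_config_in ok = { 1 };
    struct get_link_config_in oob = { LINK_TABLE_LEN };
    printf("unchecked, in range:  %#x\n", (unsigned)get_link_config_unchecked(&ok, sizeof ok));
    printf("unchecked, oob index: %#x\n", (unsigned)get_link_config_unchecked(&oob, sizeof oob));
    printf("checked, oob index:   %d\n", get_link_config_checked(&oob, sizeof oob));
    return 0;
}
```

With the out-of-range index the unchecked path walks from the groomed slot through the fake +0x2130 field into an attacker-supplied vtable and returns the marker 0x41414141 from the attacker's function, which is the control-flow hijack the report points at; the checked path refuses the index before any dereference.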

Tested on macOS Sierra 10.12.2 (16C67).

Attachment: capri_exec.c
