MacOS Kernel < 10.12.2 / iOS < 10.2 - ipc_port_t Reference Count Leak Due to Incorrect externa

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=930
 
IOUserClient subclasses which override IOUserClient::externalMethod need to ensure that if they return
kIOReturnSuccess they actually take ownership of the mach_port_t asyncWakePort if they are called via
IOConnectCallAsyncMethod.
 
If the userclient code doesn't take ownership of the mach port and returns a success code MIG assumes that
they did take ownership and won't release it's reference on the port. This leads to a reference count leak.
 
See the previous bug for more in-depth discussion.
 
This PoC targets IOSurface which was just the first userclient I looked at; I imagine more are vulnerable.
This PoC takes about an hour on 4 core MacBookPro to trigger the kernel UaF.
 
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40955.zip

#  0day.today [2018-02-19]  #