Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

MacOS Insecure Swap File Vulnerability

🗓️ 19 May 2017 00:00:00Reported by Google Security ResearchType 
zdt
 zdt🔗 0day.today👁 40 Views

MacOS Insecure Swap File Vulnerability- CVE-2017-249

Related
Code
ReporterTitlePublishedViews
Family
Tenable Nessus		Mac OS X 10.x < 10.12.5 Multiple Vulnerabilities
17 May 201700:00
nessus
Tenable Nessus		macOS 10.12.x < 10.12.5 Multiple Vulnerabilities
18 May 201700:00
nessus
Apple		About the security content of macOS Sierra 10.12.5, Security Update 2017-002 El Capitan, and Security Update 2017-002 Yosemite
15 May 201700:00
apple
Apple		About the security content of macOS Sierra 10.12.5, Security Update 2017-002 El Capitan, and Security Update 2017-002 Yosemite - Apple Support
8 Jun 201709:43
apple
BDU FSTEC		The vulnerability of the Kernel component of the Mac OS X operating system allows a hacker to trigger a service failure or execute arbitrary code in a privileged context.
15 Jun 201700:00
bdu_fstec
CNVD		Apple macOS Sierra kernel memory corruption elevation of privilege vulnerability
23 May 201700:00
cnvd
CVE		CVE-2017-2494
22 May 201704:54
cve
Cvelist		CVE-2017-2494
22 May 201704:54
cvelist
EUVD		EUVD-2017-11677
7 Oct 202500:30
euvd
NVD		CVE-2017-2494
22 May 201705:29
nvd
Rows per page
MacOS uses an insecure swap file 

CVE-2017-2494


This came out of a discussion with Jann Horn this afternoon; credit is his.

It turns out that even with SIP enabled a regular root user can write to the swapfile under /private/var/vm/swapfile0.

That file is created on demand when the system starts to swap; if you can't see it increase system load.

Then as root (with SIP enabled) do:

cat /dev/urandom > /private/var/vm/swapfile0

We observed multiple interesting-looking kernel panics including in the swapfile decompression code and also the intel GPU driver doing something with GPU pages.



Found by: ianbeer

#  0day.today [2018-04-02]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
19 May 2017 00:00Current
8.7High risk
Vulners AI Score8.7
EPSS0.00231
macosinsecureswap filevulnerabilitysipkernel panicsintel gpu driver
40