zdt | Google Security Research | 1337DAY-ID-27801
History: May 19, 2017 - 12:00 a.m.

MacOS Insecure Swap File Vulnerability

2017-05-19 00:00:00
Google Security Research
0day.today
EPSS: 0.001 (percentile: 36.4%)

It turns out that even with SIP enabled, a regular root user can write to the swapfile under /private/var/vm/swapfile0 on MacOS.

MacOS uses an insecure swap file 

CVE-2017-2494


This came out of a discussion with Jann Horn this afternoon; credit is his.

It turns out that even with SIP enabled, a regular root user can write to the swapfile under /private/var/vm/swapfile0.

That file is created on demand when the system starts to swap; if you can't see it, increase system load.

Then as root (with SIP enabled) do:

cat /dev/urandom > /private/var/vm/swapfile0

We observed multiple interesting-looking kernel panics, including in the swapfile decompression code and also the Intel GPU driver doing something with GPU pages.



Found by: ianbeer

#  0day.today [2018-04-02]  #
