Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtGoogle Security Research1337DAY-ID-30278
HistoryMay 01, 2018 - 12:00 a.m.

macOS 10.13.2 - Double mach_port_deallocate in kextd due to Failure to Comply with MIG Ownership Rul

2018-05-0100:00:00
Google Security Research
0day.today
16

0.003 Low

EPSS

Percentile

65.2%

JSON

Exploit for macOS platform in category dos / poc

Here's a kextd method exposed via MIG (com.apple.KernelExtensionServer)
 
  kern_return_t _kextmanager_unlock_kextload(
      mach_port_t server,
      mach_port_t client)
  {
      kern_return_t mig_result = KERN_FAILURE;
       
      if (gClientUID != 0) {
          OSKextLog(/* kext */ NULL,
              kOSKextLogErrorLevel | kOSKextLogIPCFlag,
              "Non-root kextutil doesn't need to lock/unlock.");
          mig_result = KERN_SUCCESS;
          goto finish;
      }
       
      if (client != (mach_port_t)dispatch_source_get_handle(_gKextutilLock)) {
          OSKextLog(/* kext */ NULL,
              kOSKextLogErrorLevel | kOSKextLogIPCFlag,
              "%d not used to lock for kextutil.", client);
          goto finish;
      }
 
      removeKextutilLock();
       
      mig_result = KERN_SUCCESS;
       
  finish:    
      // we don't need the extra send right added by MiG
      mach_port_deallocate(mach_task_self(), client);
       
      return mig_result;
  }
 
If the client has UID 0 but passes an invalid client port this code will
drop a UREF on client port then return KERN_FAILURE.
 
Returning KERN_FAILURE in MIG means all resources will be released which will
cause client to be passed to mach_port_deallocate again, even though only 
one UREF was taken.
 
You'll have to use a debugger attached to kextd to see this behaviour.
 
This class of bug is exploitable; please see the writeup for mach_portal from 2016
where I exploited a similar issue [https://bugs.chromium.org/p/project-zero/issues/detail?id=959]
The TL;DR is that an attacker can drop an extra UREF on any send rights in kextd for which the
attacker also has a send right; you could use this to cause a name for a privileged service
to be deallocated then cause the name to be reused to name a port you control.
 
Exploitation of this would be a privesc from unentitled root to root with
com.apple.rootless.kext-management and com.apple.rootless.storage.KernelExtensionManagement entitlements,
which at least last time I looked was equal to kernel code execution.
 
tested on MacOS 10.13.2
 
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44561.zip

#  0day.today [2018-05-07]  #

Related

cve 1
prion 1
exploitpack 1
exploitdb 1
zdt 1
openvas 1
nessus 2
apple 2
cve
cve
CVE-2018-4139
2018-04-03 06:29:00
prion
prion
Memory corruption
2018-04-03 06:29:00
exploitpack
exploitpack
iOSmacOS - task_swap_mach_voucher() Use-After-Free
2019-01-25 00:00:00
exploitdb
exploitdb
iOS/macOS - 'task_swap_mach_voucher()' Use-After-Free
2019-01-25 00:00:00
zdt
zdt
iOS / macOS - task_swap_mach_voucher() Use-After-Free Exploit
2019-01-25 00:00:00
openvas
openvas
Apple MacOSX Security Updates(HT208692)-02
2018-04-02 00:00:00
nessus
nessus
macOS and Mac OS X Multiple Vulnerabilities (Security Update 2018-002)
2018-04-02 00:00:00
macOS 10.13.x < 10.13.4 Multiple Vulnerabilities
2018-04-02 00:00:00
apple
apple
About the security content of macOS High Sierra 10.13.4, Security Update 2018-002 Sierra, and Security Update 2018-002 El Capitan - Apple Support
2019-05-15 09:12:42
About the security content of macOS High Sierra 10.13.4, Security Update 2018-002 Sierra, and Security Update 2018-002 El Capitan
2018-03-29 00:00:00

0.003 Low

EPSS

Percentile

65.2%

JSON
Related for 1337DAY-ID-30278
cve1prion1exploitpack1exploitdb1zdt1openvas1nessus2apple2