{"id": "1337DAY-ID-32475", "bulletinFamily": "exploit", "title": "iOS < 12.2 / macOS < 10.14.4 XNU - pidversion Increment During execve is Unsafe Exploit", "description": "Exploit for multiple platform in category dos / poc", "published": "2019-04-03T00:00:00", "modified": "2019-04-03T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://0day.today/exploit/description/32475", "reporter": "Google Security Research", "references": [], "cvelist": ["CVE-2019-8514"], "type": "zdt", "lastseen": "2019-04-04T23:41:12", "history": [], "edition": 1, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "c0cd4193dd8f70ec4553760d597b574e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "cdc2aa401057df1e80c0829fd5fd09a7"}, {"key": "href", "hash": "5ada42ca45eca3bcaa328aa264ca7c29"}, {"key": "modified", "hash": "3b1dfa26fc1727c75d40fd49f34fe48a"}, {"key": "published", "hash": "3b1dfa26fc1727c75d40fd49f34fe48a"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "81a8aed471c1b3b06ec573646a85f0f9"}, {"key": "sourceData", "hash": "710207ffe6ac3dcb35735720d7aefec5"}, {"key": "sourceHref", "hash": "3e94aa3540d699d9ce0d9ad3238573d7"}, {"key": "title", "hash": "0ac1a2c6d58e59a9243110c36a93ec8f"}, {"key": "type", "hash": "0678144464852bba10aa2eddf3783f0a"}], "hash": "1278697ea1be0fa107a965b178504cadc329fd5fb27b21ba471fcb223145a3b6", "viewCount": 10, "enchantments": {"score": {"value": 0.0, "vector": "NONE", "modified": "2019-04-04T23:41:12"}, "dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:46648"]}, {"type": "thn", "idList": ["THN:7E4DBFD0E034C7DF2A58395049033C66"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310815009"]}], "modified": "2019-04-04T23:41:12"}, "vulnersScore": 0.0}, "objectVersion": "1.3", "sourceHref": "https://0day.today/exploit/32475", "sourceData": "iOS < 12.2 / #macOS < 10.14.4 #XNU - pidversion Increment During execve is Unsafe Exploit\r\n\r\nPrivileged IPC services in userspace often have to verify the security context of their client processes (such as whether the client is sandboxed, has a specific entitlement, or is signed by some code signing authority). This, in turn, requires a way to identify a client process. If PIDs are used for that purpose, the following attack becomes possible:\r\n\r\n1. The (unprivileged) client process sends an IPC message to a privileged service\r\n2. The client process terminates and spawns a privileged process into its PID\r\n3. The privileged service performs the security check, but since the PID has been reused it performs it on the wrong process\r\n\r\nThis attack is feasible because the PID space is usually fairly small (e.g. 100000 for XNU) and PIDs can thus be wrapped around relatively quickly (in step 2 or up front). As such, on darwin platforms the recommended way to identify IPC clients for the purpose of performing security checks in userspace is to rely on the audit_token. In contrast to the PID, which wraps around at 100000, the audit_token additionally contains the pidversion, which is in essence a 32-bit PID (from bsd/kern/kern_fork.c):\r\n\r\n proc_t\r\n forkproc(proc_t parent_proc)\r\n {\r\n static int nextpid = 0, pidwrap = 0, nextpidversion = 0;\r\n ...;\r\n\r\n /* Repeat until nextpid is a currently unused PID. */\r\n nextpid++;\r\n ...;\r\n\r\n nprocs++;\r\n child_proc->p_pid = nextpid;\r\n child_proc->p_responsible_pid = nextpid;\r\n child_proc->p_idversion = nextpidversion++;\r\n ...;\r\n\r\nWhen using audit_tokens, the previously described attack would now require creating two different processes which have the same pair of (pid, pidversion), which in turn would require spawning roughly 2**32 processes to wrap around the pidversion. However, the pidversion is additionally incremented during execve (from bsd/kern/kern_exec.c):\r\n\r\n /* Update the process' identity version and set the security token */\r\n p->p_idversion++;\r\n\r\nThis is likely done to prevent another attack where a process sends an IPC message, then immediately execve's a privileged binary. The problem here is that the pidversion is incremented \"ad-hoc\", without updating the global nextpidversion variable. With that it becomes possible to create two processes with the same (pid, pidversion) pair without wrapping around the 32-bit pidversion:\r\n\r\n1. The initial exploit process is identified by the pair (pid: X, pidversion: Y)\r\n2. The exploit performs 10000 execves to get (X, Y + 100000)\r\n3. The exploit interacts with a privileged service which stores the client's audit_token (or directly uses it, in which case the following part becomes a race)\r\n4. The exploit forks, with the parent processes immediately terminating, until it has the same PID again. This could, for example, require 99000 forks (because some PIDs are in use). The process now has (X, Y + 99000)\r\n5. The exploit execves until it has (X, Y + 99999)\r\n6. The exploit execves a privileged binary. The privileged binary will have (X, Y + 100000)\r\n7. At this time the privileged service performs a security check of the client but will perform this check on the entitled process even though the request came from an unprivileged process\r\n\r\nThe attached PoC demonstrates this by showing that an IPC service can be tricked into believing that the client has a specific entitlement. To reproduce:\r\n\r\n1. compile the attached code: `make`\r\n2. start the helper service: `./service`. The service simply prints the value of a predefined entitlement (currently \"com.apple.private.AuthorizationServices\") of a connected client\r\n3. in a separate shell start the exploit: `./exploit`.\r\n4. once the exploit prints \"[+] All done. Spawning sudo now\", press enter in the shell where the helper service is running. It should now print the value of the entitlement.\r\n\r\nThe gained primitive (obtaining more or less arbitrary entitlements) can then e.g. be used as described here: https://gist.github.com/ChiChou/e3a50f00853b2fbfb1debad46e501121. Besides entitlements, it should also be possible to spoof code signatures this way. Furthermore, it might be possible to use this bug for a sandbox escape if one is able to somehow perform execve (there are multiple sandboxed services and applications that have (allow process-exec) in their sandbox profile for example). In that case, one could spawn a non-sandboxed system service into the same (pid, pidversion) pair prior to performing some IPC operations where the endpoint will do a sandbox_check_by_audit_token. However, precisely spawning a non-sandboxed process into the same (pid, pidversion) will likely be a lot less reliable.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/46648.zip\n\n# 0day.today [2019-04-04] #"}

{"exploitdb": [{"lastseen": "2019-04-03T18:03:22", "bulletinFamily": "exploit", "description": "", "modified": "2019-04-03T00:00:00", "published": "2019-04-03T00:00:00", "id": "EDB-ID:46648", "href": "https://www.exploit-db.com/exploits/46648", "type": "exploitdb", "title": "iOS &lt; 12.2 / macOS &lt; 10.14.4 XNU - pidversion Increment During execve is Unsafe", "sourceData": "Privileged IPC services in userspace often have to verify the security context of their client processes (such as whether the client is sandboxed, has a specific entitlement, or is signed by some code signing authority). This, in turn, requires a way to identify a client process. If PIDs are used for that purpose, the following attack becomes possible:\r\n\r\n1. The (unprivileged) client process sends an IPC message to a privileged service\r\n2. The client process terminates and spawns a privileged process into its PID\r\n3. The privileged service performs the security check, but since the PID has been reused it performs it on the wrong process\r\n\r\nThis attack is feasible because the PID space is usually fairly small (e.g. 100000 for XNU) and PIDs can thus be wrapped around relatively quickly (in step 2 or up front). As such, on darwin platforms the recommended way to identify IPC clients for the purpose of performing security checks in userspace is to rely on the audit_token. In contrast to the PID, which wraps around at 100000, the audit_token additionally contains the pidversion, which is in essence a 32-bit PID (from bsd/kern/kern_fork.c):\r\n\r\n proc_t\r\n forkproc(proc_t parent_proc)\r\n {\r\n static int nextpid = 0, pidwrap = 0, nextpidversion = 0;\r\n ...;\r\n\r\n /* Repeat until nextpid is a currently unused PID. */\r\n nextpid++;\r\n ...;\r\n\r\n nprocs++;\r\n child_proc->p_pid = nextpid;\r\n child_proc->p_responsible_pid = nextpid;\r\n child_proc->p_idversion = nextpidversion++;\r\n ...;\r\n\r\nWhen using audit_tokens, the previously described attack would now require creating two different processes which have the same pair of (pid, pidversion), which in turn would require spawning roughly 2**32 processes to wrap around the pidversion. However, the pidversion is additionally incremented during execve (from bsd/kern/kern_exec.c):\r\n\r\n /* Update the process' identity version and set the security token */\r\n p->p_idversion++;\r\n\r\nThis is likely done to prevent another attack where a process sends an IPC message, then immediately execve's a privileged binary. The problem here is that the pidversion is incremented \"ad-hoc\", without updating the global nextpidversion variable. With that it becomes possible to create two processes with the same (pid, pidversion) pair without wrapping around the 32-bit pidversion:\r\n\r\n1. The initial exploit process is identified by the pair (pid: X, pidversion: Y)\r\n2. The exploit performs 10000 execves to get (X, Y + 100000)\r\n3. The exploit interacts with a privileged service which stores the client's audit_token (or directly uses it, in which case the following part becomes a race)\r\n4. The exploit forks, with the parent processes immediately terminating, until it has the same PID again. This could, for example, require 99000 forks (because some PIDs are in use). The process now has (X, Y + 99000)\r\n5. The exploit execves until it has (X, Y + 99999)\r\n6. The exploit execves a privileged binary. The privileged binary will have (X, Y + 100000)\r\n7. At this time the privileged service performs a security check of the client but will perform this check on the entitled process even though the request came from an unprivileged process\r\n\r\nThe attached PoC demonstrates this by showing that an IPC service can be tricked into believing that the client has a specific entitlement. To reproduce:\r\n\r\n1. compile the attached code: `make`\r\n2. start the helper service: `./service`. The service simply prints the value of a predefined entitlement (currently \"com.apple.private.AuthorizationServices\") of a connected client\r\n3. in a separate shell start the exploit: `./exploit`.\r\n4. once the exploit prints \"[+] All done. Spawning sudo now\", press enter in the shell where the helper service is running. It should now print the value of the entitlement.\r\n\r\nThe gained primitive (obtaining more or less arbitrary entitlements) can then e.g. be used as described here: https://gist.github.com/ChiChou/e3a50f00853b2fbfb1debad46e501121. Besides entitlements, it should also be possible to spoof code signatures this way. Furthermore, it might be possible to use this bug for a sandbox escape if one is able to somehow perform execve (there are multiple sandboxed services and applications that have (allow process-exec) in their sandbox profile for example). In that case, one could spawn a non-sandboxed system service into the same (pid, pidversion) pair prior to performing some IPC operations where the endpoint will do a sandbox_check_by_audit_token. However, precisely spawning a non-sandboxed process into the same (pid, pidversion) will likely be a lot less reliable.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/46648.zip", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/46648"}], "thn": [{"lastseen": "2019-03-26T09:26:45", "bulletinFamily": "info", "description": "[](<https://1.bp.blogspot.com/-ZqprYHzgFPU/XJnZJwjGb9I/AAAAAAAAzlw/KI0KRkH8uLQqLhGv-wbNoZkWh49GVl-uACLcBGAs/s728-e100/ios-update-iphone-security.png>)\n\nApple on Monday released iOS 12.2 to patch a total of 51 security vulnerabilities in its mobile operating system that affects iPhone 5s and later, iPad Air and later, and iPod touch 6th generation. \n \nA majority of vulnerabilities Apple patched this month reside in its web rendering engine WebKit, which is used by many apps and web browsers running on the Apple's operating system. \n \nAccording to the [advisory](<https://support.apple.com/en-in/HT209599>), just opening a maliciously crafted web content using any vulnerable WebKit-based application could allow remote attackers to execute arbitrary code, disclose sensitive user information, bypass sandbox restrictions, or launch universal cross-site scripting attacks on the device. \n\n\n \nAmong the WebKit vulnerabilities include a consistency issue (CVE-2019-6222) that allows malicious websites to potentially access an iOS device microphone without the \"microphone-in-use\" indicator being shown. \n \nA similar vulnerability (CVE-2019-8566) has been patched in Apple's ReplayKit API that could allow a malicious application to access the iOS device\u2019s microphone without alerting the user. \n \n\n\n> \"An API issue existed in the handling of microphone data. This issue was addressed with improved validation,\" Apple says in its advisory briefing the ReplayKit bug.\n\n \nApple has also patched a serious logical bug (CVE-2019-8503) in WebKit that could have allowed malicious websites to execute scripts in the context of another site, allowing them to steal your information stored on other sites or launch a wide-range of online attacks. \n \nBesides WebKit issues, the advisory also revealed the existence of a critical flaw in earlier iOS versions that could lead to arbitrary code execution just by convincing victims into clicking a malicious SMS link. \n\n\n \nThe SMS vulnerability, identified as CVE-2019-8553, appears to affect iPhone 5s and later, iPad Air and later, and iPod touch 6th generation devices. \n \nApple has also patched a total of six vulnerabilities in iOS kernel, of which CVE-2019-8527 could allow a remote attacker to crash the system or corrupt kernel memory, CVE-2019-8514 could be used to elevate privileges, and rest allow malicious apps to read memory layout. \n \nThe technical details and proof-of-concept code for the newly patched flaws are yet unavailable. \n \nTo check for the update on your iPhone or iPad, go to Settings\u2192 General \u2192 Software Update and click the 'Download and Install' button. \n\n\nHave something to say about this article? Comment below or share it with us on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter](<https://twitter.com/thehackersnews>) or our [LinkedIn Group](<https://www.linkedin.com/company/the-hacker-news/>).\n", "modified": "2019-03-26T08:44:59", "published": "2019-03-26T08:44:00", "id": "THN:7E4DBFD0E034C7DF2A58395049033C66", "href": "https://thehackernews.com/2019/03/ios-update-iphone-security.html", "type": "thn", "title": "Latest iOS 12.2 Update Patches Some Serious Security Vulnerabilities", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": [{"lastseen": "2019-05-24T10:31:57", "bulletinFamily": "scanner", "description": "This host is installed with Apple Mac OS X\n and is prone to multiple vulnerabilities.", "modified": "2019-05-22T00:00:00", "published": "2019-03-26T00:00:00", "id": "OPENVAS:1361412562310815009", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815009", "title": "Apple MacOSX Security Updates(HT209600)-04", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815009\");\n script_version(\"2019-05-22T13:43:48+0000\");\n script_cve_id(\"CVE-2019-8502\", \"CVE-2019-8546\", \"CVE-2019-8545\", \"CVE-2019-8542\",\n \"CVE-2019-8549\", \"CVE-2019-6237\", \"CVE-2019-6239\", \"CVE-2019-7293\",\n \"CVE-2019-8565\", \"CVE-2019-8519\", \"CVE-2019-8533\", \"CVE-2019-8511\",\n \"CVE-2019-8514\", \"CVE-2019-8517\", \"CVE-2019-8516\", \"CVE-2019-8537\",\n \"CVE-2019-8550\", \"CVE-2019-8552\", \"CVE-2019-8507\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-22 13:43:48 +0000 (Wed, 22 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-03-26 15:43:30 +0530 (Tue, 26 Mar 2019)\");\n script_name(\"Apple MacOSX Security Updates(HT209600)-04\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apple Mac OS X\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An API issue existed in the handling of dictation requests.\n\n - An access issue related to sandbox restrictions.\n\n - A memory corruption issue related to improper state management.\n\n - A buffer overflow error improper bounds checking.\n\n - Multiple input validation issues existed in MIG generated code.\n\n - An out-of-bounds read related to improper bounds checking.\n\n - This issue related to improper handling of file metadata.\n\n - A memory corruption issue related to improper memory handling.\n\n - A race condition was addressed with additional validation.\n\n - A lock handling issue related to improper lock handling.\n\n - A buffer overflow issue related to improper memory handling.\n\n - A logic issue was addressed with improved state management.\n\n - A validation issue was addressed with improved logic.\n\n - An access issue was addressed with improved memory management.\n\n - An issue existed in the pausing of FaceTime video.\n\n - A memory initialization issue was addressed with improved memory handling.\n\n - Multiple memory corruption issues related to improper input validation.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation allow attackers\n to view sensitive user information, elevate privileges, cause unexpected system\n termination and execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Apple Mac OS X versions 10.14.x through 10.14.3.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apple Mac OS X 10.14.4 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT209600\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/osx_name\", \"ssh/login/osx_version\", re:\"ssh/login/osx_version=^10\\.14\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"ssh_func.inc\");\n\nosName = get_kb_item(\"ssh/login/osx_name\");\nif(!osName){\n exit(0);\n}\n\nosVer = get_kb_item(\"ssh/login/osx_version\");\nif(!osVer || osVer !~ \"^10\\.14\" || \"Mac OS X\" >!< osName){\n exit(0);\n}\n\nif(version_in_range(version:osVer, test_version:\"10.14\",test_version2:\"10.14.3\"))\n{\n report = report_fixed_ver(installed_version:osVer, fixed_version:\"10.14.4\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 0.0, "vector": "NONE"}}]}