31 lines
No EOL
1.5 KiB
Text
31 lines
No EOL
1.5 KiB
Text
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=831
|
|
|
|
IOSurfaceRootUserClient stores a task struct pointer (passed in via IOServiceOpen) in the field at +0xf0 without taking a reference.
|
|
|
|
By killing the corrisponding task we can free this pointer leaving the user client with a dangling pointer. We can get this pointer used
|
|
by calling the create_surface_fast_path external method which will try to read and use the memory map off of the free'd task struct.
|
|
|
|
This bug could be leveraged for kernel memory corruption and is reachable from interesting sandboxes including safari and chrome.
|
|
|
|
build: clang -o surfaceroot_uaf surfaceroot_uaf.c -framework IOKit
|
|
|
|
You should set gzalloc_min=1024 gzalloc_max=2048 or similar to actually fault on the UaF - otherwise you might see some weird panics!
|
|
|
|
tested on OS X 10.11.5 (15F34) on MacBookAir5,2
|
|
|
|
#####################################
|
|
|
|
another PoC for "task_t considered harmful"
|
|
since 10.11.6 blocks us from creating userclients with other task's task ports
|
|
this time we create an IOSurface in the child and send back a send right to that
|
|
IOSurface to the parent (rather than sending the child's task port.)
|
|
|
|
The child then execs a suid-root binary which blocks on stderr and the parent
|
|
creates an IOSurface which maps any (writable?) page of the euid-0 process into theirs.
|
|
Overwrite a function pointer and win.
|
|
|
|
No race conditions because the task struct pointer is on the kernel heap, not the stack.
|
|
|
|
|
|
Proofs of Concept:
|
|
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40653.zip |