bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/dos/45648.txt
Offensive Security defa138d04 DB: 2018-10-23 
17 changes to exploits/shellcodes

Modbus Poll 7.2.2 - Denial of Service (PoC)
AudaCity 2.3 - Denial of Service (PoC)
Apple Intel GPU Driver - Use-After-Free/Double-Delete due to bad Locking
Apple iOS/macOS - Sandbox Escape due to Trusted Length Field in Shared Memory used by HID Event Subsystem
Apple iOS - Kernel Stack Memory Disclosure due to Failure to Check copyin Return Value
Apple iOS/macOS - Sandbox Escape due to mach Message sent from Shared Memory
Apple iOS/macOS - Kernel Memory Corruption due to Integer Overflow in IOHIDResourceQueue::enqueueReport
Apple iOS Kernel - Use-After-Free due to bad Error Handling in Personas

Windows - SetImeInfoEx Win32k NULL Pointer Dereference (Metasploit)

Countly - Persistent Cross-Site Scripting
Countly - Cross-Site Scripting
MySQL Edit Table 1.0 - 'id' SQL Injection
School ERP Ultimate 2018 - Arbitrary File Download
Oracle Siebel CRM 8.1.1 - CSV Injection
The Open ISES Project 3.30A - 'tick_lat' SQL Injection
School ERP Ultimate 2018 - 'fid' SQL Injection
eNdonesia Portal 8.7 - 'artid' SQL Injection
The Open ISES Project 3.30A - Arbitrary File Download
Viva Visitor & Volunteer ID Tracking 0.95.1 - 'fname' SQL Injection
2018-10-23 05:01:48 +00:00

36 lines
No EOL
2 KiB
Text
Raw Blame History

io_hideventsystem is a MIG service which provides proxy access to various HID devices for untrusted
clients. On iOS it's hosted by backboardd and on MacOS by hidd. The actual implementation is
in IOKit.framework.
I, and also pangu jailbreak team, had previously found a few bugs in the kernel IODataQueue code.
It seems that io_hideventsystem also uses IODataQueues purely in userspace. That is, via shared
memory between two userspace processes rather than between a userspace process and the kernel.
It turns out that the userspace code for enqueuing and dequeuing from an IODataQueue has none
of the hardening that the kernel code now has, so it's trivial to just replace the length, head
and tail fields (which are in a header at the start of the shared memory buffer) such that
the remote process tries to enqueue outside of the bounds of the IODataQueue's actual backing
buffer.
This is a very basic PoC thrown together to minimally repro the issue.
Run build.sh and run.sh, use the mouse a bit and notice the hidd crash log. Don't try to attach lldb to hidd, you will
struggle to interact with it!
Specifically the server will allocate a buffer wrapped by a mach port (via mach_make_memory_entry_64)
then in the client you can see inside IOHIDEventQueueCreateWithVM the port's memory being mapped.
The attached dylib just interposes mach_vm_map to replace the size and tail fields once the shared
memory is mapped in the client.
I've also tested this on iOS just manually manipulating the shared memory after it's mapped.
Depending on how clients use io_hideventsystem it might be possible to hop first in to backboardd
then in to another client (if that client is also enqueuing events into a queue) but that will
take some more research.
Tested on MacOS 10.13.6 and iOS 11.3.1 (that's the highest version I have on a device with me right now.)
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45648.zip
Reference in a new issue View git blame Copy permalink