bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/ios/dos/45649.txt
Offensive Security defa138d04 DB: 2018-10-23 
17 changes to exploits/shellcodes

Modbus Poll 7.2.2 - Denial of Service (PoC)
AudaCity 2.3 - Denial of Service (PoC)
Apple Intel GPU Driver - Use-After-Free/Double-Delete due to bad Locking
Apple iOS/macOS - Sandbox Escape due to Trusted Length Field in Shared Memory used by HID Event Subsystem
Apple iOS - Kernel Stack Memory Disclosure due to Failure to Check copyin Return Value
Apple iOS/macOS - Sandbox Escape due to mach Message sent from Shared Memory
Apple iOS/macOS - Kernel Memory Corruption due to Integer Overflow in IOHIDResourceQueue::enqueueReport
Apple iOS Kernel - Use-After-Free due to bad Error Handling in Personas

Windows - SetImeInfoEx Win32k NULL Pointer Dereference (Metasploit)

Countly - Persistent Cross-Site Scripting
Countly - Cross-Site Scripting
MySQL Edit Table 1.0 - 'id' SQL Injection
School ERP Ultimate 2018 - Arbitrary File Download
Oracle Siebel CRM 8.1.1 - CSV Injection
The Open ISES Project 3.30A - 'tick_lat' SQL Injection
School ERP Ultimate 2018 - 'fid' SQL Injection
eNdonesia Portal 8.7 - 'artid' SQL Injection
The Open ISES Project 3.30A - Arbitrary File Download
Viva Visitor & Volunteer ID Tracking 0.95.1 - 'fname' SQL Injection
2018-10-23 05:01:48 +00:00

58 lines
No EOL
2.5 KiB
Text
Raw Blame History

Here's a code snippet from sleh.c with the second level exception handler for undefined instruction exceptions:
static void
handle_uncategorized(arm_saved_state_t *state, boolean_t instrLen2)
{
exception_type_t exception = EXC_BAD_INSTRUCTION;
mach_exception_data_type_t codes[2] = {EXC_ARM_UNDEFINED};
mach_msg_type_number_t numcodes = 2;
uint32_t instr; <------ (a)
if (instrLen2) {
uint16_t instr16;
COPYIN(get_saved_state_pc(state), (char *)&instr16, sizeof(instr16));
instr = instr16;
} else {
COPYIN(get_saved_state_pc(state), (char *)&instr, sizeof(instr)); <------- (b)
}
....
else {
codes[1] = instr; <------ (c)
}
}
exception_triage(exception, codes, numcodes); <-------- (d)
At (a) the uint32_t instr is declared uninitialized on the stack.
At (b) the code tries to copyin the bytes of the exception-causing instruction from userspace
note that the COPYIN macro doesn't itself check the return value of copyin, it just calls it.
At (c) instr is assigned to codes[1], which at (d) is passed to exception_triage.
that codes array will eventually end up being sent in an exception mach message.
The bug is that we can force copyin to fail by unmapping the page containing the undefined instruction
while it's being handled. (I tried to do this with XO memory but the kernel seems to be able to copyin that just fine.)
This PoC has an undefined instruction (0xdeadbeef) on its own page and spins up a thread to keep
switching the protection of that page between VM_PROT_NONE and VM_PROT_READ|VM_PROT_EXECUTE.
We then keep spinning up threads which try to execute that undefined instruction.
If the race windows align the thread executes the undefined instruction but when the sleh code tries to copyin
the page is unmapped, the copying fails and the exception message we get has stale stack memory.
This PoC just demonstrates that you do get values which aren't 0xdeadbeef in there for the EXC_ARM_UNDEFINED type.
You'd have to do a bit more fiddling to work out how to get something specific there.
Note that there are lots of other unchecked COPYIN's in sleh.c (eg when userspace tries to access a system register not allowed
for EL0) and these seem to have the same issue.
tested on iPod Touch 6g running 11.3.1, but looking at the kernelcache it seems to still be there in iOS 12.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45649.zip
Reference in a new issue View git blame Copy permalink