HackDig : Dig high-quality web security articles for hacker

Mac OS X 10.10.2 IOHIDFamily.kext IOHIDSecurePromptClient Heap Overflow

2015-03-19 09:55
Hello,

I have recently found an exploitable heap overflow in a core OS X driver.
Particularly, the injectString function is vulnerable to an heap overflow and can be triggered without privileges of
any kind.

The vulnerable function can be seen at
http://opensource.apple.com/source/IOHIDFamily/IOHIDFamily-503.200.2/IOHIDSystem/IOHIDSecurePromptClient.cpp

I wrote a weaponized poc at http://github.com/kpwn/vpwn.

The KASLR leak is not reliable. It works only on Macs with AMD (no FirePro) GPUs. (Tested on a last gen 5K Retina iMac).
It was the only one I'd sacrifice for a public PoC because of that constraint.

It does not completely clean up it's own mess, so running ioreg after running the PoC will likely crash your box.

The particular IOKit service has been involved in a CVE in October. It had functions that could literally not be used
without crashing the kernel.
There still are other unsafe functions in that very same file. Apple has disabled the service in particular on the
latest 10.10.3 beta possible due to those other bugs. I do not believe they are aware of this issue in particular. But
this is pure speculation, and it doesn't matter in the end, since the vulnerability cannot be triggered anymore.

Let me know what you think,
Luca Todesco.
-qwertyoruiop

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


Source: 021/raM/5102/erusolcsidlluf/gro.stsilces

Read:4869 | Comments:0 | Tags:No Tag

“Mac OS X 10.10.2 IOHIDFamily.kext IOHIDSecurePromptClient Heap Overflow”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud