Ally Fashion

Wednesday, October 1, 2014

More Mac OS X and iPhone sandbox escapes and kernel bugs


Posted by Ian Beer

A couple of weeks ago Apple released OS X 10.9.5 and iOS 8, which fixed a number of sandbox escapes and privilege escalation bugs found by Project Zero. All bar one of these bugs were found via manual auditing: source code auditing where source was available, and binary analysis where it wasn't. As always, click through the bugs for proof-of-concept code and further details:

CVE-2014-4403* [ https://code.google.com/p/google-security-research/issues/detail?id=23 ] was an issue allowing a kernel ASLR bypass on OS X due to insufficient randomization of very early kernel heap allocations, the addresses of which could be leaked using the unprivileged SGDT instruction. This bug could be exploited from within any sandbox on OS X and allowed an attacker to determine the load address of the kernel.

CVE-2014-4394* [ https://code.google.com/p/google-security-research/issues/detail?id=28 ]
CVE-2014-4395* [ https://code.google.com/p/google-security-research/issues/detail?id=29 ]
CVE-2014-4401* [ https://code.google.com/p/google-security-research/issues/detail?id=30 ]
CVE-2014-4396* [ https://code.google.com/p/google-security-research/issues/detail?id=30 ]
CVE-2014-4397* [ https://code.google.com/p/google-security-research/issues/detail?id=30 ]
CVE-2014-4400* [ https://code.google.com/p/google-security-research/issues/detail?id=30 ]
CVE-2014-4399* [ https://code.google.com/p/google-security-research/issues/detail?id=30 ]
CVE-2014-4398* [ https://code.google.com/p/google-security-research/issues/detail?id=32 ]
CVE-2014-4416* [ https://code.google.com/p/google-security-research/issues/detail?id=34 ]
were all bounds-checking bugs in the driver for the Intel integrated HD GPU present on all current-generation Macs. Eight of these bugs allowed controlled kernel memory corruption from within most sandboxes on OS X (those with access to the GPU, such as the Safari renderer process or the Chrome GPU process).

CVE-2014-4402* [ https://code.google.com/p/google-security-research/issues/detail?id=33 ] was another case of missing bounds checks, this time in another part of the graphics acceleration pipeline.

CVE-2014-4376* [ https://code.google.com/p/google-security-research/issues/detail?id=31 ] was a kernel NULL-pointer dereference when setting up IOKit shared memory. This was exploitable from within some sandboxed 32-bit processes on OS X (for example the Chrome GPU process). As with all of these bugs, it also allows any unsandboxed process to execute code in the kernel.

CVE-2014-4418 [ https://code.google.com/p/google-security-research/issues/detail?id=36 ]
No CVE* [ https://code.google.com/p/google-security-research/issues/detail?id=35 ]
were bugs affecting OS X and iOS in the implementation of the IOKit IODataQueue class, where the kernel trusted index and size fields in shared memory that was mapped into userspace and writable. Looking at the release notes for iOS 8, these bugs seem to be very similar to one used in the recent Pangu Team jailbreak, which was released a few days after these bugs were reported to Apple.

CVE-2014-4389 [ https://code.google.com/p/google-security-research/issues/detail?id=39 ]
covered integer overflows in the bounds-checking code of IODataQueue, allowing kernel memory corruption on iOS and OS X.
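The two IODataQueue bug classes above (trusting index and size fields that userspace can write, and bounds checks whose additions overflow) come down to how a kernel-side consumer validates a queue header it shares with an untrusted producer. The following added example is a constructed, simplified model written for this post, not Apple's IODataQueue source or the proof-of-concept code in the linked bugs: the names `shared_queue_t`, `checked_dequeue`, `read_entry`, the 64-byte capacity and the scenario inputs are all assumptions. It contrasts a naive end-of-entry check, which a large size field wraps past, with a subtraction-based validation that keeps the trusted capacity in kernel-private memory, snapshots the shared indices once, and handles the wrap-around case without any addition that can overflow.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of a shared-memory data queue. The header
 * (head/tail/queue_size) and the entries live in a page mapped writable into
 * userspace, so the kernel-side consumer must treat every field as hostile.
 * This is NOT Apple's IODataQueue code, only an illustration of the class. */
#define CAPACITY          64u
#define ENTRY_HEADER_SIZE 4u          /* each entry: uint32_t size, then data */

typedef struct {
    uint32_t head;                    /* offset of next entry to dequeue */
    uint32_t tail;                    /* offset where the producer appends */
    uint32_t queue_size;              /* shared copy: attacker-writable, never used */
    uint8_t  queue[CAPACITY];
} shared_queue_t;

typedef struct {
    shared_queue_t *shared;           /* the userspace-visible mapping */
    uint32_t        capacity;         /* trusted copy kept in kernel-private memory */
} queue_ctx_t;

/* Unsafe check in the style of the bug class: end = off + header + size is
 * computed in 32-bit arithmetic, so a huge size wraps the sum below the limit.
 * Returns only whether the check would accept; it never touches memory. */
bool naive_check_accepts(uint32_t off, uint32_t limit, uint32_t entry_size)
{
    uint32_t end = off + ENTRY_HEADER_SIZE + entry_size;   /* may wrap */
    return end <= limit;
}

/* Hardened entry validation: every comparison is subtraction-based against
 * space that is already known to exist, so no addition can overflow. */
static bool read_entry(const shared_queue_t *q, uint32_t off, uint32_t limit,
                       uint32_t *size, uint32_t *end)
{
    if (off > limit || limit - off < ENTRY_HEADER_SIZE)
        return false;                                  /* no room for a header */
    uint32_t s;
    memcpy(&s, q->queue + off, sizeof s);              /* shared field: read once */
    if (s > limit - off - ENTRY_HEADER_SIZE)
        return false;                                  /* data would run past limit */
    *size = s;
    *end  = off + ENTRY_HEADER_SIZE + s;               /* cannot overflow: <= limit */
    return true;
}

bool checked_dequeue(queue_ctx_t *ctx, uint8_t *dst, uint32_t dst_size, uint32_t *out_len)
{
    shared_queue_t *q = ctx->shared;
    const uint32_t cap = ctx->capacity;                /* never the shared queue_size */
    /* Snapshot the indices once; userspace may change them under us (TOCTOU). */
    const uint32_t head = q->head;
    const uint32_t tail = q->tail;

    if (head >= cap || tail >= cap) return false;      /* corrupt indices */
    if (head == tail) return false;                    /* empty */

    uint32_t off, size, end;
    if (head < tail) {                                 /* entry lies within [head, tail) */
        if (!read_entry(q, head, tail, &size, &end)) return false;
        off = head;
    } else {                                           /* producer has wrapped around */
        if (read_entry(q, head, cap, &size, &end))      off = head;
        else if (read_entry(q, 0, tail, &size, &end))   off = 0;
        else return false;
    }
    if (size > dst_size) return false;
    memcpy(dst, q->queue + off + ENTRY_HEADER_SIZE, size);
    *out_len = size;
    q->head = (end == cap) ? 0 : end;                  /* publish the consumed entry */
    return true;
}

/* Constructed scenarios (test inputs, not real kernel data). Each returns the
 * dequeued length, or -1 when the hardened consumer rejects the header. */
static shared_queue_t shq;

static void setup(uint32_t head, uint32_t tail, uint32_t size_at_head)
{
    memset(&shq, 0, sizeof shq);
    shq.head = head; shq.tail = tail; shq.queue_size = CAPACITY;
    memcpy(shq.queue + head, &size_at_head, sizeof size_at_head);
}

static int run_dequeue(void)
{
    queue_ctx_t ctx = { &shq, CAPACITY };
    uint8_t buf[CAPACITY];
    uint32_t n = 0;
    return checked_dequeue(&ctx, buf, sizeof buf, &n) ? (int)n : -1;
}

/* Legitimate 5-byte entry at offset 0: header (4) + data (5) ends at tail 9. */
int scenario_legit(void)    { setup(0, 9, 5);            return run_dequeue(); }
/* Hostile size chosen so that 0 + 4 + size wraps to 0 in 32-bit arithmetic. */
int scenario_overflow(void) { setup(0, 9, 0xFFFFFFFCu);  return run_dequeue(); }
/* Hostile head index beyond the trusted capacity. */
int scenario_bad_head(void) { setup(0, 9, 5); shq.head = 1000; return run_dequeue(); }
/* Wrap-around: entry at 60 would overrun the end, so the real entry is at 0. */
int scenario_wrap(void)
{
    uint32_t s = 5;
    setup(60, 9, 7);
    memcpy(shq.queue, &s, sizeof s);
    return run_dequeue();
}

int main(void)
{
    printf("legit=%d overflow=%d bad_head=%d wrap=%d naive_accepts_overflow=%d\n",
           scenario_legit(), scenario_overflow(), scenario_bad_head(), scenario_wrap(),
           (int)naive_check_accepts(0, 9, 0xFFFFFFFCu));
    return 0;
}
```

The design point is that the consumer never derives a bound by adding attacker-controlled values together: it subtracts the current offset from a limit it already trusts and compares the shared size field against that remaining space, and the only trusted capacity is the kernel's private copy rather than the `queue_size` field sitting in the shared page.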

CVE-2014-4390 [ https://code.google.com/p/google-security-research/issues/detail?id=37 ]
was another shared-memory queuing bug, this time in the Bluetooth stack.

CVE-2014-4404+ [ https://code.google.com/p/google-security-research/issues/detail?id=40 ]
was an interesting kernel heap overflow when parsing a binary keyboard map; it affected iOS and OS X and was reachable by setting an IOKit registry value. See the linked bug for more details, along with a PoC demonstrating kernel instruction pointer control.

CVE-2014-4379 [ https://code.google.com/p/google-security-research/issues/detail?id=42 ]
was another bug in the keyboard mapping code affecting iOS and OS X allowing userspace to read arbitrary kernel memory.

CVE-2014-4405+ [ https://code.google.com/p/google-security-research/issues/detail?id=41 ]
was a kernel NULL-pointer dereference due to incorrect error handling in the key map parsing code; again, see the linked bug for a PoC demonstrating kernel instruction pointer control on OS X.

Finding and eliminating sandbox escapes is an important focus for Project Zero. The attack surface to break out of a sandbox is often smaller than the attack surface available to remote attackers to gain an initial foothold inside a sandbox. Therefore, strengthening sandboxes represents a solid return on investment of time.

Our research seems to indicate that sandbox break-outs on OS X and iOS are an under-researched topic. We’d encourage others to join us in bringing these sandboxes up to strength.

You can keep up-to-date with the latest Project Zero research by subscribing to labels in our bug tracker: https://code.google.com/p/google-security-research/issues/subscriptions

(*) These bugs exceeded Project Zero’s standard 90-day disclosure deadline.
(+) These bugs were only fixed on iOS and remain unpatched on OS X.
