CVE-2016-1823 - Out-of-bounds Read vulnerability in Apple products
Attack vector | LOCAL |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
The IOHIDDevice::handleReportWithTime function in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (out-of-bounds read and memory corruption) via a crafted IOHIDReportType enum, which triggers an incorrect cast, a different vulnerability than CVE-2016-1824.
Common Attack Pattern Enumeration and Classification (CAPEC)
- Overread Buffers: An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.
Exploit-Db
description | OS X Kernel - OOB Read of Object Pointer Due to Insufficient Checks in Raw Cast to enum Type. CVE-2016-1823. Dos exploit for osx platform |
file | exploits/osx/dos/39927.c |
id | EDB-ID:39927 |
last seen | 2016-06-11 |
modified | 2016-06-10 |
platform | osx |
port | |
published | 2016-06-10 |
reporter | Google Security Research |
source | https://www.exploit-db.com/download/39927/ |
title | OS X Kernel - OOB Read of Object Pointer Due to Insufficient Checks in Raw Cast to enum Type |
type | dos |
Nessus
NASL family | MacOS X Local Security Checks |
NASL id | MACOSX_10_11_5.NASL |
description | The remote host is running a version of Mac OS X that is 10.11.x prior to 10.11.5. It is, therefore, affected by multiple vulnerabilities in the following components : - AMD - apache_mod_php - AppleGraphicsControl - AppleGraphicsPowerManagement - Assistant - ATS - Audio - Captive - CFNetwork - CommonCrypto - CoreCapture - CoreStorage - Crash - Disk - Disk - Driver - Drivers - Drivers - Graphics - Graphics - Graphics - ImageIO - Images - Intel - IOAcceleratorFamily - IOAudioFamily - IOFireWireFamily - IOHIDFamily - Kernel - libc - libxml2 - libxslt - Lock - MapKit - Messages - Multi-Touch - Network - NVIDIA - OpenGL - Proxies - QuickTime - Reporter - SceneKit - Screen - Tcl - Utility Note that successful exploitation of the most serious issues can result in arbitrary code execution. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 91228 |
published | 2016-05-19 |
reporter | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/91228 |
title | Mac OS X 10.11.x < 10.11.5 Multiple Vulnerabilities |
code

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(91228);
  script_version("1.10");
  script_cvs_date("Date: 2019/11/19");

  script_cve_id(
    "CVE-2016-1792", "CVE-2016-1793", "CVE-2016-1794", "CVE-2016-1795",
    "CVE-2016-1796", "CVE-2016-1797", "CVE-2016-1798", "CVE-2016-1799",
    "CVE-2016-1801", "CVE-2016-1802", "CVE-2016-1803", "CVE-2016-1804",
    "CVE-2016-1805", "CVE-2016-1806", "CVE-2016-1807", "CVE-2016-1808",
    "CVE-2016-1809", "CVE-2016-1810", "CVE-2016-1811", "CVE-2016-1812",
    "CVE-2016-1813", "CVE-2016-1814", "CVE-2016-1815", "CVE-2016-1816",
    "CVE-2016-1817", "CVE-2016-1818", "CVE-2016-1819", "CVE-2016-1820",
    "CVE-2016-1821", "CVE-2016-1822", "CVE-2016-1823", "CVE-2016-1824",
    "CVE-2016-1825", "CVE-2016-1826", "CVE-2016-1827", "CVE-2016-1828",
    "CVE-2016-1829", "CVE-2016-1830", "CVE-2016-1831", "CVE-2016-1832",
    "CVE-2016-1833", "CVE-2016-1834", "CVE-2016-1835", "CVE-2016-1836",
    "CVE-2016-1837", "CVE-2016-1838", "CVE-2016-1839", "CVE-2016-1840",
    "CVE-2016-1842", "CVE-2016-1843", "CVE-2016-1844", "CVE-2016-1846",
    "CVE-2016-1848", "CVE-2016-1850", "CVE-2016-1851", "CVE-2016-1853",
    "CVE-2016-1861", "CVE-2016-3141", "CVE-2016-3142", "CVE-2016-4070",
    "CVE-2016-4071", "CVE-2016-4072", "CVE-2016-4073", "CVE-2016-4650"
  );
  script_bugtraq_id(
    84271, 84306, 85800, 85801, 85991, 85993, 90692,
    90694, 90696, 90697, 90698, 90801, 91353, 92034
  );
  script_xref(name:"APPLE-SA", value:"APPLE-SA-2016-05-16-4");

  script_name(english:"Mac OS X 10.11.x < 10.11.5 Multiple Vulnerabilities");
  script_summary(english:"Checks the version of Mac OS X.");

  script_set_attribute(attribute:"synopsis", value:
    "The remote Mac OS X host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
    "The remote host is running a version of Mac OS X that is 10.11.x prior to 10.11.5. It is, therefore, affected by multiple vulnerabilities in the following components : - AMD - apache_mod_php - AppleGraphicsControl - AppleGraphicsPowerManagement - Assistant - ATS - Audio - Captive - CFNetwork - CommonCrypto - CoreCapture - CoreStorage - Crash - Disk - Disk - Driver - Drivers - Drivers - Graphics - Graphics - Graphics - ImageIO - Images - Intel - IOAcceleratorFamily - IOAudioFamily - IOFireWireFamily - IOHIDFamily - Kernel - libc - libxml2 - libxslt - Lock - MapKit - Messages - Multi-Touch - Network - NVIDIA - OpenGL - Proxies - QuickTime - Reporter - SceneKit - Screen - Tcl - Utility Note that successful exploitation of the most serious issues can result in arbitrary code execution.");
  script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT206567");
  # http://lists.apple.com/archives/security-announce/2016/May/msg00004.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?46de3fda");
  script_set_attribute(attribute:"solution", value:
    "Upgrade to Mac OS X version 10.11.5 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-4650");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/05/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/05/19");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
  script_require_ports("Host/MacOSX/Version", "Host/OS");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

os = get_kb_item("Host/MacOSX/Version");
if (!os)
{
  os = get_kb_item_or_exit("Host/OS");
  if ("Mac OS X" >!< os) audit(AUDIT_OS_NOT, "Mac OS X");

  c = get_kb_item("Host/OS/Confidence");
  if (c <= 70) exit(1, "Cannot determine the host's OS with sufficient confidence.");
}
if (!os) audit(AUDIT_OS_NOT, "Mac OS X");

match = eregmatch(pattern:"Mac OS X ([0-9]+(\.[0-9]+)+)", string:os);
if (isnull(match)) exit(1, "Failed to parse the Mac OS X version ('" + os + "').");

version = match[1];

if ( version !~ "^10\.11([^0-9]|$)" )
  audit(AUDIT_OS_NOT, "Mac OS X 10.11 or later", "Mac OS X "+version);

fix = "10.11.5";
if (ver_compare(ver:version, fix:fix, strict:FALSE) == -1)
{
  items = make_array("Installed version", version,
                     "Fixed version", fix );
  order = make_list("Installed version", "Fixed version");
  report = report_items_str(report_items:items, ordered_fields:order);

  security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);
  exit(0);
}
else audit(AUDIT_INST_VER_NOT_VULN, "Mac OS X", version);

NASL family | MacOS X Local Security Checks |
NASL id | MACOS_10_12_2.NASL |
description | The remote host is running a version of macOS that is 10.12.x prior to 10.12.2. It is, therefore, affected by multiple vulnerabilities in the following components : - apache_mod_php - AppleGraphicsPowerManagement - Assets - Audio - Bluetooth - CoreCapture - CoreFoundation - CoreGraphics - CoreMedia External Displays - CoreMedia Playback - CoreStorage - CoreText - curl - Directory Services - Disk Images - FontParser - Foundation - Grapher - ICU - ImageIO - Intel Graphics Driver - IOFireWireFamily - IOAcceleratorFamily - IOHIDFamily - IOKit - IOSurface - Kernel - kext tools - libarchive - LibreSSL - OpenLDAP - OpenPAM - OpenSSL - Power Management - Security - syslog - WiFi - xar Note that successful exploitation of the most serious issues can result in arbitrary code execution. Furthermore, CVE-2016-6304, CVE-2016-7596, and CVE-2016-7604 also affect Mac OS X versions 10.10.5 and 10.11.6. However, this plugin does not check those versions. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 95917 |
published | 2016-12-16 |
reporter | This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/95917 |
title | macOS 10.12.x < 10.12.2 Multiple Vulnerabilities |
code

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(95917);
  script_version("1.9");
  script_cvs_date("Date: 2020/01/07");

  script_cve_id(
    "CVE-2016-1777", "CVE-2016-1823", "CVE-2016-4688", "CVE-2016-4691",
    "CVE-2016-4693", "CVE-2016-5419", "CVE-2016-5420", "CVE-2016-5421",
    "CVE-2016-6303", "CVE-2016-6304", "CVE-2016-7141", "CVE-2016-7167",
    "CVE-2016-7411", "CVE-2016-7412", "CVE-2016-7413", "CVE-2016-7414",
    "CVE-2016-7416", "CVE-2016-7417", "CVE-2016-7418", "CVE-2016-7588",
    "CVE-2016-7591", "CVE-2016-7594", "CVE-2016-7595", "CVE-2016-7596",
    "CVE-2016-7600", "CVE-2016-7602", "CVE-2016-7603", "CVE-2016-7604",
    "CVE-2016-7605", "CVE-2016-7606", "CVE-2016-7607", "CVE-2016-7608",
    "CVE-2016-7609", "CVE-2016-7612", "CVE-2016-7615", "CVE-2016-7616",
    "CVE-2016-7617", "CVE-2016-7618", "CVE-2016-7619", "CVE-2016-7620",
    "CVE-2016-7621", "CVE-2016-7622", "CVE-2016-7624", "CVE-2016-7625",
    "CVE-2016-7627", "CVE-2016-7628", "CVE-2016-7629", "CVE-2016-7633",
    "CVE-2016-7636", "CVE-2016-7637", "CVE-2016-7643", "CVE-2016-7644",
    "CVE-2016-7655", "CVE-2016-7657", "CVE-2016-7658", "CVE-2016-7659",
    "CVE-2016-7660", "CVE-2016-7661", "CVE-2016-7662", "CVE-2016-7663",
    "CVE-2016-7714", "CVE-2016-7742", "CVE-2016-7761", "CVE-2016-8615",
    "CVE-2016-8616", "CVE-2016-8617", "CVE-2016-8618", "CVE-2016-8619",
    "CVE-2016-8620", "CVE-2016-8621", "CVE-2016-8622", "CVE-2016-8623",
    "CVE-2016-8624", "CVE-2016-8625"
  );
  script_bugtraq_id(
    85054, 90698, 92292, 92306, 92309, 92754, 92975, 92984,
    93004, 93005, 93006, 93007, 93008, 93009, 93011, 93150,
    94094, 94096, 94097, 94098, 94100, 94101, 94102, 94103,
    94105, 94106, 94107, 94572, 94903, 94904, 94905, 94906
  );
  script_xref(name:"APPLE-SA", value:"APPLE-SA-2016-12-13-1");

  script_name(english:"macOS 10.12.x < 10.12.2 Multiple Vulnerabilities");
  script_summary(english:"Checks the version of macOS.");

  script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a macOS update that fixes multiple security vulnerabilities.");
  script_set_attribute(attribute:"description", value:
    "The remote host is running a version of macOS that is 10.12.x prior to 10.12.2. It is, therefore, affected by multiple vulnerabilities in the following components : - apache_mod_php - AppleGraphicsPowerManagement - Assets - Audio - Bluetooth - CoreCapture - CoreFoundation - CoreGraphics - CoreMedia External Displays - CoreMedia Playback - CoreStorage - CoreText - curl - Directory Services - Disk Images - FontParser - Foundation - Grapher - ICU - ImageIO - Intel Graphics Driver - IOFireWireFamily - IOAcceleratorFamily - IOHIDFamily - IOKit - IOSurface - Kernel - kext tools - libarchive - LibreSSL - OpenLDAP - OpenPAM - OpenSSL - Power Management - Security - syslog - WiFi - xar Note that successful exploitation of the most serious issues can result in arbitrary code execution. Furthermore, CVE-2016-6304, CVE-2016-7596, and CVE-2016-7604 also affect Mac OS X versions 10.10.5 and 10.11.6. However, this plugin does not check those versions.");
  script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT207423");
  # http://lists.apple.com/archives/security-announce/2016/Dec/msg00003.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?38dabd46");
  script_set_attribute(attribute:"solution", value:
    "Upgrade to macOS version 10.12.2 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-7644");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/12/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/16");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:macos");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
  script_require_ports("Host/MacOSX/Version", "Host/OS");

  exit(0);
}

include("vcf.inc");
include("vcf_extras_apple.inc");

app_info = vcf::apple::get_macos_info();

vcf::apple::check_macos_restrictions(restrictions:['10.12']);

constraints = [{ "fixed_version" : "10.12.2" }];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);

NASL family | Misc. |
NASL id | APPLETV_9_2_1.NASL |
description | According to its banner, the version of the remote Apple TV device is prior to 9.2.1. It is, therefore, affected by multiple vulnerabilities in the following components : - CFNetwork Proxies - CommonCrypto - CoreCapture - Disk Images - ImageIO - IOAcceleratorFamily - IOHIDFamily - Kernel - libc - libxml2 - libxslt - OpenGL - WebKit - WebKit Canvas Note that only 4th generation models are affected by the vulnerabilities. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 91311 |
published | 2016-05-24 |
reporter | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/91311 |
title | Apple TV < 9.2.1 Multiple Vulnerabilities |
code

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(91311);
  script_version("1.9");
  script_cvs_date("Date: 2019/11/14");

  script_cve_id(
    "CVE-2016-1801", "CVE-2016-1802", "CVE-2016-1803", "CVE-2016-1807",
    "CVE-2016-1808", "CVE-2016-1811", "CVE-2016-1813", "CVE-2016-1814",
    "CVE-2016-1817", "CVE-2016-1818", "CVE-2016-1819", "CVE-2016-1823",
    "CVE-2016-1824", "CVE-2016-1827", "CVE-2016-1828", "CVE-2016-1829",
    "CVE-2016-1830", "CVE-2016-1832", "CVE-2016-1833", "CVE-2016-1834",
    "CVE-2016-1836", "CVE-2016-1837", "CVE-2016-1838", "CVE-2016-1839",
    "CVE-2016-1840", "CVE-2016-1841", "CVE-2016-1847", "CVE-2016-1854",
    "CVE-2016-1855", "CVE-2016-1856", "CVE-2016-1857", "CVE-2016-1858",
    "CVE-2016-1859", "CVE-2016-4650"
  );
  script_xref(name:"APPLE-SA", value:"APPLE-SA-2016-05-16-1");

  script_name(english:"Apple TV < 9.2.1 Multiple Vulnerabilities");
  script_summary(english:"Checks the build number.");

  script_set_attribute(attribute:"synopsis", value:
    "The remote device is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
    "According to its banner, the version of the remote Apple TV device is prior to 9.2.1. It is, therefore, affected by multiple vulnerabilities in the following components : - CFNetwork Proxies - CommonCrypto - CoreCapture - Disk Images - ImageIO - IOAcceleratorFamily - IOHIDFamily - Kernel - libc - libxml2 - libxslt - OpenGL - WebKit - WebKit Canvas Note that only 4th generation models are affected by the vulnerabilities.");
  script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT206564");
  # https://lists.apple.com/archives/security-announce/2016/May/msg00001.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?618f77f3");
  script_set_attribute(attribute:"solution", value:
    "Upgrade to Apple TV version 9.2.1 or later. Note that this update is only available for 4th generation models.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-4650");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/05/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/05/24");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:apple_tv");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("appletv_version.nasl");
  script_require_keys("AppleTV/Version", "AppleTV/Model", "AppleTV/URL", "AppleTV/Port");
  script_require_ports("Services/www", 7000);

  exit(0);
}

include("audit.inc");
include("appletv_func.inc");

url = get_kb_item('AppleTV/URL');
if (empty_or_null(url)) exit(0, 'Cannot determine Apple TV URL.');
port = get_kb_item('AppleTV/Port');
if (empty_or_null(port)) exit(0, 'Cannot determine Apple TV port.');

build = get_kb_item('AppleTV/Version');
if (empty_or_null(build)) audit(AUDIT_UNKNOWN_DEVICE_VER, 'Apple TV');

model = get_kb_item('AppleTV/Model');
if (empty_or_null(model)) exit(0, 'Cannot determine Apple TV model.');

fixed_build = "13Y772";
tvos_ver = '9.2.1';

# determine gen from the model
gen = APPLETV_MODEL_GEN[model];

appletv_check_version(
  build        : build,
  fix          : fixed_build,
  affected_gen : 4,
  fix_tvos_ver : tvos_ver,
  model        : model,
  gen          : gen,
  port         : port,
  url          : url,
  severity     : SECURITY_HOLE
);

References
- https://support.apple.com/HT206566
- http://lists.apple.com/archives/security-announce/2016/May/msg00003.html
- https://support.apple.com/HT206567
- https://support.apple.com/HT206568
- https://support.apple.com/HT206564
- http://lists.apple.com/archives/security-announce/2016/May/msg00001.html
- http://lists.apple.com/archives/security-announce/2016/May/msg00002.html
- http://lists.apple.com/archives/security-announce/2016/May/msg00004.html
- https://bugs.chromium.org/p/project-zero/issues/detail?id=774
- http://packetstormsecurity.com/files/137397/OS-X-Kernel-Raw-Cast-Out-Of-Bounds-Read.html
- https://www.exploit-db.com/exploits/39927/
- http://www.securitytracker.com/id/1035890
- http://www.securityfocus.com/bid/90698