Vulnerabilities > CVE-2017-2360 - Use After Free vulnerability in multiple products

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
apple
webkitgtk
CWE-416
critical
nessus
exploit available

Summary

An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. macOS before 10.12.3 is affected. tvOS before 10.1.1 is affected. watchOS before 3.1.3 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (use-after-free) via a crafted app.

Vulnerable Configurations

Part Description Count
OS
Apple
317
Application
Webkitgtk
239

Common Weakness Enumeration (CWE)

Exploit-Db

descriptionmacOS 10.12.1 / iOS Kernel - 'host_self_trap' Use-After-Free. CVE-2017-2360. Dos exploit for Multiple platform. Tags: Denial of Service (DoS)
fileexploits/multiple/dos/41165.c
idEDB-ID:41165
last seen2017-01-26
modified2017-01-26
platformmultiple
port
published2017-01-26
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/41165/
titlemacOS 10.12.1 / iOS Kernel - 'host_self_trap' Use-After-Free
typedos

Nessus

  • NASL familyMisc.
    NASL idAPPLETV_10_1_1.NASL
    descriptionAccording to its banner, the version of Apple TV on the remote device is prior to 10.1.1. It is, therefore, affected by multiple vulnerabilities : - A stack-based buffer overflow condition exists in libarchive in the bsdtar_expand_char() function within file util.c due to improper validation of certain unspecified input. An unauthenticated, remote attacker can exploit this, via a specially crafted archive, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-8687) - A prototype access flaw exists in WebKit when handling exceptions. An unauthenticated, remote attacker can exploit this, via specially crafted web content, to disclose cross-origin data. (CVE-2017-2350) - A type confusion error exists in WebKit when handling SearchInputType objects due to improper validation of certain unspecified input. An unauthenticated, remote attacker can exploit this, via specially crafted web content, to execute arbitrary code. (CVE-2017-2354) - An unspecified memory initialization flaw exists in WebKit that allows an unauthenticated, remote attacker to execute arbitrary code via specially crafted web content. (CVE-2017-2355) - Multiple memory corruption issues exist in WebKit due to improper validation of certain unspecified input. An unauthenticated, remote attacker can exploit these, via specially crafted web content, to execute arbitrary code. (CVE-2017-2356, CVE-2017-2362, CVE-2017-2369, CVE-2017-2373) - A use-after-free error exists in the host_self_trap mach trap. A local attacker can exploit this, via a specially crafted application, to dereference already freed memory and thereby execute arbitrary code with kernel privileges. (CVE-2017-2360) - A flaw exists in WebKit when handling page loading due to improper validation of certain unspecified input. An unauthenticated, remote attacker can exploit this, via specially crafted web content, to disclose cross-origin data. (CVE-2017-2363) - A flaw exists in WebKit when handling variables due to improper validation of certain unspecified input. An unauthenticated, remote attacker can exploit this, via specially crafted web content, to disclose cross-origin data. (CVE-2017-2365) - A heap buffer overflow condition exists in the mach_voucher_extract_attr_recipe_trap() function due to improper validation of certain unspecified input. A local attacker can exploit this, via a specially crafted application, to cause a denial of service condition or the execution of arbitrary code with kernel privileges. (CVE-2017-2370) Note that only 4th generation models are affected by these vulnerabilities.
    last seen2020-06-01
    modified2020-06-02
    plugin id96877
    published2017-01-30
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96877
    titleApple TV < 10.1.1 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96877);
      script_version("1.7");
      script_cvs_date("Date: 2019/11/13");
    
      script_cve_id(
        "CVE-2016-8687",
        "CVE-2017-2350",
        "CVE-2017-2354",
        "CVE-2017-2355",
        "CVE-2017-2356",
        "CVE-2017-2360",
        "CVE-2017-2362",
        "CVE-2017-2363",
        "CVE-2017-2365",
        "CVE-2017-2369",
        "CVE-2017-2370",
        "CVE-2017-2373"
      );
      script_bugtraq_id(
        93781,
        95727,
        95728,
        95729,
        95731,
        95736
      );
      script_xref(name:"APPLE-SA", value:"APPLE-SA-2017-01-23-4");
    
      script_name(english:"Apple TV < 10.1.1 Multiple Vulnerabilities");
      script_summary(english:"Checks the build number.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Apple TV device is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of Apple TV on the remote device
    is prior to 10.1.1. It is, therefore, affected by multiple
    vulnerabilities :
    
      - A stack-based buffer overflow condition exists in
        libarchive in the bsdtar_expand_char() function within
        file util.c due to improper validation of certain
        unspecified input. An unauthenticated, remote attacker
        can exploit this, via a specially crafted archive, to
        cause a denial of service condition or the execution of
        arbitrary code. (CVE-2016-8687)
    
      - A prototype access flaw exists in WebKit when handling
        exceptions. An unauthenticated, remote attacker can
        exploit this, via specially crafted web content, to
        disclose cross-origin data. (CVE-2017-2350)
    
      - A type confusion error exists in WebKit when handling
        SearchInputType objects due to improper validation of
        certain unspecified input. An unauthenticated, remote
        attacker can exploit this, via specially crafted web
        content, to execute arbitrary code. (CVE-2017-2354)
    
      - An unspecified memory initialization flaw exists in
        WebKit that allows an unauthenticated, remote attacker
        to execute arbitrary code via specially crafted web
        content. (CVE-2017-2355)
    
      - Multiple memory corruption issues exist in WebKit due to
        improper validation of certain unspecified input. An
        unauthenticated, remote attacker can exploit these, via
        specially crafted web content, to execute arbitrary
        code. (CVE-2017-2356, CVE-2017-2362, CVE-2017-2369,
        CVE-2017-2373)
    
      - A use-after-free error exists in the host_self_trap mach
        trap. A local attacker can exploit this, via a specially
        crafted application, to dereference already freed memory
        and thereby execute arbitrary code with kernel
        privileges. (CVE-2017-2360)
    
      - A flaw exists in WebKit when handling page loading due
        to improper validation of certain unspecified input.
        An unauthenticated, remote attacker can exploit this,
        via specially crafted web content, to disclose
        cross-origin data. (CVE-2017-2363)
    
      - A flaw exists in WebKit when handling variables due
        to improper validation of certain unspecified input.
        An unauthenticated, remote attacker can exploit this,
        via specially crafted web content, to disclose
        cross-origin data. (CVE-2017-2365)
    
      - A heap buffer overflow condition exists in the
        mach_voucher_extract_attr_recipe_trap() function due to
        improper validation of certain unspecified input. A
        local attacker can exploit this, via a specially
        crafted application, to cause a denial of service
        condition or the execution of arbitrary code with
        kernel privileges. (CVE-2017-2370)
    
    Note that only 4th generation models are affected by these
    vulnerabilities.");
      script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT207485");
      # https://lists.apple.com/archives/security-announce/2017/Jan/msg00005.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f1c5d4b2");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Apple TV version 10.1.1 or later. Note that this update is
    only available for 4th generation models.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-2370");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/11");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/01/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/30");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:apple_tv");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("appletv_version.nasl");
      script_require_keys("AppleTV/Version", "AppleTV/Model", "AppleTV/URL", "AppleTV/Port");
      script_require_ports("Services/www", 7000);
    
      exit(0);
    }
    
    include("audit.inc");
    include("appletv_func.inc");
    
    url = get_kb_item('AppleTV/URL');
    if (empty_or_null(url)) exit(0, 'Cannot determine Apple TV URL.');
    port = get_kb_item('AppleTV/Port');
    if (empty_or_null(port)) exit(0, 'Cannot determine Apple TV port.');
    
    build = get_kb_item('AppleTV/Version');
    if (empty_or_null(build)) audit(AUDIT_UNKNOWN_DEVICE_VER, 'Apple TV');
    
    model = get_kb_item('AppleTV/Model');
    if (empty_or_null(model)) exit(0, 'Cannot determine Apple TV model.');
    
    fixed_build = "14U712a";
    tvos_ver = '10.1.1';
    
    # determine gen from the model
    gen = APPLETV_MODEL_GEN[model];
    
    appletv_check_version(
      build          : build,
      fix            : fixed_build,
      affected_gen   : 4,
      fix_tvos_ver   : tvos_ver,
      model          : model,
      gen            : gen,
      port           : port,
      url            : url,
      severity       : SECURITY_HOLE
    );
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOS_10_12_3.NASL
    descriptionThe remote host is running a version of macOS that is 10.12.x prior to 10.12.3. It is, therefore, affected by multiple vulnerabilities in the following components : - apache_mod_php - Bluetooth - Graphics Drivers - Help Viewer - IOAudioFamily - Kernel - libarchive - Vim - WebKit Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen2020-06-01
    modified2020-06-02
    plugin id96731
    published2017-01-24
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96731
    titlemacOS 10.12.x < 10.12.3 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96731);
      script_version("1.4");
      script_cvs_date("Date: 2019/11/13");
    
      script_cve_id(
        "CVE-2016-1248",
        "CVE-2016-8670",
        "CVE-2016-8687",
        "CVE-2016-9933",
        "CVE-2016-9934",
        "CVE-2017-2353",
        "CVE-2017-2357",
        "CVE-2017-2358",
        "CVE-2017-2360",
        "CVE-2017-2361",
        "CVE-2017-2370",
        "CVE-2017-2371"
      );
      script_bugtraq_id(
        93594,
        93781,
        94478,
        94845,
        94865,
        95723,
        95729,
        95731,
        95735
      );
      script_xref(name:"APPLE-SA", value:"APPLE-SA-2017-01-23-2");
    
      script_name(english:"macOS 10.12.x < 10.12.3 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of macOS.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a macOS update that fixes multiple security
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote host is running a version of macOS that is 10.12.x prior to
    10.12.3. It is, therefore, affected by multiple vulnerabilities in the
    following components :
    
      - apache_mod_php
      - Bluetooth
      - Graphics Drivers
      - Help Viewer
      - IOAudioFamily
      - Kernel
      - libarchive
      - Vim
      - WebKit
    
    Note that successful exploitation of the most serious issues can
    result in arbitrary code execution.");
      script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT207483");
      # https://lists.apple.com/archives/security-announce/2017/Jan/msg00003.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?83c658ec");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to macOS version 10.12.3 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-2370");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/25");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/01/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/24");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:macos");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
      script_require_ports("Host/MacOSX/Version", "Host/OS");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    os = get_kb_item("Host/MacOSX/Version");
    if (!os)
    {
      os = get_kb_item_or_exit("Host/OS");
      if ("Mac OS X" >!< os) audit(AUDIT_OS_NOT, "macOS / Mac OS X");
    
      c = get_kb_item("Host/OS/Confidence");
      if (c <= 70) exit(1, "Can't determine the host's OS with sufficient confidence.");
    }
    if (!os) audit(AUDIT_OS_NOT, "macOS / Mac OS X");
    
    matches = eregmatch(pattern:"Mac OS X ([0-9]+(\.[0-9]+)+)", string:os);
    if (isnull(matches)) exit(1, "Failed to parse the macOS / Mac OS X version ('" + os + "').");
    
    version = matches[1];
    if (version !~ "^10\.12($|[^0-9])") audit(AUDIT_OS_NOT, "Mac OS 10.12.x");
    
    fixed_version = "10.12.3";
    if (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)
    {
      security_report_v4(
        port:0,
        severity:SECURITY_HOLE,
        xss:TRUE,
        extra:
          '\n  Installed version : ' + version +
          '\n  Fixed version     : ' + fixed_version +
          '\n'
      );
    }
    else audit(AUDIT_INST_VER_NOT_VULN, "macOS / Mac OS X", version);