CVE-2017-2509 - Unspecified vulnerability in Apple mac OS X
Attack vector | LOCAL |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | NONE |
Availability impact | NONE |
Summary
An issue was discovered in certain Apple products. macOS before 10.12.5 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read restrictions via a crafted app.
Exploit-Db
description | Apple macOS - '32-bit syscall exit' Kernel Register Leak. CVE-2017-2509. Dos exploit for macOS platform |
file | exploits/macos/dos/42046.txt |
id | EDB-ID:42046 |
last seen | 2017-05-22 |
modified | 2017-05-22 |
platform | macos |
port | |
published | 2017-05-22 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/42046/ |
title | Apple macOS - '32-bit syscall exit' Kernel Register Leak |
type | dos |
Nessus
NASL family | MacOS X Local Security Checks |
NASL id | MACOS_10_12_5.NASL |
description | The remote host is running a version of macOS that is 10.12.x prior to 10.12.5. It is, therefore, affected by multiple vulnerabilities:
- Multiple memory corruption issues exist in the Kernel component that allow a local attacker to gain kernel-level privileges. (CVE-2017-2494, CVE-2017-2546)
- A state management flaw exists in the iBooks component due to improper handling of URLs. An unauthenticated, remote attacker can exploit this, via a specially crafted book, to open arbitrary websites without user permission. (CVE-2017-2497)
- A local privilege escalation vulnerability exists in the Kernel component due to a race condition. A local attacker can exploit this to execute arbitrary code with kernel-level privileges. (CVE-2017-2501)
- An information disclosure vulnerability exists in the CoreAudio component due to improper sanitization of user-supplied input. A local attacker can exploit this to read the contents of restricted memory. (CVE-2017-2502)
- A memory corruption issue exists in the Intel graphics driver component that allows a local attacker to execute arbitrary code with kernel-level privileges. (CVE-2017-2503)
- Multiple information disclosure vulnerabilities exist in the Kernel component due to improper sanitization of user-supplied input. A local attacker can exploit these to read the contents of restricted memory. (CVE-2017-2507, CVE-2017-2509, CVE-2017-2516, CVE-2017-6987)
- A memory corruption issue exists in the Sandbox component that allows an unauthenticated, remote attacker to escape an application sandbox. (CVE-2017-2512)
- A use-after-free error exists in the SQLite component when handling SQL queries. An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2017-2513)
- Multiple buffer overflow conditions exist in the SQLite component due to the improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these, via a specially crafted SQL query, to execute arbitrary code. (CVE-2017-2518, CVE-2017-2520)
- A memory corruption issue exists in the SQLite component when handling SQL queries. An unauthenticated, remote attacker can exploit this, via a specially crafted SQL query, to execute arbitrary code. (CVE-2017-2519)
- An unspecified memory corruption issue exists in the TextInput component when parsing specially crafted data. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-2524)
- A flaw exists in the CoreAnimation component when handling specially crafted data. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-2527)
- A race condition exists in the DiskArbitration feature that allows a local attacker to gain system-level privileges. (CVE-2017-2533)
- An unspecified flaw exists in the Speech Framework that allows a local attacker to escape an application sandbox. (CVE-2017-2534)
- A resource exhaustion issue exists in the Security component due to improper validation of user-supplied input. A local attacker can exploit this to exhaust resources and escape an application sandbox. (CVE-2017-2535)
- Multiple memory corruption issues exist in the WindowServer component that allow a local attacker to execute arbitrary code with system-level privileges. (CVE-2017-2537, CVE-2017-2548)
- An information disclosure vulnerability exists in the WindowServer component in the _XGetConnectionPSN() function due to improper validation of user-supplied input. A local attacker can exploit this to read the contents of restricted memory. (CVE-2017-2540)
- A stack-based buffer overflow condition exists in the WindowServer component in the _XGetWindowMovementGroup() function due to improper validation of user-supplied input. A local attacker can exploit this to execute arbitrary code with the privileges of WindowServer. (CVE-2017-2541)
- Multiple memory corruption issues exist in the Multi-Touch component that allow a local attacker to execute arbitrary code with kernel-level privileges. (CVE-2017-2542, CVE-2017-2543)
- A use-after-free error exists in the IOGraphic component that allows a local attacker to execute arbitrary code with kernel-level privileges. (CVE-2017-2545)
- A flaw exists in the Speech Framework, specifically within the speechsynthesisd service, due to improper validation of unsigned dynamic libraries (.dylib) before being loaded. A local attacker can exploit this to bypass the application |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 100270 |
published | 2017-05-18 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/100270 |
title | macOS 10.12.x < 10.12.5 Multiple Vulnerabilities |
Seebug
bulletinFamily | exploit |
description | The XNU kernel, when compiled for an x86-64 CPU, can run 32-bit x86 binaries in compatibility mode. 32-bit binaries use partly separate syscall entry and exit paths.

To return to userspace, unix_syscall() in bsd/dev/i386/systemcalls.c calls thread_exception_return() (in osfmk/x86_64/locore.s), which in turn calls return_from_trap, which is implemented in osfmk/x86_64/idt64.s.

return_from_trap() normally branches into return_to_user relatively quickly, which then, depending on the stack segment selector, branches into either L_64bit_return or L_32bit_return. While the L_64bit_return path restores all userspace registers, the L_32bit_return path only restores the registers that are accessible in compatibility mode; the registers r8 to r15 are not restored.

This is bad because, although switching to compatibility mode makes it impossible to directly access r8..r15, the register contents are preserved, and switching back to 64-bit mode makes the 64-bit registers accessible again. Since the GDT always contains user code segments for both compatibility mode and 64-bit mode, an unprivileged 32-bit process can leak kernel register contents as follows:

* make a normal 32-bit syscall
* switch to 64-bit mode (e.g. by loading the 64-bit user code segment using iret)
* store the contents of r8..r15
* switch back to compatibility mode (e.g. by loading the 32-bit user code segment using iret)

The attached PoC demonstrates the issue by dumping the contents of r8..r15. Usage:

```
$ ./leakregs
r8 = 0xffffff801d3872a8
r9 = 0xffffff8112abbec8
r10 = 0xffffff801f962240
r11 = 0xffffff8031d52bb0
r12 = 0x12
r13 = 0xffffff80094018f0
r14 = 0xffffff801cb59ea0
r15 = 0xffffff801cb59ea0
```

It seems like these are various types of kernel pointers, including kernel text pointers.

If you want to compile the PoC yourself, you'll have to adjust the path to nasm in compile.sh, then run ./compile.sh.

This bug was verified using the following kernel version:

15.6.0 Darwin Kernel Version 15.6.0: Mon Jan 9 23:07:29 PST 2017; root:xnu-3248.60.11.2.1~1/RELEASE_X86_64 x86_64

[leakkregs.tar](https://bugs.chromium.org/p/project-zero/issues/attachment?aid=272661) |
id | SSV:93162 |
last seen | 2017-11-19 |
modified | 2017-05-27 |
published | 2017-05-27 |
reporter | Root |
title | Apple MacOS 32-Bit Syscall Exit Kernel Register Leak(CVE-2017-2509) |