Vulnerabilities > CVE-2017-2516 - Unspecified vulnerability in Apple mac OS X
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
An issue was discovered in certain Apple products. macOS before 10.12.5 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read restrictions via a crafted app.
Vulnerable Configurations
Exploit-Db
description | Apple macOS - 'stackshot' Raw Frame Pointers. CVE-2017-2516. Dos exploit for macOS platform |
file | exploits/macos/dos/42047.txt |
id | EDB-ID:42047 |
last seen | 2017-05-22 |
modified | 2017-05-22 |
platform | macos |
port | |
published | 2017-05-22 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/42047/ |
title | Apple macOS - 'stackshot' Raw Frame Pointers |
type | dos |
Nessus
NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD_10_11_6_2017-002__10_10_5_2017-002.NASL description The remote host is running a version of Mac OS X 10.10.5 or 10.11.6 that is missing a security update. It is therefore, affected by multiple vulnerabilities : - A memory corruption issue exists in the Sandbox component that allows an unauthenticated, remote attacker to escape an application sandbox. (CVE-2017-2512) - An information disclosure vulnerability exists in the Kernel component due to improper sanitization of user-supplied input. A local attacker can exploit this to read the contents of restricted memory. (CVE-2017-2516) - An unspecified memory corruption issue exists in the TextInput component when parsing specially crafted data. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-2524) - A flaw exists in the CoreAnimation component when handling specially crafted data. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-2527) - A race condition exists in the DiskArbitration feature that allow a local attacker to gain system-level privileges. (CVE-2017-2533) - A resource exhaustion issue exists in the Security component due to improper validation of user-supplied input. A local attacker can exploit this to exhaust resources and escape an application sandbox. (CVE-2017-2535) - Multiple memory corruption issues exist in the WindowServer component that allow a local attacker to execute arbitrary code with system-level privileges. (CVE-2017-2537, CVE-2017-2548) - An information disclosure vulnerability exists in WindowServer component in the _XGetConnectionPSN() function due to improper validation of user-supplied input. A local attacker can exploit this to read the contents of restricted memory. (CVE-2017-2540) - A stack-based buffer overflow condition exists in the WindowServer component in the _XGetWindowMovementGroup() function due to improper validation of user-supplied input. A local attacker can exploit this to execute arbitrary code with the privileges of WindowServer. (CVE-2017-2541) - A memory corruption issue exists in the Kernel component that allow a local attacker to gain kernel-level privileges. (CVE-2017-2546) - A race condition exists in the IOSurface component that allows a local attacker to execute arbitrary code with kernel-level privileges. (CVE-2017-6979) - An information disclosure vulnerability exists in HFS component due to improper sanitization of user-supplied input. A local attacker can exploit this to read the contents of restricted memory. (CVE-2017-6990) last seen 2020-06-01 modified 2020-06-02 plugin id 100271 published 2017-05-18 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100271 title Mac OS X Multiple Vulnerabilities (Security Update 2017-002) NASL family MacOS X Local Security Checks NASL id MACOS_10_12_5.NASL description The remote host is running a version of macOS that is 10.12.x prior to 10.12.5. It is, therefore, affected by multiple vulnerabilities : - Multiple memory corruption issues exist in the Kernel component that allow a local attacker to gain kernel-level privileges. (CVE-2017-2494, CVE-2017-2546) - A state management flaw exists in the iBooks component due to improper handling of URLs. An unauthenticated, remote attacker can exploit this, via a specially crafted book, to open arbitrary websites without user permission. (CVE-2017-2497) - A local privilege escalation vulnerability exists in the Kernel component due to a race condition. A local attacker can exploit this to execute arbitrary code with kernel-level privileges. (CVE-2017-2501) - An information disclosure vulnerability exists in the CoreAudio component due to improper sanitization of user-supplied input. A local attacker can exploit this to read the contents of restricted memory. (CVE-2017-2502) - A memory corruption issue exists in the Intel graphics driver component that allows a local attacker to execute arbitrary code with kernel-level privileges. CVE-2017-2503) - Multiple information disclosure vulnerabilities exist in the Kernel component due to improper sanitization of user-supplied input. A local attacker can exploit these to read the contents of restricted memory. (CVE-2017-2507, CVE-2017-2509, CVE-2017-2516, CVE-2017-6987) - A memory corruption issue exists in the Sandbox component that allows an unauthenticated, remote attacker to escape an application sandbox. (CVE-2017-2512) - A use-after-free error exists in the SQLite component when handling SQL queries. An unauthenticated, remote attacker can exploit this to deference already freed memory, resulting in the execution of arbitrary code. (CVE-2017-2513) - Multiple buffer overflow conditions exist in the SQLite component due to the improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these, via a specially crafted SQL query, to execute arbitrary code. (CVE-2017-2518, CVE-2017-2520) - A memory corruption issue exists in the SQLite component when handling SQL queries. An unauthenticated, remote attacker can exploit this, via a specially crafted SQL query, to execute arbitrary code. (CVE-2017-2519) - An unspecified memory corruption issue exists in the TextInput component when parsing specially crafted data. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-2524) - A flaw exists in the CoreAnimation component when handling specially crafted data. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-2527) - A race condition exists in the DiskArbitration feature that allow a local attacker to gain system-level privileges. (CVE-2017-2533) - An unspecified flaw exists in the Speech Framework that allows a local attacker to escape an application sandbox. (CVE-2017-2534) - A resource exhaustion issue exists in the Security component due to improper validation of user-supplied input. A local attacker can exploit this to exhaust resources and escape an application sandbox. (CVE-2017-2535) - Multiple memory corruption issues exist in the WindowServer component that allow a local attacker to execute arbitrary code with system-level privileges. (CVE-2017-2537, CVE-2017-2548) - An information disclosure vulnerability exists in WindowServer component in the _XGetConnectionPSN() function due to improper validation of user-supplied input. A local attacker can exploit this to read the contents of restricted memory. (CVE-2017-2540) - A stack-based buffer overflow condition exists in the WindowServer component in the _XGetWindowMovementGroup() function due to improper validation of user-supplied input. A local attacker can exploit this to execute arbitrary code with the privileges of WindowServer. (CVE-2017-2541) - Multiple memory corruption issues exist in the Multi-Touch component that allow a local attacker to execute arbitrary code with kernel-level privileges. (CVE-2017-2542, CVE-2017-2543) - A use-after-free error exists in the IOGraphic component that allows a local attacker to execute arbitrary code with kernel-level privileges. (CVE-2017-2545) - A flaw exists in the Speech Framework, specifically within the speechsynthesisd service, due to improper validation of unsigned dynamic libraries (.dylib) before being loaded. A local attacker can exploit this to bypass the application last seen 2020-06-01 modified 2020-06-02 plugin id 100270 published 2017-05-18 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100270 title macOS 10.12.x < 10.12.5 Multiple Vulnerabilities
Seebug
bulletinFamily | exploit |
description | This is an issue that allows unentitled root to read kernel frame pointers, which might be useful in combination with a kernel memory corruption bug. By design, the syscall stack_snapshot_with_config() permits unentitled root to dump information about all user stacks and kernel stacks. While a target thread, along with the rest of the system, is frozen, machine_trace_thread64() dumps its kernel stack. machine_trace_thread64() walks up the kernel stack using the chain of saved RBPs. It dumps the unslid kernel text pointers together with unobfuscated frame pointers. The attached PoC dumps a stackshot into the file stackshot_data.bin when executed as root. The stackshot contains data like this: ``` 00000a70 de 14 40 00 80 ff ff ff a0 be 08 77 80 ff ff ff |[email protected]....| 00000a80 7b b8 30 00 80 ff ff ff 20 bf 08 77 80 ff ff ff |{.0..... ..w....| 00000a90 9e a6 30 00 80 ff ff ff 60 bf 08 77 80 ff ff ff |..0.....`..w....| 00000aa0 5d ac 33 00 80 ff ff ff b0 bf 08 77 80 ff ff ff |].3........w....| ``` The addresses on the left are unslid kernel text pointers; the addresses on the right are valid kernel stack pointers. Proof of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42047.zip |
id | SSV:93161 |
last seen | 2017-11-19 |
modified | 2017-05-27 |
published | 2017-05-27 |
reporter | Root |
title | Apple macOS - 'stackshot' Raw Frame Pointers(CVE-2017-2516) |