CVE-2014-4404
published 2014-09-18


Priority: P1, 81
Severity: high, 7.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-08-10
Exploited in the wild
EPSS: 49.05% (98.7th percentile)
Heap-based buffer overflow in IOHIDFamily in Apple iOS before 8 and Apple TV before 7 allows attackers to execute arbitrary code in a privileged context via an application that provides crafted key-mapping properties.

Affected (5 ranges)

Vendor  Product                                              Version range           Fixed in
apple   iphone_os                                            < 8.0                   8.0
apple   mac_os_x                                             < 10.10.0               10.10.0
apple   mac_os_x                                             >= 10.10.1, < 10.10.3   10.10.3
apple   os_x_yosemite_v10.10.3_and_security_update_2015-004  -                       -
apple   tvos                                                 < 7.0                   7.0

Detection & IOCs (extracted from sources)

path: data/exploits/CVE-2014-4404/key_exploit
command: chmod +x <exploit_file> && chmod +x <payload_file> && <exploit_file> <payload_file>
command: sw_vers -productVersion
  • Monitor for creation of randomly named executable files in /tmp/ (12-character lowercase alpha pattern) followed by chmod +x and execution; this sequence is characteristic of the Metasploit exploit module for CVE-2014-4404.
  • Detect privilege escalation attempts via the IOHIKeyboardMapper::parseKeyMapping heap overflow; look for unprivileged processes spawning privileged children on macOS 10.9.x (Mavericks) and earlier.
  • Alert on execution of sw_vers from within a shell or Meterpreter session context; the exploit module uses it to fingerprint the OS version before proceeding.
  • The exploit targets Mac OS X 10.9.5 Mavericks x64 specifically; systems running versions prior to 10.10 (Yosemite) should be treated as vulnerable and monitored for IOKit-related kernel anomalies.
  • The exploit abuses the IORegistry to leak kernel pointers for a full kASLR bypass; monitor for unusual IORegistry access patterns from user-space processes.
  • The Metasploit module targets only Mac OS X 10.9.5 Mavericks x64 as its default target; the exploit binary 'key_exploit' must be pre-staged in the Metasploit data directory.
  • The module checks for OS version < 10.10 before proceeding; systems running Yosemite (10.10) or later are marked Safe and the exploit will not execute.
  • The CVE also affects Apple iOS before 8 and Apple TV before 7 via crafted key-mapping properties, not only macOS; the Metasploit module covers only the macOS local privilege escalation vector.
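The staging chain described in the notes above (sw_vers fingerprint, chmod +x on a random 12-letter /tmp file, then execution of that file) as detection logic over process-execution events. This is an added example, not code from this page or from the Metasploit project; the event fields 'session', 'uid' and 'cmd' and the sample events are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Files staged by the exploit module: /tmp/ plus exactly 12 lowercase letters.
# Matched per whitespace token, so longer or punctuated names do not hit.
RANDOM_TMP = re.compile(r"/tmp/[a-z]{12}")

def tmp_targets(cmd: str) -> List[str]:
    """Return the /tmp/<12 lowercase letters> paths referenced by one command."""
    return [t for t in cmd.split() if RANDOM_TMP.fullmatch(t)]

def detect_key_exploit_chain(events: List[Dict]) -> List[Dict]:
    """Report sessions in which a random /tmp file is chmod +x'd and then run.
    Events are dicts with 'session' (parent shell id, assumed field), 'uid'
    and 'cmd'; '&&'-joined command lines are split into their parts. A prior
    sw_vers call in the same session raises confidence from medium to high.
    """
    sessions = defaultdict(list)
    for ev in events:
        sessions[ev["session"]].append(ev)
    findings = []
    for sid, evs in sessions.items():
        fingerprinted, chmodded, executed = False, set(), set()
        for ev in evs:
            for part in ev["cmd"].split("&&"):
                tokens = part.split()
                if tokens[:1] == ["sw_vers"]:
                    fingerprinted = True
                elif tokens[:2] == ["chmod", "+x"]:
                    chmodded.update(tmp_targets(part))
                elif tokens and tokens[0] in chmodded:  # run only after chmod +x
                    executed.add(tokens[0])
        if executed:
            findings.append({"session": sid, "uid": evs[0]["uid"],
                             "files": sorted(executed),
                             "confidence": "high" if fingerprinted else "medium"})
    return findings

# Constructed sample telemetry (not real logs): one benign build session and
# one session matching the staging chain from the detection notes above.
SAMPLE_EVENTS = [
    {"session": 300, "uid": 501, "cmd": "chmod +x /tmp/build_helper.sh"},
    {"session": 300, "uid": 501, "cmd": "/tmp/build_helper.sh"},
    {"session": 900, "uid": 501, "cmd": "sw_vers -productVersion"},
    {"session": 900, "uid": 501, "cmd": "chmod +x /tmp/qwertyuiopas"},
    {"session": 900, "uid": 501, "cmd": "chmod +x /tmp/zxcvbnmasdfg"},
    {"session": 900, "uid": 501, "cmd": "/tmp/qwertyuiopas /tmp/zxcvbnmasdfg"},
]
```

Running detect_key_exploit_chain(SAMPLE_EVENTS) reports only session 900, with /tmp/qwertyuiopas as the executed file and confidence high; the payload file that is only passed as an argument is not listed as executed.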

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd        v2.0     9.3    CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck           7.8    HIGH
cisa                7.8    HIGH