CVE-2014-4404
Published 2014-09-18
Priority P1 (81) · CVSS 3.1 base score 7.8 (high)
CISA Known Exploited Vulnerability (remediation due 2022-08-10) · Exploited in the wild
EPSS: 49.05% (98.7th percentile)
Heap-based buffer overflow in IOHIDFamily in Apple iOS before 8 and Apple TV before 7 allows attackers to execute arbitrary code in a privileged context via an application that provides crafted key-mapping properties.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | iphone_os | < 8.0 | 8.0 |
| apple | mac_os_x | < 10.10.0 | 10.10.0 |
| apple | mac_os_x | >= 10.10.1 < 10.10.3 | 10.10.3 |
| apple | os_x_yosemite_v10.10.3_and_security_update_2015-004 | — | — |
| apple | tvos | < 7.0 | 7.0 |
Detection & IOCs (extracted from sources)
- Monitor for creation of randomly-named executable files in /tmp/ (12-character lowercase alpha pattern) followed by chmod +x and execution; this is characteristic of the Metasploit exploit module for CVE-2014-4404.
- Detect privilege escalation attempts via the IOHIKeyboardMapper::parseKeyMapping heap overflow; look for unprivileged processes spawning privileged children on macOS 10.9.x (Mavericks) and earlier.
- Alert on execution of sw_vers from within a shell or meterpreter session context; the exploit module uses it to fingerprint the OS version before proceeding.
- The exploit targets Mac OS X 10.9.5 Mavericks x64 specifically; systems running versions prior to 10.10 (Yosemite) should be treated as vulnerable and monitored for IOKit-related kernel anomalies.
- The exploit abuses the IORegistry to leak kernel pointers for a full kASLR bypass; monitor for unusual IORegistry access patterns from user-space processes.
- The Metasploit module targets only Mac OS X 10.9.5 Mavericks x64 as the default target; the exploit binary 'key_exploit' must be pre-staged in the Metasploit data directory.
- The module checks for OS version < 10.10 before proceeding; systems running Yosemite (10.10) or later are marked Safe and the exploit will not execute.
- The CVE also affects Apple iOS before 8 and Apple TV before 7 via crafted key-mapping properties, not only macOS; the Metasploit module covers only the macOS local privilege escalation vector.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
CISA
Apple OS X Heap-Based Buffer Overflow Vulnerability
cisa · 2022-02-10 · CVSS 7.8 · HIGH · CWE-119
Vulnerability: Apple OS X Heap-Based Buffer Overflow Vulnerability
Affected: Apple OS X
Heap-based buffer overflow in IOHIDFamily in Apple OS X (also affecting iOS before 8 and Apple TV before 7) allows attackers to execute arbitrary code in a privileged context.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2014-4404
Remediation Due Date: 2022-08-10
Apple
CVE-2014-4404: OS X Yosemite v10.10.3 and Security Update 2015-004
vendor_apple · CVSS 7.8 · HIGH
Apple Security Update: About the security content of OS X Yosemite v10.10.3 and Security Update 2015-004
Product: OS X Yosemite v10.10.3 and Security Update 2015-004
CVE: CVE-2014-4404
GHSA
GHSA-frxp-ch88-g8fc: Heap-based buffer overflow in IOHIDFamily in Apple iOS before 8 and Apple TV before 7
ghsa_unreviewed · 2022-05-14 · HIGH · CWE-119
Heap-based buffer overflow in IOHIDFamily in Apple iOS before 8 and Apple TV before 7 allows attackers to execute arbitrary code in a privileged context via an application that provides crafted key-mapping properties.
Project Zero
More Mac OS X and iPhone sandbox escapes and kernel bugs - Project Zero
project_zero · 2014-10-01 · CVSS 6.9 (indexed under CVE-2014-4376, MEDIUM)
Posted by Ian Beer
A couple of weeks ago Apple released OS X 10.9.5 and iOS 8, which fixed a number of sandbox escapes and privilege escalation bugs found by Project Zero. All bar one of these bugs were found via manual source code auditing where there was source, and binary analysis where there wasn't. As always, click through the bugs for proof-of-concept code and further details:
CVE-2014-4403* [ https://code.google.com/p/google-security-research/issues/detail?id=23 ] was an issue allowing a kernel ASLR bypass on OS X due to insufficient randomization of very early kernel heap allocations, the addresses of which could be leaked using the unprivileged SGDT instruction. This bug could be exploited from within any sandbox on OS X and allowed an attacker to determine the load address of t
VulnCheck
Apple OS X Heap-Based Buffer Overflow Vulnerability
vulncheck · 2014 · CVSS 7.8 · HIGH · CWE-119
Heap-based buffer overflow in IOHIDFamily in Apple OS X (also affecting iOS before 8 and Apple TV before 7) allows attackers to execute arbitrary code in a privileged context.
Affected: Apple MacOS X
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-08-10
No detection rules found.
Exploit-DB
Apple Mac OSX - IOKit Keyboard Driver Privilege Escalation (Metasploit)
exploitdb · 2014-12-02
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
class Metasploit3 'Mac OS X IOKit Keyboard Driver Root Privilege Escalation',
'Description' => %q{
A heap overflow in IOHIKeyboardMapper::parseKeyMapping allows kernel memory
corruption in Mac OS X before 10.10. By abusing a bug in the IORegistry, kernel
pointers can also be leaked, allowing a full kASLR bypass.
Tested on Mavericks 10.9.5, and should work on previous versions.
The issue has been patched silently in Yosemite.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Ian Beer', # discovery, advisory, publication, and a most excellent blog po
```
Metasploit
Mac OS X IOKit Keyboard Driver Root Privilege Escalation
metasploit
A heap overflow in IOHIKeyboardMapper::parseKeyMapping allows kernel memory corruption in Mac OS X before 10.10. By abusing a bug in the IORegistry, kernel pointers can also be leaked, allowing a full kASLR bypass. Tested on Mavericks 10.9.5, and should work on previous versions. The issue was patched silently in Yosemite.
References
- http://archives.neohapsis.com/archives/bugtraq/2014-09/0106.html
- http://archives.neohapsis.com/archives/bugtraq/2014-09/0107.html
- http://archives.neohapsis.com/archives/bugtraq/2014-10/0101.html
- http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html
- http://support.apple.com/kb/HT6441
- http://support.apple.com/kb/HT6442
- http://www.securityfocus.com/bid/69882
- http://www.securityfocus.com/bid/69947
- http://www.securitytracker.com/id/1030866
- https://exchange.xforce.ibmcloud.com/vulnerabilities/96111
- https://support.apple.com/HT204659
- https://support.apple.com/kb/HT6535
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-4404
Published: 2014-09-18
Added to CISA KEV: 2022-02-10
Exploited in the wild