CVE-2014-4492
published 2015-01-30

CVE-2014-4492: libnetcore in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not verify that certain values have the expected data type…

Priority: P2 · 60 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: flagged
EPSS: 19.73% (97.1th percentile)
libnetcore in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not verify that certain values have the expected data type, which allows attackers to execute arbitrary code in an _networkd context via a crafted XPC message from a sandboxed app, as demonstrated by lack of verification of the XPC dictionary data type.

Affected (6 ranges)

Vendor  Product                                               Version range  Fixed in
apple   apple_tv                                              -              -
apple   ios                                                   -              -
apple   iphone_os                                             <= 8.1.2       -
apple   mac_os_x                                              <= 10.10.1     -
apple   os_x_yosemite_v10.10.2_and_security_update_2015-001   -              -
apple   tvos                                                  <= 7.0.1       -

Detection & IOCs (extracted from sources)

command: touch /tmp/hello_networkd
path: /tmp/hello_networkd
other: effective_audit_token (XPC uuid type confusion key)
other: XPC message key: heap_spray
other: XPC message key: type = 6
other: XPC message key: connection_id = 1
other: uuid bytes: {0, 0x120200000}
other: CoreFoundation ROP gadget offset: 0x46ef0
other: CoreFoundation ROP gadget offset: 0x46ef7
other: CoreFoundation ROP gadget offset: 0x2226 (pop rdi; pop rbp; ret)
process: _networkd
  • Alert on creation of /tmp/hello_networkd, which is the proof-of-concept payload artifact written by the exploit via the system() call in the _networkd context.
  • Monitor for sandboxed processes sending XPC messages to _networkd with a 'type' key of uint64 value 6 and a 'connection_id' key, which is the exploit's trigger message structure.
  • Detect heap spray patterns: XPC data payloads of size 0x40000 pages (0x40000 * 0x1000 = 256 MB) sent to _networkd in a single message.
  • Flag XPC dictionary messages to _networkd where 'effective_audit_token' is set as a UUID type rather than the expected data/audit_token type — this is the core type confusion trigger.
  • Look for a 1023-byte all-'A' key string in XPC dictionaries sent to _networkd, used by the exploit as part of the malicious parameters dictionary.
  • The exploit requires the Lorgnette library (liblorgnette) to resolve symbols at runtime; detection of lorgnette.c compilation artifacts or the lorgnette_lookup symbol in a process image may indicate exploit tooling.
  • The vulnerability affects libnetcore across Apple iOS before 8.1.3, OS X before 10.10.2, and Apple TV before 7.0.3; patched versions are not vulnerable to this XPC type confusion attack vector.