CVE-2014-4492
Published 2015-01-30
Priority: P2, 60, high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 19.73% (97.1th percentile)
libnetcore in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not verify that certain values have the expected data type, which allows attackers to execute arbitrary code in an _networkd context via a crafted XPC message from a sandboxed app, as demonstrated by lack of verification of the XPC dictionary data type.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | apple_tv | — | — |
| apple | ios | — | — |
| apple | iphone_os | <= 8.1.2 | — |
| apple | mac_os_x | <= 10.10.1 | — |
| apple | os_x_yosemite_v10.10.2_and_security_update_2015-001 | — | — |
| apple | tvos | <= 7.0.1 | — |
Detection & IOCs (extracted from sources)
- Alert on creation of /tmp/hello_networkd, which is the proof-of-concept payload artifact written by the exploit via the system() call in the _networkd context.
- Monitor for sandboxed processes sending XPC messages to _networkd with a 'type' key of uint64 value 6 and a 'connection_id' key, which is the exploit's trigger message structure.
- Detect heap spray patterns: XPC data payloads of size 0x40000 pages (0x40000 * 0x1000 = 256 MB) sent to _networkd in a single message.
- Flag XPC dictionary messages to _networkd where 'effective_audit_token' is set as a UUID type rather than the expected data/audit_token type; this is the core type confusion trigger.
- Look for a 1023-byte all-'A' key string in XPC dictionaries sent to _networkd, used by the exploit as part of the malicious parameters dictionary.
- The exploit requires the Lorgnette library (liblorgnette) to resolve symbols at runtime; detection of lorgnette.c compilation artifacts or the lorgnette_lookup symbol in a process image may indicate exploit tooling.
- The vulnerability affects libnetcore across Apple iOS before 8.1.3, OS X before 10.10.2, and Apple TV before 7.0.3; patched versions are not vulnerable to this XPC type confusion attack vector.
Apple
CVE-2014-4492: Apple TV 7.0.3
vendor_apple·CVSS 7.5
CVE-2014-4492 [HIGH] CVE-2014-4492: Apple TV 7.0.3
Apple Security Update: About the security content of Apple TV 7.0.3
Product: Apple TV
Version: 7.0.3
CVE: CVE-2014-4492
Component: CVE-ID
Apple
CVE-2014-4492: iOS 8.1.3
vendor_apple·CVSS 7.5
CVE-2014-4492 [HIGH] CVE-2014-4492: iOS 8.1.3
Apple Security Update: About the security content of iOS 8.1.3
Product: iOS
Version: 8.1.3
CVE: CVE-2014-4492
Component: CVE-ID
Apple
CVE-2014-4492: OS X Yosemite v10.10.2 and Security Update 2015-001
vendor_apple·CVSS 7.5
CVE-2014-4492 [HIGH] CVE-2014-4492: OS X Yosemite v10.10.2 and Security Update 2015-001
Apple Security Update: About the security content of OS X Yosemite v10.10.2 and Security Update 2015-001
Product: OS X Yosemite v10.10.2 and Security Update 2015-001
CVE: CVE-2014-4492
Component: CVE-ID
GHSA
GHSA-6qx2-6p7g-rvh5: libnetcore in Apple iOS before 8
ghsa_unreviewed·2022-05-14
CVE-2014-4492 [HIGH] GHSA-6qx2-6p7g-rvh5: libnetcore in Apple iOS before 8
libnetcore in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not verify that certain values have the expected data type, which allows attackers to execute arbitrary code in an _networkd context via a crafted XPC message from a sandboxed app, as demonstrated by lack of verification of the XPC dictionary data type.
No detection rules found.
No writeups or analysis indexed.
- http://lists.apple.com/archives/security-announce/2015/Jan/msg00000.html
- http://lists.apple.com/archives/security-announce/2015/Jan/msg00001.html
- http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html
- http://packetstormsecurity.com/files/134393/Mac-OS-X-Networkd-XPC-Type-Confusion-Sandbox-Escape.html
- http://support.apple.com/HT204244
- http://support.apple.com/HT204245
- http://support.apple.com/HT204246
- http://www.exploit-db.com/exploits/35847
- http://www.osvdb.org/114862
- https://code.google.com/p/google-security-research/issues/detail?id=92
Published: 2015-01-30