CVE-2014-8835
published 2015-01-30


Priority: P2 (60)
Severity: critical, 9.3 (CVSS 2.0), vector AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public PoC available
EPSS: 8.25% (94.2th percentile)
The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue.

Affected (4 ranges)

Vendor | Product                                                   | Version range                   | Fixed in
apple  | mac_os_x                                                  |                                 |
apple  | mac_os_x                                                  |                                 |
apple  | os_x_yosemite_v10.10.2_and_security_update_2015-001       |                                 |
php5   | php5                                                      | >= 0 < 5.5.9+dfsg-1ubuntu4.16   | 5.5.9+dfsg-1ubuntu4.16

Detection & IOCs (extracted from sources)

other: com.apple.sysmond
process: sysmond
  • Monitor XPC messages sent to com.apple.sysmond where the 'Attributes' key contains a non-xpc_data type (e.g., xpc_uuid) — this is the type confusion trigger for CVE-2014-8835.
  • Detect large XPC heap spray activity targeting sysmond: an attacker maps approximately a gigabyte of data into sysmond at a predictable address via an xpc_data object in the request dictionary.
  • Look for unprivileged processes sending crafted XPC dictionaries to sysmond (root daemon) with an 'Attributes' key of type xpc_uuid rather than xpc_data, which is the exploitation primitive.
  • Alert on processes spawning from or injecting into sysmond on OS X 10.9.x / pre-10.10.2, as successful exploitation results in arbitrary code execution as root via XPC type confusion.
  • Flag use of liblorgnette (private symbol resolution library) alongside XPC communication to sysmond, as the public PoC exploit depends on it to resolve private symbols.
  • The public PoC exploit contains hard-coded offsets specific to OS X 10.9.5; exploitation against other OS X versions requires offset adjustments.
  • The vulnerability is patched in OS X Yosemite v10.10.2 and Security Update 2015-001; systems running these or later versions are not affected.
  • The exploit's heap-layout manipulation (placing the xpc_uuid immediately before its linked-list entry) relies on magazine malloc's 512-byte alignment for the small size class, making it allocator-version dependent.

CVSS provenance

NVD (CVSS v2.0): 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
OSV: 4.3 MEDIUM