CVE-2014-8835
Published 2015-01-30
- Priority: P2 (60), critical
- CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
- Exploit: public PoC available
- EPSS: 8.25% (94.2nd percentile)
The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | — | — |
| apple | mac_os_x | — | — |
| apple | os_x_yosemite_v10.10.2_and_security_update_2015-001 | — | — |
| php5 | php5 | >= 0 < 5.5.9+dfsg-1ubuntu4.16 | 5.5.9+dfsg-1ubuntu4.16 |
Detection & IOCs (extracted from sources)
- Monitor XPC messages sent to com.apple.sysmond in which the 'Attributes' key holds a non-xpc_data type (e.g., xpc_uuid); this is the type confusion trigger for CVE-2014-8835.
- Detect large XPC heap spray activity targeting sysmond: an attacker maps approximately a gigabyte of data into sysmond at a predictable address via an xpc_data object in the request dictionary.
- Look for unprivileged processes sending crafted XPC dictionaries to sysmond (a root daemon) with an 'Attributes' key of type xpc_uuid rather than xpc_data, which is the exploitation primitive.
- Alert on processes spawning from or injecting into sysmond on OS X 10.9.x / pre-10.10.2, since successful exploitation yields arbitrary code execution as root via XPC type confusion.
- Flag use of liblorgnette (a private symbol resolution library) alongside XPC communication to sysmond, as the public PoC exploit depends on it to resolve private symbols.
- The public PoC exploit contains hard-coded offsets specific to OS X 10.9.5; exploitation against other OS X versions requires offset adjustments.
- The vulnerability is patched in OS X Yosemite v10.10.2 and Security Update 2015-001; systems running these or later versions are not affected.
- The exploit's heap-layout manipulation (placing the xpc_uuid immediately before its linked-list entry) relies on the 512-byte alignment of magazine malloc's small size class, making it allocator-version dependent.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 4.3 | MEDIUM | — |
GHSA
GHSA-m5mx-j3w4-7q93 [HIGH] · ghsa_unreviewed · 2022-05-17
The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue.
OSV
CVE-2014-9767 php5 vulnerabilities · osv · 2016-04-21 · CVSS 4.3
Note that this OSV record is a php5 advisory whose text cites CVE-2015-8835, not CVE-2014-8835.
It was discovered that the PHP Zip extension incorrectly handled directories when processing certain zip files. A remote attacker could possibly use this issue to create arbitrary directories. (CVE-2014-9767)
It was discovered that the PHP Soap client incorrectly validated data types. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-8835, CVE-2016-3185)
It was discovered that the PHP MySQL native driver incorrectly handled TLS connections to MySQL databases. A machine-in-the-middle attacker could possibly use this issue to downgrade and snoop on TLS connections. This vulnerability is known as BACKRONYM. (CVE-2015-8838)
It was discovered that PHP incorrectly handled the imag
Apple
CVE-2014-8835 [CRITICAL]: OS X Yosemite v10.10.2 and Security Update 2015-001 · vendor_apple · CVSS 9.3
Apple Security Update: About the security content of OS X Yosemite v10.10.2 and Security Update 2015-001
Product: OS X Yosemite v10.10.2 and Security Update 2015-001
CVE: CVE-2014-8835
Component: CVE-ID
No detection rules found.
No writeups or analysis indexed.
References
- http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html
- http://packetstormsecurity.com/files/135701/OS-X-Sysmond-XPC-Type-Confusion-Privilege-Escalation.html
- http://support.apple.com/HT204244
- http://www.exploit-db.com/exploits/35742/
- http://www.securityfocus.com/bid/71992
- http://www.securitytracker.com/id/1031650
- https://code.google.com/p/google-security-research/issues/detail?id=121
- https://exchange.xforce.ibmcloud.com/vulnerabilities/100530