CVE-2015-7047
Published: 2015-12-11
Priority: P3 · Severity: high · CVSS 2.0 base score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available (see the Exploit-DB entries below)
EPSS: 1.00% (58.3rd percentile)
The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, and watchOS before 2.1 allows local users to gain privileges via a crafted mach message that is misparsed.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios | — | — |
| apple | iphone_os | <= 9.1 | — |
| apple | mac_os_x | <= 10.11.1 | — |
| apple | os_x_el_capitan_10.11.2_security_update_2015-005_yosemite_and_security_update_20 | — | — |
| apple | tvos | <= 9.0 | — |
| apple | tvos | — | — |
| apple | watchos | <= 2.0 | — |
| apple | watchos | — | — |
Source: Apple
Title: CVE-2015-7047: watchOS 2.1
Tags: vendor_apple · CVSS 7.2 · HIGH
Apple Security Update: About the security content of watchOS 2.1
Product: watchOS
Version: 2.1
CVE: CVE-2015-7047
Component: CVE-ID
Source: Apple
Title: CVE-2015-7047: tvOS 9.1
Tags: vendor_apple · CVSS 7.2 · HIGH
Apple Security Update: About the security content of tvOS 9.1
Product: tvOS
Version: 9.1
CVE: CVE-2015-7047
Component: CVE-ID
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: A memory corruption issue existed in the processing of archives. This issue was addressed through improved memory handling.
Source: Apple
Title: CVE-2015-7047: iOS 9.2
Tags: vendor_apple · CVSS 7.2 · HIGH
Apple Security Update: About the security content of iOS 9.2
Product: iOS
Version: 9.2
CVE: CVE-2015-7047
Component: CVE-ID
Source: Apple
Title: CVE-2015-7047: OS X El Capitan 10.11.2, Security Update 2015-005 Yosemite, and Security Update 2015-008 Mavericks
Tags: vendor_apple · CVSS 7.2 · HIGH
Apple Security Update: About the security content of OS X El Capitan 10.11.2, Security Update 2015-005 Yosemite, and Security Update 2015-008 Mavericks
Product: OS X El Capitan 10.11.2, Security Update 2015-005 Yosemite, and Security Update 2015-008 Mavericks
CVE: CVE-2015-7047
Component: CVE-ID
Impact: A local user may be able to execute arbitrary code with kernel privileges
Description: A validation issue existed during the loading of kernel extensions. This issue was addressed through additional verification.
Source: GHSA
Title: GHSA-h498-6fjm-8x65: The kernel in Apple iOS before 9
Tags: ghsa_unreviewed · 2022-05-14 · CVE-2015-7047 · HIGH · CWE-20
The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, and watchOS before 2.1 allows local users to gain privileges via a crafted mach message that is misparsed.
No detection rules found.
Source: Exploit-DB
Title: Apple Mac OSX / iOS - Unsandboxable Kernel Use-After-Free in Mach Vouchers
Tags: exploitdb · 2016-01-28 · CVE-2015-7047
---
```c
/*
Source: https://code.google.com/p/google-security-research/issues/detail?id=553
The mach voucher subsystem fails to correctly handle spoofed no-more-senders messages.
ipc_kobject_server will be called for mach messages sent to kernel-owned mach ports.
If the msgh_id of the message can't be found in the mig_buckets hash table then this function
calls ipc_kobject_notify. Note that this is the same code path which would be taken for a
real no-more-senders notification message but there's nothing stopping user-space from
also just sending one.
ipc_kobject_notify calls the correct notification method for the type of the KOBJECT associated with the port:
boolean_t
ipc_kobject_notify(
mach_msg_header_t *reque
```
Source: Exploit-DB
Title: Apple Mac OSX Kernel - no-more-senders Use-After-Free
Tags: exploitdb · 2016-01-28 · CVE-2015-7047
---
```c
/*
Source: https://code.google.com/p/google-security-research/issues/detail?id=567
Kernel UaF due to audit session port failing to correctly account for spoofed no-more-senders notifications
Tested on ElCapitan 10.11 (15a284) on MacBookAir 5,2
*/
// ianbeer
/*
Kernel UaF due to audit session port failing to correctly account for spoofed no-more-senders notifications
*/
#include
#include
#include
#include
#include
#include
#include
#include
io_connect_t conn = MACH_PORT_NULL;
int start = 0;
struct spoofed_notification {
  mach_msg_header_t header;
  NDR_record_t NDR;
  mach_msg_type_number_t no_senders_count;
};
struct spoofed_notification msg = {0};
void send_message() {
  mach_msg(&msg,
           MACH_SEND_MSG,
           msg.header.msgh_size,
```
Source: Exploit-DB
Title: Apple Mac OSX Kernel - IOAccelDisplayPipeUserClient2 Use-After-Free
Tags: exploitdb · 2016-01-28 · CVE-2015-7047
---
```c
/*
Source: https://code.google.com/p/google-security-research/issues/detail?id=565
Kernel UaF with IOAccelDisplayPipeUserClient2 with spoofed no more senders notifications
repro: while true; do ./iospoof_ig_4; done
Likely to crash in various ways; have observed NULL derefs and NX traps.
Tested on ElCapitan 10.11 (15a284) on MacBookAir 5,2
*/
// ianbeer
// clang -o iospoof_ig_4 iospoof_ig_4.c -framework IOKit
/*
Kernel UaF with IOAccelDisplayPipeUserClient2 with spoofed no more senders notifications
repro: while true; do ./iospoof_ig_4; done
*/
#include
#include
#include
#include
#include
#include
#include
io_connect_t conn = MACH_PORT_NULL;
int start = 0;
struct spoofed_notification {
  mach_msg_header_t h
```
Source: Exploit-DB
Title: Apple Mac OSX Kernel - IOAccelMemoryInfoUserClient Use-After-Free
Tags: exploitdb · 2016-01-28 · CVE-2015-7047
---
```c
/*
Source: https://code.google.com/p/google-security-research/issues/detail?id=566
Kernel UaF with IOAccelMemoryInfoUserClient with spoofed no more senders notifications
repro: while true; do ./iospoof_ig_7; done
Tested on ElCapitan 10.11 (15a284) on MacBookAir 5,2
*/
// ianbeer
// clang -o iospoof_ig_7 iospoof_ig_7.c -framework IOKit
/*
Kernel UaF with IOAccelMemoryInfoUserClient with spoofed no more senders notifications
repro: while true; do ./iospoof_ig_7; done
*/
#include
#include
#include
#include
#include
#include
#include
io_connect_t conn = MACH_PORT_NULL;
int start = 0;
struct spoofed_notification {
  mach_msg_header_t header;
  NDR_record_t NDR;
  mach_msg_type_number_t no_senders_count;
};
struct spo
```
Source: Exploit-DB
Title: Apple Mac OSX - IOBluetoothHCIPacketLogUserClient Memory Corruption
Tags: exploitdb · 2016-01-28 · CVE-2015-7047
---
```c
/*
Source: https://code.google.com/p/google-security-research/issues/detail?id=572
The OS* data types (OSArray etc) are explicitly not thread safe; they rely on their callers to implement the required locking
to serialize all accesses and manipulations of them. By sending two spoofed no-more-senders notifications on two threads at the
same time we can cause parallel calls to OSArray::removeObject with no locks which is unsafe. In this particular case you might see two threads
both passing the index >= count check in OSArray::removeObject (when count = 1 and index = 0) but then both decrementing count leading to an OSArray with
a count of 0xffffffff leading to memory corruption when trying to shift the array contents.
```
No writeups or analysis indexed.
References:
http://lists.apple.com/archives/security-announce/2015/Dec/msg00000.html
http://lists.apple.com/archives/security-announce/2015/Dec/msg00001.html
http://lists.apple.com/archives/security-announce/2015/Dec/msg00002.html
http://lists.apple.com/archives/security-announce/2015/Dec/msg00005.html
http://www.securityfocus.com/bid/78719
http://www.securitytracker.com/id/1034344
https://support.apple.com/HT205635
https://support.apple.com/HT205637
https://support.apple.com/HT205640
https://support.apple.com/HT205641
https://www.exploit-db.com/exploits/39371/
https://www.exploit-db.com/exploits/39373/
https://www.exploit-db.com/exploits/39374/
https://www.exploit-db.com/exploits/39375/