CVE-2015-7084
Published: 2015-12-11
Priority: P3 36 · Severity: high · CVSS 2.0 base score: 7.2
CVSS 2.0 vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Exploit: EPSS 1.00% (58.3th percentile)
The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, and watchOS before 2.1 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-7083.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios | — | — |
| apple | iphone_os | <= 9.1 | — |
| apple | mac_os_x | <= 10.11.1 | — |
| apple | os_x_el_capitan_10.11.2_security_update_2015-005_yosemite_and_security_update_20 | — | — |
| apple | tvos | <= 9.0 | — |
| apple | tvos | — | — |
| apple | watchos | <= 2.0 | — |
| apple | watchos | — | — |
Apple: CVE-2015-7084: watchOS 2.1 (vendor_apple · CVSS 7.2 · HIGH)
Apple Security Update: About the security content of watchOS 2.1
Product: watchOS · Version: 2.1 · CVE: CVE-2015-7084 · Component: CVE-ID
Apple: CVE-2015-7084: OS X El Capitan 10.11.2, Security Update 2015-005 Yosemite, and Security Update 2015-008 Mavericks (vendor_apple · CVSS 7.2 · HIGH)
Apple Security Update: About the security content of OS X El Capitan 10.11.2, Security Update 2015-005 Yosemite, and Security Update 2015-008 Mavericks
Product: OS X El Capitan 10.11.2, Security Update 2015-005 Yosemite, and Security Update 2015-008 Mavericks · CVE: CVE-2015-7084 · Component: CVE-ID
Apple: CVE-2015-7084: iOS 9.2 (vendor_apple · CVSS 7.2 · HIGH)
Apple Security Update: About the security content of iOS 9.2
Product: iOS · Version: 9.2 · CVE: CVE-2015-7084 · Component: CVE-ID
Apple: CVE-2015-7084: tvOS 9.1 (vendor_apple · CVSS 7.2 · HIGH)
Apple Security Update: About the security content of tvOS 9.1
Product: tvOS · Version: 9.1 · CVE: CVE-2015-7084 · Component: CVE-ID
GHSA: GHSA-7j2w-p7wc-jm84: The kernel in Apple iOS before 9 (ghsa_unreviewed · 2022-05-14 · CVSS 7.2 · HIGH · CWE-119 · CVE-2015-7083)
The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, and watchOS before 2.1 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-7084.
GHSA: GHSA-q2p3-q7m8-cm24: The kernel in Apple iOS before 9 (ghsa_unreviewed · 2022-05-14 · CVSS 7.2 · HIGH · CWE-119 · CVE-2015-7084)
The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, and watchOS before 2.1 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-7083.
No detection rules found.
Exploit-DB: Apple Mac OSX / iOS - Unsandboxable Kernel Code Execution Due to iokit Double Release in IOKit (exploitdb · 2016-01-28 · CVE-2015-7084)
---
Source: https://code.google.com/p/google-security-research/issues/detail?id=620
I wanted to demonstrate that these iOS/OS X kernel race conditions really are exploitable, so here's a PoC which gets RIP on OS X. The same techniques should transfer smoothly to iOS :)
The bug is here:

```c
void IORegistryIterator::reset( void )
{
    while( exitEntry())
    {}

    if( done) {
        done->release();
        done = 0;
    }

    where->current = root;
    options &= ~kIORegistryIteratorInvalidFlag;
}
```
We can call this from userspace via the IOIteratorReset method.

`done` is an OSOrderedSet* and we only hold one reference on it; therefore we can race two threads to both see the same value of `done`: one will free it, but before it sets `done`
Exploit-DB: Apple Mac OSX / iOS Kernel - iokit Registry Iterator Manipulation Double-Free (exploitdb · 2016-01-28 · CVE-2015-7084)
---
Source: https://code.google.com/p/google-security-research/issues/detail?id=598
The userspace MIG wrapper IORegistryIteratorExitEntry invokes the following kernel function:

```c
kern_return_t is_io_registry_iterator_exit_entry(
    io_object_t iterator )
{
    bool didIt;

    CHECK( IORegistryIterator, iterator, iter );

    didIt = iter->exitEntry();

    return( didIt ? kIOReturnSuccess : kIOReturnNoDevice );
}
```
exitEntry is defined as follows:

```c
bool IORegistryIterator::exitEntry( void )
{
    IORegCursor * gone;

    if( where->iter) {
        where->iter->release();
        where->iter = 0;
        if( where->current)// && (where != &start))
            where->current->release();
    }

    if( where != &start) {
        gone = where;
        where = gone->next;
        IOFree( gone, sizeof(IOReg
```
No writeups or analysis indexed.
References:
http://lists.apple.com/archives/security-announce/2015/Dec/msg00000.html
http://lists.apple.com/archives/security-announce/2015/Dec/msg00001.html
http://lists.apple.com/archives/security-announce/2015/Dec/msg00002.html
http://lists.apple.com/archives/security-announce/2015/Dec/msg00005.html
http://www.securityfocus.com/bid/78719
http://www.securitytracker.com/id/1034344
https://support.apple.com/HT205635
https://support.apple.com/HT205637
https://support.apple.com/HT205640
https://support.apple.com/HT205641
https://www.exploit-db.com/exploits/39357/
https://www.exploit-db.com/exploits/39366/