CVE-2016-1741
Published 2016-03-24
Priority: P2 61 · CVSS 3.0: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available (see exploit-db 39615 in the references)
EPSS: 12.15% (95.6th percentile)
The NVIDIA driver in the Graphics Drivers subsystem in Apple OS X before 10.11.4 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | <= 10.11.3 | 10.11.4 |
| apple | os_x_el_capitan_v10.11.4_and_security_update_2016-002 | — (this entry names the fixing release, not a vulnerable range) | — |
Detection & IOCs (extracted from sources)
Command: IOConnectCallMethod(conn, 0x10a, inputScalar, inputScalarCnt, inputStruct, inputStructCnt, outputScalar, &outputScalarCnt, outputStruct, &outputStructCnt)
- Monitor for IOServiceOpen calls targeting 'IOAccelerator' with user-client type 5, followed by IOConnectCallMethod invocations on that connection using selector 0x10a (nvDevice::ReleaseDeviceTexture). This is the specific attack vector for CVE-2016-1741.
- The exploit passes the crafted scalar 0x0f0f0f0f as the single uint argument to external method 0x10a. The driver masks it with 0x7FFFFFFF, which only clears the top bit and is not a bounds check, then uses it as an unchecked array index to read an object pointer and call a virtual method. Look for anomalously large or crafted index values passed to this selector.
- Exploitation requires a crafted app running locally on the machine. Privilege escalation to kernel context occurs via the NVIDIA GeForce IOAccelerator driver. Systems running OS X prior to 10.11.4 without Security Update 2016-002 are vulnerable.
- The vulnerability is in the NVIDIA GeForce IOAccelerator kernel driver on OS X only. The attack surface is limited to local apps that can open the IOAccelerator IOService; it is not remotely exploitable.
- The fix is included in OS X El Capitan v10.11.4 and Security Update 2016-002. Systems without NVIDIA graphics hardware, or without the GeForce IOAccelerator kext loaded, are not affected.
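The following Python is an added example, not code from the original page, the exploit-db entry or any vendor tool. It sketches the correlation the notes above describe: tie an IOServiceOpen on 'IOAccelerator' with user-client type 5 to later IOConnectCallMethod calls on the same connection, reproduce the driver's 0x7FFFFFFF mask, and flag selector 0x10a when the masked index is implausibly large. The one-line-per-call trace format, its field names and the 4096-slot plausibility bound are assumptions; the sample trace is constructed.

```python
"""Flag the CVE-2016-1741 trigger pattern in an IOKit call trace.

Added example, not code from the original page, the exploit-db entry or any
vendor tool. The trace format (one line per IOServiceOpen / IOConnectCallMethod,
as a user-space hook or dtrace script might emit it), the field names and the
plausible-slot bound are assumptions made for this example.
"""
import re
from dataclasses import dataclass

IOACCEL_SERVICE = "IOAccelerator"   # service name from the IOC note
IOACCEL_CLIENT_TYPE = 5             # user-client type from the IOC note
RELEASE_TEXTURE_SEL = 0x10A         # nvDevice::ReleaseDeviceTexture selector
INDEX_MASK = 0x7FFFFFFF             # mask the driver applies before indexing
MAX_PLAUSIBLE_SLOTS = 4096          # assumption: no legitimate texture table is larger

OPEN_RE = re.compile(
    r"pid=(\d+) IOServiceOpen service=(\S+) type=(\d+) conn=(0x[0-9a-fA-F]+)")
CALL_RE = re.compile(
    r"pid=(\d+) IOConnectCallMethod conn=(0x[0-9a-fA-F]+) "
    r"selector=(0x[0-9a-fA-F]+) scalar0=(0x[0-9a-fA-F]+)")


@dataclass
class Alert:
    pid: int
    conn: int
    raw_scalar: int
    masked_index: int
    reason: str


def masked_index(scalar: int) -> int:
    """Reproduce the driver's masking: it clears bit 31 and nothing else,
    so it is not a bounds check (0x0f0f0f0f survives unchanged)."""
    return scalar & INDEX_MASK


def scan(lines):
    """Correlate opens and calls per (pid, connection) and return alerts for
    selector 0x10a calls on an IOAccelerator type-5 client whose masked
    index is far beyond any plausible texture table."""
    clients = {}   # (pid, conn) -> (service, user-client type)
    alerts = []
    for line in lines:
        m = OPEN_RE.search(line)
        if m:
            pid, service, ctype, conn = int(m[1]), m[2], int(m[3]), int(m[4], 16)
            clients[(pid, conn)] = (service, ctype)
            continue
        m = CALL_RE.search(line)
        if not m:
            continue
        pid, conn = int(m[1]), int(m[2], 16)
        selector, scalar = int(m[3], 16), int(m[4], 16)
        if clients.get((pid, conn)) != (IOACCEL_SERVICE, IOACCEL_CLIENT_TYPE):
            continue   # other services or other IOAccelerator client types are not this vector
        if selector != RELEASE_TEXTURE_SEL:
            continue
        idx = masked_index(scalar)
        if idx >= MAX_PLAUSIBLE_SLOTS:
            alerts.append(Alert(pid, conn, scalar, idx,
                                f"selector 0x10a with out-of-range texture index {idx:#x}"))
    return alerts


# Constructed sample trace: a benign release, the crafted value from the IOC
# note, a sign-bit-set value that the mask does not neutralise, and two calls
# on connections that are not IOAccelerator type-5 clients.
SAMPLE_TRACE = [
    "pid=501 IOServiceOpen service=IOAccelerator type=5 conn=0x1b03",
    "pid=501 IOConnectCallMethod conn=0x1b03 selector=0x10a scalar0=0x3",
    "pid=742 IOServiceOpen service=IOAccelerator type=5 conn=0x2207",
    "pid=742 IOConnectCallMethod conn=0x2207 selector=0x10a scalar0=0x0f0f0f0f",
    "pid=742 IOConnectCallMethod conn=0x2207 selector=0x10a scalar0=0xffffffff",
    "pid=900 IOServiceOpen service=IOAccelerator type=2 conn=0x3301",
    "pid=900 IOConnectCallMethod conn=0x3301 selector=0x10a scalar0=0x0f0f0f0f",
    "pid=901 IOServiceOpen service=IOSurfaceRoot type=0 conn=0x3401",
    "pid=901 IOConnectCallMethod conn=0x3401 selector=0x10a scalar0=0x0f0f0f0f",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_TRACE):
        print(f"pid {a.pid} conn {a.conn:#x}: {a.reason} (raw {a.raw_scalar:#x})")
```

The correlation on (pid, connection) matters: selector 0x10a on a different service, or on a different IOAccelerator user-client type, dispatches to a different external method and is not this bug. The plausibility bound is a heuristic; a real deployment would take it from the driver's actual table size.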
CVSS provenance
NVD v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
Both NVD vectors score the attack vector as network (AV:N), yet the description and the detection notes above require a crafted app running locally on the affected machine; for prioritisation treat the effective attack vector as local.
GHSA
GHSA-7qxp-rcgw-7whv (ghsa_unreviewed, 2022-05-17): CVE-2016-1741, CRITICAL, CWE-119. Description identical to the NVD text above.
Apple
Apple Security Update: About the security content of OS X El Capitan v10.11.4 and Security Update 2016-002 (vendor_apple, CVSS 9.8)
Product: OS X El Capitan v10.11.4 and Security Update 2016-002
CVE: CVE-2016-1741
Component: Graphics Drivers (NVIDIA driver)
No detection rules found.
No writeups or analysis indexed.
References
- http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html
- http://www.securitytracker.com/id/1035363
- https://support.apple.com/HT206167
- https://www.exploit-db.com/exploits/39615/