CVE-2016-1757
Published: 2016-03-24
Priority: P3 (48) · CVSS 3.0: 7.0 (high)
CVSS 3.0 vector: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: public exploit code available
EPSS: 12.67% (95.8th percentile)
Race condition in the kernel in Apple iOS before 9.3 and OS X before 10.11.4 allows attackers to execute arbitrary code in a privileged context via a crafted app.
Affected (4 ranges; fixed versions per Apple's advisories: iOS 9.3, OS X 10.11.4 / Security Update 2016-002)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios | — | 9.3 |
| apple | iphone_os | <= 9.2.1 | 9.3 |
| apple | mac_os_x | <= 10.11.3 | 10.11.4 |
| apple | os_x_el_capitan_v10.11.4_and_security_update_2016-002 | — | — |
Detection & IOCs (extracted from the sources indexed below)
- Monitor for processes calling the mach_vm_region, mach_vm_protect and mach_vm_write Mach APIs against the task port of a SUID-root binary during its exec window; this is the core exploitation primitive for CVE-2016-1757.
- Detect a process registering a port with launchd (bootstrap_register2) and then forking a child that immediately execve's a SUID-root binary; this is the setup pattern used by mach_race.
- Alert on rapid, repeated execve calls to the same SUID binary (e.g. a loop of 0–1000000 iterations) from one parent process; this is the brute-force timing pattern used to win the race window.
- Detect use of task_threads (a MIG call on the task port, not a Mach trap) against a task port whose task has just executed a SUID binary; the exploit races task_threads to obtain a thread port for an euid 0 process.
- Look for /bin/zsh (not /bin/bash) spawned as a child of a SUID-root binary; the shellcode deliberately targets zsh because bash drops privileges when euid differs from uid.
- The race window lies between swap_task_map and ipc_port_dealloc_kernel; kernel telemetry or kext-based monitoring of ipc_task_reset timing relative to the vm_map swap can identify exploitation attempts.
- Flag bootstrap_register2 followed immediately by fork+execve of a SUID binary as a suspicious exploit pattern; note that chaining the exploit fails on a second run because the service name is already registered with launchd.
- The race window is tight and exploitation requires many attempts; detection based on a single execve event will miss the attack, so look for high-frequency repeated execve calls to the same SUID binary.
- The PoC exploit (EDB 39595) is hardcoded for traceroute6 on OS X 10.11.2 specifically; real-world variants would target different SUID binaries and OS versions.
- The faster exploit (EDB 40669) also defeats the mitigations shipped in macOS 10.12 and should work for all kernel versions <= 10.12; 10.11.4 / iOS 9.3 carry the original CVE-2016-1757 fix, but the broader task_t class of bugs required additional fixes.
- The mach_race exploit (EDB 39741) was tested on Mavericks 10.9.5, Yosemite 10.10.5, and El Capitan 10.11.2 and 10.11.3; older OS X versions may require bootstrap_create_server instead of bootstrap_register2.
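The detection bullets above, turned into three rules run over process telemetry. This is an added example, not code from the page or from any of the cited exploits or advisories. The event format (`<timestamp> <pid> <ppid> <event> [<arg> ...]`), the event names, the `target=<pid>` argument, the SUID allowlist and the sample lines are all constructed assumptions; adapt the parser to whatever your EDR or Endpoint Security feed actually emits.

```python
"""Added example: CVE-2016-1757 exploitation pattern over constructed process telemetry.

Hypothetical event format, one event per line:
    <timestamp> <pid> <ppid> <event> [<arg> ...]
Events used: bootstrap_register2 <service>, fork <childpid>, execve <path>,
and the task-port calls mach_vm_region / mach_vm_protect / mach_vm_write /
task_threads with a target=<pid> argument.
"""
from collections import defaultdict, deque

# Constructed allowlist of SUID-root paths named on the page (ps, traceroute6).
SUID_ROOT = {"/bin/ps", "/usr/sbin/traceroute6"}
# Mach calls that only make sense against a task port you hold a send right to.
TASK_PORT_APIS = {"mach_vm_region", "mach_vm_protect", "mach_vm_write", "task_threads"}


def parse(lines):
    """Turn telemetry lines into (ts, pid, ppid, event, args) tuples sorted by time."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        events.append((float(parts[0]), int(parts[1]), int(parts[2]), parts[3], parts[4:]))
    events.sort(key=lambda e: e[0])
    return events


def repeated_suid_exec(events, threshold=20, window=1.0):
    """Brute-force pattern: >= threshold execve() of one SUID-root path by
    children of the same parent inside `window` seconds (the client loop)."""
    recent, fired, alerts = defaultdict(deque), set(), []
    for ts, pid, ppid, ev, args in events:
        if ev != "execve" or not args or args[0] not in SUID_ROOT:
            continue
        key = (ppid, args[0])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:          # slide the window forward
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append(key)
    return alerts


def register_then_suid_exec(events, max_gap=2.0):
    """Setup pattern: a process registers a launchd service (bootstrap_register2)
    and a child of it execs a SUID-root binary within max_gap seconds."""
    registered, alerts = {}, []
    for ts, pid, ppid, ev, args in events:
        if ev == "bootstrap_register2" and args:
            registered[pid] = (ts, args[0])
        elif ev == "execve" and args and args[0] in SUID_ROOT and ppid in registered:
            reg_ts, service = registered[ppid]
            hit = (ppid, service, args[0])
            if ts - reg_ts <= max_gap and hit not in alerts:
                alerts.append(hit)
    return alerts


def task_port_abuse(events, window=0.5):
    """Core primitive: a task-port Mach call aimed at a pid that exec'd a
    SUID-root binary moments ago (the stale task port race window)."""
    last_suid_exec, alerts = {}, []
    for ts, pid, ppid, ev, args in events:
        if ev == "execve" and args and args[0] in SUID_ROOT:
            last_suid_exec[pid] = ts
        elif ev in TASK_PORT_APIS and args and args[0].startswith("target="):
            target = int(args[0].split("=", 1)[1])
            if target in last_suid_exec and 0 <= ts - last_suid_exec[target] <= window:
                alerts.append((pid, ev, target))
    return alerts


def sample_telemetry():
    """Constructed sample: pid 500 plays mach_race_server (registers a service,
    forks 25 clients that exec /bin/ps, pokes the first child's task port);
    pid 700 is one benign ps; pid 800 inspects 700 long after its exec."""
    lines = ["0.000 500 1 bootstrap_register2 com.example.mach_race"]
    for i in range(25):
        child, ts = 501 + i, 0.010 + 0.010 * i
        lines.append(f"{ts:.3f} 500 1 fork {child}")
        lines.append(f"{ts + 0.001:.3f} {child} 500 execve /bin/ps")
    lines += [
        "0.012 500 1 mach_vm_region target=501",
        "0.013 500 1 mach_vm_write target=501",
        "0.014 500 1 task_threads target=501",
        "3.000 700 1 execve /bin/ps",
        "9.000 800 1 mach_vm_region target=700",
    ]
    return lines


if __name__ == "__main__":
    ev = parse(sample_telemetry())
    for rule in (repeated_suid_exec, register_then_suid_exec, task_port_abuse):
        print(rule.__name__, rule(ev))
```

The three rules are deliberately independent so each can be tuned on its own: the exec-burst rule is noisy on build systems that fork many SUID helpers, the register-then-exec rule is the most specific to mach_race, and the task-port rule is the one worth keeping even after patching, since any process touching the task port of a freshly exec'd SUID binary has no legitimate reason to do so. The benign pid 800 in the sample shows why the time window matters: a debugger attaching seconds later is not the race.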
CVSS provenance
- NVD v3.0: 7.0 HIGH · CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- NVD v2.0: 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
Apple advisory: OS X El Capitan v10.11.4 and Security Update 2016-002 (CVE-2016-1757, HIGH, CVSS 7.0)
Apple Security Update: About the security content of OS X El Capitan v10.11.4 and Security Update 2016-002
Product: OS X El Capitan v10.11.4 and Security Update 2016-002
Apple advisory: iOS 9.3 (CVE-2016-1757, HIGH, CVSS 7.0)
Apple Security Update: About the security content of iOS 9.3
Product: iOS 9.3
GitHub Advisory (unreviewed, 2022-05-17): GHSA-vq32-944c-qm85 (CVE-2016-1757, HIGH, CWE-362)
Race condition in the kernel in Apple iOS before 9.3 and OS X before 10.11.4 allows attackers to execute arbitrary code in a privileged context via a crafted app.
Project Zero (2016-10-01): task_t considered harmful
Posted by Ian Beer, Project Zero
This post discusses a design issue at the core of the XNU kernel which powers iOS and MacOS. Apple have shipped two iterations of mitigations followed yesterday by a large refactor in MacOS 10.12.1/iOS 10.1. We’ll look at the bugs, how they can be exploited to escape sandboxes and escalate privileges, and how we can defeat each of the mitigations. Every step is accompanied by a working exploit.
Some background on mach ports
Mach ports are multiple-sender, single-receiver message queues maintained by the kernel. Some special mach ports provide the same message-passing API to userspace but messages sent to them are handled synchronously by kernel message handlers. In this sense messages sent to these ports are quite a lot like syscalls.
Task ports a
Project Zero (2016-03-01): Race you to the kernel! (CVE-2016-1757, HIGH, CVSS 7.0)
Posted by Ian Beer of Google Project Zero
The OS X and iOS kernel code responsible for loading a setuid root binary invalidates the old task port after first swapping the new virtual memory map pointer into the old task object, leaving a short race window where you can manipulate the memory of an euid 0 process before the old task port is invalidated. Going a step further, this also allows you to gain any entitlement and, on OS X, load an unsigned kernel extension.
I reported this bug to Apple on December 16th 2015 and it was patched in OS X 10.11.4/iOS 9.3 as CVE-2016-1757. For more technical details see the original bug report where you can also grab the updated exploit.
Task Ports
If you’ve ever tried to use ptrace on OS X you were probably sorely disappointed. Whilst the sysc
No detection rules found.
Exploit-DB (2016-10-31): Apple macOS 10.12 - 'task_t' Local Privilege Escalation (indexed under CVE-2016-4625, HIGH, CVSS 7.0)
---
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=837
TL;DR
you cannot hold or use a task struct pointer and expect the euid of that task to stay the same.
Many many places in the kernel do this and there are a great many very exploitable bugs as a result.
task_t is just a typedef for a task struct *. It's the abstraction level which represents a whole task
comprised of threads and a virtual memory map.
task_t's have a corresponding mach port type (IKOT_TASK) known as a task port. The task port structure
in the kernel has a pointer to the task struct which it represents. If you have send rights to a task port then
you have control over its VM and, via task_threads, its threads.
When a suid-root binary is exe
Exploit-DB (2016-04-27): Mach Race OSX - Local Privilege Escalation (CVE-2016-1757, HIGH, CVSS 7.0)
---
Source: https://github.com/gdbinit/mach_race
Mach Race OS X Local Privilege Escalation Exploit
(c) fG! 2015, 2016, [email protected] - https://reverse.put.as
A SUID, SIP, and binary entitlements universal OS X exploit (CVE-2016-1757).
Usage against a SUID binary (the server registers the service and waits; the client loop repeatedly execs the target until the race is won):
./mach_race_server /bin/ps _compat_mode
for i in $(seq 0 1000000); do ./mach_race_client /bin/ps; done
Against an entitled binary to bypass SIP:
./mach_race_server /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/system_shove _geteuid
for i in $(seq 0 1000000); do ./mach_race_client /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/system_shove; done
Note: because the service name is not modified you can't chain this exploit fro
Exploit-DB (2016-03-23): Apple Mac OSX / iOS - SUID Binary Logic Error Kernel Code Execution (CVE-2016-1757)
---
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=676
tl;dr
The code responsible for loading a suid-binary following a call to the execve syscall invalidates
the task port after first swapping the new vm_map into the old task object leaving a short race window
where we can manipulate the memory of the euid(0) process before the old task port is destroyed.
__mac_execve calls exec_activate_image which calls exec_mach_imgact via the image activator table execsw.
If we were called from a regular execve (not after a vfork or via posix_spawn) then this calls load_machfile
with a NULL map argument indicating to load_machfile that it should create a new vm_map for this process:
if (new_map == VM_MAP_NULL
No writeups or analysis indexed.
References
- http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html
- http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html
- http://www.securitytracker.com/id/1035353
- https://bugs.chromium.org/p/project-zero/issues/detail?id=676
- https://support.apple.com/HT206166
- https://support.apple.com/HT206167
- https://www.exploit-db.com/exploits/39595/
- https://www.exploit-db.com/exploits/39741/