CVE-2016-1757
published 2016-03-24


Priority: P3 (48, high) · CVSS 3.0: 7.0 (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 12.67% (95.8th percentile)
Race condition in the kernel in Apple iOS before 9.3 and OS X before 10.11.4 allows attackers to execute arbitrary code in a privileged context via a crafted app.

Affected (4 ranges)

Vendor  Product                                                Version range  Fixed in
apple   ios
apple   iphone_os                                              <= 9.2.1
apple   mac_os_x                                               <= 10.11.3
apple   os_x_el_capitan_v10.11.4_and_security_update_2016-002

Detection & IOCs (extracted from sources)

path: /usr/sbin/traceroute6
path: /bin/zsh
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39595.zip
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40669.zip
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39741.zip
path: /bin/ps
path: /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/system_shove
filename: mach_race_server
filename: mach_race_client
  • Monitor for processes using mach_vm_region, mach_vm_protect, and mach_vm_write Mach APIs against a task port of a SUID-root binary during its exec window — this is the core exploitation primitive for CVE-2016-1757.
  • Detect a process registering a port with launchd (bootstrap_register2) and then forking a child that immediately execve's a SUID-root binary — this is the exploit setup pattern used by mach_race.
  • Alert on rapid repeated execve calls to SUID binaries (e.g. loop of 0–1000000 iterations) from the same parent process, which is the brute-force timing pattern used to win the race window.
  • Detect use of task_threads Mach trap against a task port that has just executed a SUID binary — the exploit races task_threads to obtain a thread port for an euid 0 process.
  • Look for processes spawning /bin/zsh (not /bin/bash) as a child of a SUID-root binary execution — the shellcode deliberately targets zsh because bash drops privileges.
  • The exploit race window exists between swap_task_map and ipc_port_dealloc_kernel; kernel telemetry or kext-based monitoring of ipc_task_reset timing relative to vm_map swap can identify exploitation attempts.
  • Flag use of bootstrap_register2 followed immediately by fork+execve of a SUID binary as a suspicious exploit pattern; note that chaining the exploit fails on second run because the service name is already registered with launchd.
  • The race window is tight and exploitation requires multiple attempts; detection based on a single execve event may miss the attack — look for high-frequency repeated execve calls to the same SUID binary.
  • The PoC exploit (39595) is hardcoded for traceroute6 on OS X 10.11.2 specifically; real-world variants would target different SUID binaries and OS versions.
  • The faster exploit (40669) also defeats mitigations shipped in macOS 10.12 and should work for all kernel versions <= 10.12; patching to 10.11.4 / iOS 9.3 is required for the original CVE-2016-1757 fix, but the broader task_t class of bugs required additional fixes.
  • The mach_race exploit (39741) was tested on Mavericks 10.10.5, Yosemite 10.10.5, El Capitan 10.11.2 and 10.11.3; older OS X versions may require bootstrap_create_server instead of bootstrap_register2.
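As an added example that is not part of this record or of any exploit it cites, here is a small Python detector for the high-frequency repeated-execve pattern described in the notes above: one parent process exec'ing the same SUID-root binary many times within a short window. The event format, sample events, process ids and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque


def make_sample_events():
    """Constructed process-exec events: (ts_seconds, ppid, pid, path, suid_root)."""
    events = []
    # Benign: one parent runs a SUID helper every 10 seconds.
    for i in range(6):
        events.append((1000.0 + 10 * i, 1000, 2000 + i, "/usr/bin/sudo", True))
    # Benign: a build job spawning a non-SUID tool rapidly.
    for i in range(60):
        events.append((1200.0 + 0.01 * i, 3000, 4000 + i, "/usr/bin/clang", False))
    # Suspicious: one parent execs the same SUID-root binary 50 times in 0.5 s,
    # the brute-force timing pattern the detection notes describe.
    for i in range(50):
        events.append((1300.0 + 0.01 * i, 4242, 5000 + i, "/usr/sbin/traceroute6", True))
    return events


def find_execve_bursts(events, threshold=20, window=1.0):
    """Return {(ppid, path): peak_count} for parents that exec the same SUID-root
    binary at least `threshold` times within any `window`-second span."""
    recent = defaultdict(deque)  # (ppid, path) -> timestamps in the sliding window
    hits = {}
    for ts, ppid, _pid, path, suid_root in sorted(events):
        if not suid_root:
            continue  # only SUID-root targets matter for this pattern
        key = (ppid, path)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop events older than the window
        if len(q) >= threshold:
            hits[key] = max(hits.get(key, 0), len(q))
    return hits


if __name__ == "__main__":
    for (ppid, path), n in find_execve_bursts(make_sample_events()).items():
        print(f"ALERT ppid={ppid} exec'd {path} {n} times within 1 s")
```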

CVSS provenance

NVD v3.0: 7.0 HIGH (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
NVD v2.0: 9.3 CRITICAL (AV:N/AC:M/Au:N/C:C/I:C/A:C)