CVE-2016-4625
Published: 2016-07-22
Use-after-free vulnerability in IOSurface in Apple OS X before 10.11.6 allows local users to gain privileges via unspecified vectors.
Priority: P3 47 · high · CVSS 3.0: 7.8 (AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
EXPLOIT
EPSS: 1.90% (77.1st percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | <= 10.11.5 | — |
| apple | os_x_el_capitan_v10.11.6_and_security_update_2016-004 | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
GHSA
GHSA-92px-prx4-pm8c: Use-after-free vulnerability in IOSurface in Apple OS X before 10
ghsa_unreviewed · 2022-05-17 · HIGH · CWE-416
Use-after-free vulnerability in IOSurface in Apple OS X before 10.11.6 allows local users to gain privileges via unspecified vectors.
Apple
CVE-2016-4625: OS X El Capitan v10.11.6 and Security Update 2016-004
vendor_apple · 2016-07-18 · CVSS 7.8 · HIGH
Apple Security Update: About the security content of OS X El Capitan v10.11.6 and Security Update 2016-004
Product: OS X El Capitan v10.11.6 and Security Update 2016-004
CVE: CVE-2016-4625
Component: IOSurface
Impact: A local user may be able to execute arbitrary code with kernel privileges
Description: A use-after-free was addressed through improved memory management.
No detection rules found.
Exploit-DB
Apple OS X/iOS Kernel - IOSurface Use-After-Free
exploitdb · 2016-10-31
---
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=831
IOSurfaceRootUserClient stores a task struct pointer (passed in via IOServiceOpen) in the field at +0xf0 without taking a reference. By killing the corresponding task we can free this pointer, leaving the user client with a dangling pointer. We can get this pointer used by calling the create_surface_fast_path external method, which will try to read and use the memory map off of the freed task struct.
This bug could be leveraged for kernel memory corruption and is reachable from interesting sandboxes including Safari and Chrome.
build: clang -o surfaceroot_uaf surfaceroot_uaf.c -framework IOKit
You should set gzalloc_min=1024 gzalloc_max=2048 or similar to actuall
Exploit-DB
Apple macOS 10.12 - 'task_t' Local Privilege Escalation
exploitdb · 2016-10-31 · CVSS 7.0 · HIGH
---
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=837
TL;DR
You cannot hold or use a task struct pointer and expect the euid of that task to stay the same. Many many places in the kernel do this and there are a great many very exploitable bugs as a result.
task_t is just a typedef for a task struct *. It's the abstraction level which represents a whole task comprised of threads and a virtual memory map.
task_t's have a corresponding mach port type (IKOT_TASK) known as a task port. The task port structure in the kernel has a pointer to the task struct which it represents. If you have send rights to a task port then you have control over its VM and, via task_threads, its threads.
When a suid-root binary is exe
No writeups or analysis indexed.
References:
- http://lists.apple.com/archives/security-announce/2016/Jul/msg00000.html
- http://www.securityfocus.com/bid/91824
- http://www.securitytracker.com/id/1036348
- https://support.apple.com/HT206903
- https://www.exploit-db.com/exploits/40653/
- https://www.exploit-db.com/exploits/40669/