CVE-2016-4669
Published: 2017-02-20
Priority: P348 · high · 7.8 (CVSS 3.0)
EXPLOIT
EPSS: 3.73% (88.5th percentile)
An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 is affected. tvOS before 10.0.1 is affected. watchOS before 3.1 is affected. The issue involves the "Kernel" component. It allows local users to execute arbitrary code in a privileged context or cause a denial of service (MIG code mishandling and system crash) via unspecified vectors.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios | — | — |
| apple | iphone_os | < 10.1 | 10.1 |
| apple | mac_os_x | < 10.12.1 | 10.12.1 |
| apple | macos_sierra_10.12.1_security_update_2016-002_el_capitan_and_security_update_201 | — | — |
| apple | tvos | < 10.0.1 | 10.0.1 |
| apple | tvos | — | — |
| apple | watchos | < 3.1 | 3.1 |
| apple | watchos | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
Apple
CVE-2016-4669 [HIGH]: iOS 10.1
Source: vendor_apple · 2016-10-24 · CVSS 7.8
Apple Security Update: About the security content of iOS 10.1
Product: iOS
Version: 10.1
CVE: CVE-2016-4669
Component: Kernel
Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel
Description: Multiple input validation issues existed in MIG generated code. These issues were addressed through improved validation.
Apple
CVE-2016-4669 [HIGH]: watchOS 3.1
Source: vendor_apple · 2016-10-24 · CVSS 7.8
Apple Security Update: About the security content of watchOS 3.1
Product: watchOS
Version: 3.1
CVE: CVE-2016-4669
Component: Kernel
Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel
Description: Multiple input validation issues existed in MIG generated code. These issues were addressed through improved validation.
Apple
CVE-2016-4669 [HIGH]: tvOS 10.0.1
Source: vendor_apple · 2016-10-24 · CVSS 7.8
Apple Security Update: About the security content of tvOS 10.0.1
Product: tvOS
Version: 10.0.1
CVE: CVE-2016-4669
Component: System Boot
Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel
Description: Multiple input validation issues existed in MIG generated code. These issues were addressed through improved validation.
Apple
CVE-2016-4669 [HIGH]: macOS Sierra 10.12.1, Security Update 2016-002 El Capitan, and Security Update 2016-006 Yosemite
Source: vendor_apple · 2016-10-24 · CVSS 7.8
Apple Security Update: About the security content of macOS Sierra 10.12.1, Security Update 2016-002 El Capitan, and Security Update 2016-006 Yosemite
Product: macOS Sierra 10.12.1, Security Update 2016-002 El Capitan, and Security Update 2016-006 Yosemite
CVE: CVE-2016-4669
Component: Kernel
Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel
Description: Multiple input validation issues existed in MIG generated code. These issues were addressed through improved validation.
GHSA
GHSA-q94r-c3hr-hh25 [HIGH] (CWE-20): An issue was discovered in certain Apple products
Source: ghsa_unreviewed · 2022-05-13
An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 is affected. tvOS before 10.0.1 is affected. watchOS before 3.1 is affected. The issue involves the "Kernel" component. It allows local users to execute arbitrary code in a privileged context or cause a denial of service (MIG code mishandling and system crash) via unspecified vectors.
No detection rules found.
Exploit-DB
Apple OS X/iOS - 'mach_ports_register' Multiple Memory Safety s
Source: exploitdb · 2016-10-31
---
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=882
mach_ports_register is a kernel task port MIG method. It's defined in MIG like this:

```mig
routine mach_ports_register(
        target_task   : task_t;
        init_port_set : mach_port_array_t =
                        ^array[] of mach_port_t);
```

Looking at the generated code for this we notice something kinda weird; here's the mach message structure which actually gets sent:

```c
typedef struct {
    mach_msg_header_t Head;
    // start of the kernel processed data
    mach_msg_body_t msgh_body;
    mach_msg_ool_ports_descriptor_t init_port_set;
    // end of the kernel processed data
    NDR_record_t NDR;
    mach_msg_type_number_t init_port_setCnt;
} Request __attribute__((unused));
```
The message contains an OOL ports descrip
Metasploit
Safari Webkit JIT Exploit for iOS 7.1.2 [HIGH]
Source: metasploit · CVSS 7.8
This module exploits a JIT optimization bug in Safari Webkit. This allows us to write shellcode to an RWX memory section in JavaScriptCore and execute it. The shellcode contains a kernel exploit (CVE-2016-4669) that obtains kernel rw, obtains root and disables code signing. Finally we download and execute the meterpreter payload. This module has been tested against iOS 7.1.2 on an iPhone 4.
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/158874/Safari-Webkit-For-iOS-7.1.2-JIT-Optimization-Bug.html
- http://www.securityfocus.com/bid/93849
- http://www.securitytracker.com/id/1037086
- https://support.apple.com/HT207269
- https://support.apple.com/HT207270
- https://support.apple.com/HT207271
- https://support.apple.com/HT207275
- https://www.exploit-db.com/exploits/40654/