CVE-2016-7612
Published 2017-02-20
Priority P3 · 48 · high · 7.8 (CVSS 3.0)
CVSS 3.0 vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: EPSS 4.23% (89.8th percentile)
An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios | — | — |
| apple | iphone_os | <= 10.1.1 | — |
| apple | mac_os_x | <= 10.12.1 | — |
| apple | macos_sierra_10.12.2_security_update_2016-003_el_capitan_and_security_update_201 | — | — |
| apple | tvos | — | — |
| apple | watchos | <= 2.2.2 | — |
| apple | watchos | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
Apple · vendor_apple · 2017-01-23 · CVSS 7.8
CVE-2016-7612 [HIGH]: watchOS 3.1.3
Apple Security Update: About the security content of watchOS 3.1.3
Product: watchOS
Version: 3.1.3
CVE: CVE-2016-7612
Component: Kernel
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: Multiple memory corruption issues were addressed through improved input validation.
Apple · vendor_apple · 2016-12-13 · CVSS 7.8
CVE-2016-7612 [HIGH]: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
Apple Security Update: About the security content of macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
Product: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
CVE: CVE-2016-7612
Component: Kernel
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: Multiple memory corruption issues were addressed through improved input validation.
Apple · vendor_apple · 2016-12-12 · CVSS 7.8
CVE-2016-7612 [HIGH]: tvOS 10.1
Apple Security Update: About the security content of tvOS 10.1
Product: tvOS
Version: 10.1
CVE: CVE-2016-7612
Component: Kernel
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: Multiple memory corruption issues were addressed through improved input validation.
Apple · vendor_apple · 2016-12-12 · CVSS 7.8
CVE-2016-7612 [HIGH]: iOS 10.2
Apple Security Update: About the security content of iOS 10.2
Product: iOS
Version: 10.2
CVE: CVE-2016-7612
Component: Kernel
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: Multiple memory corruption issues were addressed through improved input validation.
GHSA · ghsa_unreviewed · 2022-05-14
CVE-2016-7612 [HIGH] CWE-119 GHSA-pp4f-g7vc-35hq: An issue was discovered in certain Apple products (description identical to the NVD text above)
No detection rules found.
Exploit-DB · exploitdb · 2019-01-25 · CVSS 7.8
CVE-2019-6225 [HIGH]: iOS/macOS - 'task_swap_mach_voucher()' Use-After-Free
---
```c
/*
 * voucher_swap-poc.c
 * Brandon Azad
 */
#if 0
iOS/macOS: task_swap_mach_voucher() does not respect MIG semantics leading to use-after-free

The dangers of not obeying MIG semantics have been well documented: see issues 926 (CVE-2016-7612),
954 (CVE-2016-7633), 1417 (CVE-2017-13861, async_wake), 1520 (CVE-2018-4139), 1529 (CVE-2018-4206),
and 1629 (no CVE), as well as CVE-2018-4280 (blanket). However, despite numerous fixes and
mitigations, MIG issues persist and offer incredibly powerful exploit primitives. Part of the
problem is that MIG semantics are complicated and unintuitive and do not align well with the
kernel's abstractions.

Consider the MIG routine task_swap_mach_voucher():

routine task_swap_mach_voucher(
task : task_
```
Exploit-DB · exploitdb · 2017-12-11 · CVSS 7.8
CVE-2017-13861 [HIGH]: Apple macOS/iOS - Kernel Double Free due to IOSurfaceRootUserClient not Respecting MIG Ownership Rules
---
I have previously detailed the lifetime management paradigms in MIG in the writeups for:
CVE-2016-7612 [https://bugs.chromium.org/p/project-zero/issues/detail?id=926]
and
CVE-2016-7633 [https://bugs.chromium.org/p/project-zero/issues/detail?id=954]
If a MIG method returns KERN_SUCCESS it means that the method took ownership of *all* the arguments passed to it.
If a MIG method returns an error code, then it took ownership of *none* of the arguments passed to it.
If an IOKit userclient external method takes an async wake mach port argument then the lifetime of the reference
on that mach port passed to the external method will be managed by MIG semantics. If the external method retur
Exploit-DB · exploitdb · 2016-12-22
CVE-2016-7612: Apple macOS < 10.12.2 / iOS < 10.2 Kernel - ipc_port_t Reference Count Leak Due to Incorrect externalMethod Overrides Use-After-Free
---
```c
    ikm_header->msgh_local_port = MACH_PORT_NULL;
    ipc_kmsg_destroy(request);
}
```
If the MIG callout returns success, then it means that the method took ownership of *all* of the rights contained in the message.
If the MIG callout returns a failure code, then it means the method took ownership of *none* of the rights contained in the message.
ipc_kmsg_free will only destroy the message header, so if the message had any other port rights then their reference counts won't be
decremented. ipc_kmsg_destroy on the other hand will decrement the reference counts for all the port rights in the message, even those
in port descriptors.
If we can find a MIG method which returns KERN_SUCCESS but doesn't in fact take ownership of any mach ports it's passed (by for example
storing them and droppi
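The ownership rule quoted in the two Exploit-DB excerpts above (success means the method owns every right in the message, failure means it owns none, and the caller picks `ipc_kmsg_free` or `ipc_kmsg_destroy` accordingly) as a toy reference-count model, added here as an illustration and not taken from the page, the writeups, or XNU. All names (`port_t`, `kmsg_t`, `kmsg_free`, `kmsg_destroy`, `dispatch`, `leaked_refs_after`) are constructed stand-ins; the audit helper returns how many references a routine leaves dangling, which is the imbalance a code review of a MIG handler or `externalMethod` override should look for.

```c
#include <stddef.h>

#define KERN_SUCCESS 0
#define KERN_FAILURE 5
#define NUM_PORTS 3

typedef struct { int refs; } port_t;                         /* toy stand-in for ipc_port_t */
typedef struct { port_t *ports[NUM_PORTS]; int n; } kmsg_t;  /* ports[0] = header right, rest = descriptors */

static void port_release(port_t *p) { if (p) p->refs--; }

/* Toy ipc_kmsg_free: only the right carried in the header is released. */
static void kmsg_free(kmsg_t *m) { port_release(m->ports[0]); }

/* Toy ipc_kmsg_destroy: every right in the message, descriptors included, is released. */
static void kmsg_destroy(kmsg_t *m) {
    for (int i = 0; i < m->n; i++) port_release(m->ports[i]);
}

typedef int (*mig_routine_t)(kmsg_t *m);

/* Caller side of the rule: success -> the routine now owns the descriptor rights, so only
   the header is cleaned up; failure -> the routine owns nothing, so destroy the whole message. */
static void dispatch(kmsg_t *m, mig_routine_t r) {
    if (r(m) == KERN_SUCCESS) kmsg_free(m); else kmsg_destroy(m);
}

/* Correct routine: consumes the descriptor rights it was given before reporting success. */
static int good_routine(kmsg_t *m) {
    for (int i = 1; i < m->n; i++) port_release(m->ports[i]);
    return KERN_SUCCESS;
}
/* Correct early-failure routine: touches nothing and leaves cleanup to the caller. */
static int failing_routine(kmsg_t *m) { (void)m; return KERN_FAILURE; }
/* The bug class the writeup describes: reports success without taking the rights. */
static int leaky_routine(kmsg_t *m) { (void)m; return KERN_SUCCESS; }

/* Audit helper: run a routine on a constructed message in which every port starts with exactly
   one reference (held by the message) and return how many references are left over.
   0 means the routine honoured the contract; anything else is a leaked reference. */
int leaked_refs_after(mig_routine_t r) {
    port_t p[NUM_PORTS] = {{1}, {1}, {1}};
    kmsg_t m = {{&p[0], &p[1], &p[2]}, NUM_PORTS};
    dispatch(&m, r);
    int leaked = 0;
    for (int i = 0; i < NUM_PORTS; i++) leaked += p[i].refs;
    return leaked;
}
```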
No writeups or analysis indexed.
References:
- http://www.securityfocus.com/bid/94905
- http://www.securitytracker.com/id/1037469
- https://support.apple.com/HT207422
- https://support.apple.com/HT207423
- https://support.apple.com/HT207487
- https://www.exploit-db.com/exploits/40955/