CVE-2016-7617
Published 2017-02-20
PriorityP346high7.8CVSS 3.0
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 5.09% (91.3rd percentile)
An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "Bluetooth" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (type confusion) via a crafted app.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | <= 10.12.1 | — |
| apple | macos_sierra_10.12.2_security_update_2016-003_el_capitan_and_security_update_201 | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
Apple
CVE-2016-7617: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
vendor_apple·2016-12-13·CVSS 7.8
Apple Security Update: About the security content of macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
Product: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
CVE: CVE-2016-7617
Component: Bluetooth
Impact: An application may be able to execute arbitrary code with system privileges
Description: A type confusion issue was addressed through improved memory handling.
GHSA
GHSA-w5r2-9qpc-hqgh: An issue was discovered in certain Apple products
ghsa_unreviewed·2022-05-17·HIGH·CWE-704
An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "Bluetooth" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (type confusion) via a crafted app.
No detection rules found.
Exploit-DB
Apple macOS Sierra 10.12.1 - 'physmem' Local Privilege Escalation
exploitdb·2017-01-16·CVSS 7.8
---
## physmem
physmem is a physical memory inspection tool and local privilege escalation targeting macOS up
through 10.12.1. It exploits either [CVE-2016-1825] or [CVE-2016-7617] depending on the deployment
target. These two vulnerabilities are nearly identical, and exploitation can be done exactly the
same. They were patched in OS X El Capitan [10.11.5] and macOS Sierra [10.12.2], respectively.
[CVE-2016-1825]: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1825
[CVE-2016-7617]: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-7617
[10.11.5]: https://support.apple.com/en-us/HT206567
[10.12.2]: https://support.apple.com/en-us/HT207423
Because these are logic bugs, exploitation is incredibly reliable.
Exploit-DB
Apple macOS 10.12.1 Kernel - Writable Privileged IOKit Registry Properties Code Execution
exploitdb·2016-12-22
---
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=974
There are two ways for IOServices to define their IOUserClient classes: they can
override IOService::newUserClient and allocate the correct type themselves
or they can set the IOUserClientClass key in their registry entry.
The default implementation of IOService::newUserClient does this:
IOReturn IOService::newUserClient( task_t owningTask, void * securityID,
UInt32 type, OSDictionary * properties,
IOUserClient ** handler )
{
const OSSymbol *userClientClass = 0;
IOUserClient *client;
OSObject *temp;
if (kIOReturnSuccess == newUserClient( owningTask, securityID, type, handler ))
return kIOReturnSuccess;
// First try my
Sentinelone
Privilege Escalation | macOS Malware & The Path to Root Part 1 - SentinelLabs
blogs_sentinelone·2019-11-06
In this two-part series, we take a look at privilege escalation on macOS. In Part 1, we look at some of the vulnerabilities that have been discovered by security researchers in recent versions of Apple’s Desktop OS, focusing on those that have been turned into reliable exploits. We draw conclusions for enterprise and end users alike based on this review. In Part 2, we switch from researchers to attackers and explore both how and why the methodology of macOS threat actors takes quite a different path from that of the research community.
## What is Privilege Escalation?
Let’s start by defining our terms. Whenever code executes, it does so within the context of a user who invokes it. Technically, users need not always actually be people, but for our purposes here we’ll stick to the simple c
References:
- http://www.securityfocus.com/bid/94903
- http://www.securitytracker.com/id/1037469
- https://support.apple.com/HT207423
- https://www.exploit-db.com/exploits/40952/
Published: 2017-02-20