CVE-2016-7633
Published 2017-02-20
Priority: P3 · 39 · high · 7.8 (CVSS 3.0)
EPSS: 1.27% (66.3rd percentile)
An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "Directory Services" component. It allows local users to gain privileges or cause a denial of service (use-after-free) via unspecified vectors.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | <= 10.12.1 | — |
| apple | macos_sierra_10.12.2_security_update_2016-003_el_capitan_and_security_update_201 | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
GHSA
GHSA-rp3x-rw3h-pw48: An issue was discovered in certain Apple products
ghsa_unreviewed · 2022-05-17 · CVE-2016-7633 [HIGH] · CWE-416
An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "Directory Services" component. It allows local users to gain privileges or cause a denial of service (use-after-free) via unspecified vectors.
Apple
CVE-2016-7633 [HIGH]: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
vendor_apple · 2016-12-13 · CVSS 7.8
Apple Security Update: About the security content of macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
Product: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
CVE: CVE-2016-7633
Component: Directory Services
Impact: A local user may be able to gain root privileges
Description: A use after free issue was addressed through improved memory management.
No detection rules found.
Exploit-DB
CVE-2019-6225 [HIGH]: iOS/macOS - 'task_swap_mach_voucher()' Use-After-Free
exploitdb · 2019-01-25 · CVSS 7.8
---
/*
* voucher_swap-poc.c
* Brandon Azad
*/
#if 0
iOS/macOS: task_swap_mach_voucher() does not respect MIG semantics leading to use-after-free
The dangers of not obeying MIG semantics have been well documented: see issues 926 (CVE-2016-7612),
954 (CVE-2016-7633), 1417 (CVE-2017-13861, async_wake), 1520 (CVE-2018-4139), 1529 (CVE-2018-4206),
and 1629 (no CVE), as well as CVE-2018-4280 (blanket). However, despite numerous fixes and
mitigations, MIG issues persist and offer incredibly powerful exploit primitives. Part of the
problem is that MIG semantics are complicated and unintuitive and do not align well with the
kernel's abstractions.
Consider the MIG routine task_swap_mach_voucher():
routine task_swap_mach_voucher(
task : task_
Exploit-DB
CVE-2017-13861 [HIGH]: Apple macOS/iOS - Kernel Double Free due to IOSurfaceRootUserClient not Respecting MIG Ownership Rules
exploitdb · 2017-12-11 · CVSS 7.8
---
I have previously detailed the lifetime management paradigms in MIG in the writeups for:
CVE-2016-7612 [https://bugs.chromium.org/p/project-zero/issues/detail?id=926]
and
CVE-2016-7633 [https://bugs.chromium.org/p/project-zero/issues/detail?id=954]
If a MIG method returns KERN_SUCCESS it means that the method took ownership of *all* the arguments passed to it.
If a MIG method returns an error code, then it took ownership of *none* of the arguments passed to it.
If an IOKit userclient external method takes an async wake mach port argument then the lifetime of the reference
on that mach port passed to the external method will be managed by MIG semantics. If the external method retur
Exploit-DB
CVE-2016-7633: Apple macOS 10.12 - Double vm_deallocate in Userspace MIG Code Use-After-Free
exploitdb · 2016-12-22
---
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=954
Proofs of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40954.zip
Userspace MIG services often use mach_msg_server or mach_msg_server_once to implement an RPC server.
These two functions are also responsible for managing the resources associated with each message
similar to the ipc_kobject_server routine in the kernel.
If a MIG handler method returns an error code then it is assumed to not have taken ownership of any
of the resources in the message and both mach_msg_server and mach_msg_server_once will pass the message
to mach_msg_destroy:
If the message had an OOL memory descriptor it rea
No writeups or analysis indexed.
References
- http://www.securityfocus.com/bid/94903
- http://www.securitytracker.com/id/1037469
- https://support.apple.com/HT207423
- https://www.exploit-db.com/exploits/40954/
Published 2017-02-20