CVE-2016-7637
published 2017-02-20CVE-2016-7637: An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue…
PriorityP341high7.8CVSS 3.0
AVLACLPRLUINSUCHIHAH
EXPLOIT
EPSS
1.11%
61.8th percentile
An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "Kernel" component. It allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios | — | — |
| apple | iphone_os | <= 10.1.1 | — |
| apple | mac_os_x | <= 10.12.1 | — |
| apple | macos_sierra_10.12.2_security_update_2016-003_el_capitan_and_security_update_201 | — | — |
| apple | tvos | — | — |
| apple | watchos | <= 2.2.2 | — |
| apple | watchos | — | — |
CVSS provenance
nvdv3.07.8HIGHCVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.2HIGHAV:L/AC:L/Au:N/C:C/I:C/A:C
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-mv89-3g3x-39qf: An issue was discovered in certain Apple products
ghsa_unreviewed·2022-05-14
CVE-2016-7637 [HIGH] CWE-119 GHSA-mv89-3g3x-39qf: An issue was discovered in certain Apple products
An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "Kernel" component. It allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors.
Apple
CVE-2016-7637: watchOS 3.1.3
vendor_apple·2017-01-23·CVSS 7.8
CVE-2016-7637 [HIGH] CVE-2016-7637: watchOS 3.1.3
Apple Security Update: About the security content of watchOS 3.1.3
Product: watchOS
Version: 3.1.3
CVE: CVE-2016-7637
Component: Kernel
Impact: A local user may be able to gain root privileges
Description: A memory corruption issue was addressed through improved input validation.
Apple
CVE-2016-7637: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
vendor_apple·2016-12-13·CVSS 7.8
CVE-2016-7637 [HIGH] CVE-2016-7637: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
Apple Security Update: About the security content of macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
Product: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
CVE: CVE-2016-7637
Component: Kernel
Impact: A local user may be able to gain root privileges
Description: A memory corruption issue was addressed through improved input validation.
Apple
CVE-2016-7637: iOS 10.2
vendor_apple·2016-12-12·CVSS 7.8
CVE-2016-7637 [HIGH] CVE-2016-7637: iOS 10.2
Apple Security Update: About the security content of iOS 10.2
Product: iOS
Version: 10.2
CVE: CVE-2016-7637
Component: Kernel
Impact: A local user may be able to gain root privileges
Description: A memory corruption issue was addressed through improved input validation.
Apple
CVE-2016-7637: tvOS 10.1
vendor_apple·2016-12-12·CVSS 7.8
CVE-2016-7637 [HIGH] CVE-2016-7637: tvOS 10.1
Apple Security Update: About the security content of tvOS 10.1
Product: tvOS
Version: 10.1
CVE: CVE-2016-7637
Component: Kernel
Impact: A local user may be able to gain root privileges
Description: A memory corruption issue was addressed through improved input validation.
No detection rules found.
Exploit-DB
Apple macOS < 10.12.2 / iOS < 10.2 - Broken Kernel Mach Port Name uref Handling Privileged Port Name Replacement Privilege Escalation
exploitdb·2016-12-22
CVE-2016-7637 Apple macOS < 10.12.2 / iOS < 10.2 - Broken Kernel Mach Port Name uref Handling Privileged Port Name Replacement Privilege Escalation
Apple macOS ip_srights > 0);
if (bits & MACH_PORT_TYPE_SEND) {
mach_port_urefs_t urefs = IE_BITS_UREFS(bits);
assert(port->ip_srights > 1);
assert(urefs > 0);
assert(urefs ip_srights--;
ip_unlock(port);
ip_release(port);
return KERN_SUCCESS;
}
ip_unlock(port);
return KERN_UREFS_OVERFLOW;
}
port->ip_srights--;
ip_unlock(port);
ip_release(port);
...
entry->ie_bits = (bits | MACH_PORT_TYPE_SEND) + 1; ool_ports;
ports = (mach_port_t *) dsc->address;
for (j = 0; j count; j++, ports++) {
mach_msg_destroy_port(*ports, dsc->disposition); // calls mach_port_deallocate
}
...
This will call mach_port_deallocate for each ool_port name received.
If we send such a service a mach message with eg 0x20000 copies of the same port right as ool ports the ipc_entry for that name will actually only have
Exploit-DB
Apple macOS 10.12 16A323 XNU Kernel / iOS 10.1.1 - 'set_dp_control_port' Lack of Locking Use-After-Free
exploitdb·2016-12-16
CVE-2016-7661 Apple macOS 10.12 16A323 XNU Kernel / iOS 10.1.1 - 'set_dp_control_port' Lack of Locking Use-After-Free
Apple macOS 10.12 16A323 XNU Kernel / iOS 10.1.1 - 'set_dp_control_port' Lack of Locking Use-After-Free
---
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=965
set_dp_control_port is a MIG method on the host_priv_port so this bug is a root->kernel escalation.
kern_return_t
set_dp_control_port(
host_priv_t host_priv,
ipc_port_t control_port)
{
if (host_priv == HOST_PRIV_NULL)
return (KERN_INVALID_HOST);
if (IP_VALID(dynamic_pager_control_port))
ipc_port_release_send(dynamic_pager_control_port);
dynamic_pager_control_port = control_port;
return KERN_SUCCESS;
}
This should be an atomic operation; there's no locking so two threads can race to see the same value for
dynamic_pager_control_port and release two references when the kernel only holds one.
This PoC triggers
No writeups or analysis indexed.
http://www.securityfocus.com/bid/94905http://www.securitytracker.com/id/1037469https://support.apple.com/HT207422https://support.apple.com/HT207423https://support.apple.com/HT207487https://www.exploit-db.com/exploits/40931/https://www.exploit-db.com/exploits/40957/http://www.securityfocus.com/bid/94905http://www.securitytracker.com/id/1037469https://support.apple.com/HT207422https://support.apple.com/HT207423https://support.apple.com/HT207487https://www.exploit-db.com/exploits/40931/https://www.exploit-db.com/exploits/40957/
2017-02-20
Published