CVE-2016-7661
published 2017-02-20CVE-2016-7661: An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. The issue involves the "Power Management"…
PriorityP341high7.8CVSS 3.0
AVLACLPRLUINSUCHIHAH
EXPLOIT
EPSS
1.11%
61.8th percentile
An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. The issue involves the "Power Management" component. It allows local users to gain privileges via unspecified vectors related to Mach port name references.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios | — | — |
| apple | iphone_os | <= 10.1.1 | — |
| apple | mac_os_x | <= 10.12.1 | — |
| apple | macos_sierra_10.12.2_security_update_2016-003_el_capitan_and_security_update_201 | — | — |
| apple | tvos | — | — |
CVSS provenance
nvdv3.07.8HIGHCVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.2HIGHAV:L/AC:L/Au:N/C:C/I:C/A:C
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-qj3w-wq49-6v5w: An issue was discovered in certain Apple products
ghsa_unreviewed·2022-05-17
CVE-2016-7661 [HIGH] GHSA-qj3w-wq49-6v5w: An issue was discovered in certain Apple products
An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. The issue involves the "Power Management" component. It allows local users to gain privileges via unspecified vectors related to Mach port name references.
Apple
CVE-2016-7661: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
vendor_apple·2016-12-13·CVSS 7.8
CVE-2016-7661 [HIGH] CVE-2016-7661: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
Apple Security Update: About the security content of macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
Product: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
CVE: CVE-2016-7661
Component: Power Management
Impact: A local user may be able to gain root privileges
Description: An issue in mach port name references was addressed through improved validation.
Apple
CVE-2016-7661: iOS 10.2
vendor_apple·2016-12-12·CVSS 7.8
CVE-2016-7661 [HIGH] CVE-2016-7661: iOS 10.2
Apple Security Update: About the security content of iOS 10.2
Product: iOS
Version: 10.2
CVE: CVE-2016-7661
Component: Power Management
Impact: A local user may be able to gain root privileges
Description: An issue in mach port name references was addressed through improved validation.
Apple
CVE-2016-7661: tvOS 10.1
vendor_apple·2016-12-12·CVSS 7.8
CVE-2016-7661 [HIGH] CVE-2016-7661: tvOS 10.1
Apple Security Update: About the security content of tvOS 10.1
Product: tvOS
Version: 10.1
CVE: CVE-2016-7661
Component: Power Management
Impact: A local user may be able to gain root privileges
Description: An issue in mach port name references was addressed through improved validation.
No detection rules found.
Exploit-DB
Apple macOS 10.12.1 / iOS < 10.2 - powerd Arbitrary Port Replacement
exploitdb·2016-12-22
CVE-2016-7661 Apple macOS 10.12.1 / iOS < 10.2 - powerd Arbitrary Port Replacement
Apple macOS 10.12.1 / iOS Head, &bufReply->Head);
This passes the raw message to pm_mig_demux:
static boolean_t
pm_mig_demux(
mach_msg_header_t * request,
mach_msg_header_t * reply)
{
mach_dead_name_notification_t *deadRequest =
(mach_dead_name_notification_t *)request;
boolean_t processed = FALSE;
processed = powermanagement_server(request, reply);
if (processed)
return true;
if (MACH_NOTIFY_DEAD_NAME == request->msgh_id)
{
__MACH_PORT_DEBUG(true, "pm_mig_demux: Dead name port should have 1+ send right(s)", deadRequest->not_port);
PMConnectionHandleDeadName(deadRequest->not_port);
__MACH_PORT_DEBUG(true, "pm_mig_demux: Deallocating dead name port", deadRequest->not_port);
mach_port_deallocate(mach_task_self(), deadRequest->not_port);
reply->msgh_bits = 0;
reply->msgh_remote_port =
Exploit-DB
Apple macOS 10.12 16A323 XNU Kernel / iOS 10.1.1 - 'set_dp_control_port' Lack of Locking Use-After-Free
exploitdb·2016-12-16
CVE-2016-7661 Apple macOS 10.12 16A323 XNU Kernel / iOS 10.1.1 - 'set_dp_control_port' Lack of Locking Use-After-Free
Apple macOS 10.12 16A323 XNU Kernel / iOS 10.1.1 - 'set_dp_control_port' Lack of Locking Use-After-Free
---
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=965
set_dp_control_port is a MIG method on the host_priv_port so this bug is a root->kernel escalation.
kern_return_t
set_dp_control_port(
host_priv_t host_priv,
ipc_port_t control_port)
{
if (host_priv == HOST_PRIV_NULL)
return (KERN_INVALID_HOST);
if (IP_VALID(dynamic_pager_control_port))
ipc_port_release_send(dynamic_pager_control_port);
dynamic_pager_control_port = control_port;
return KERN_SUCCESS;
}
This should be an atomic operation; there's no locking so two threads can race to see the same value for
dynamic_pager_control_port and release two references when the kernel only holds one.
This PoC triggers
No writeups or analysis indexed.
http://www.securityfocus.com/bid/94906http://www.securitytracker.com/id/1037469https://support.apple.com/HT207422https://support.apple.com/HT207423https://www.exploit-db.com/exploits/40931/https://www.exploit-db.com/exploits/40958/http://www.securityfocus.com/bid/94906http://www.securitytracker.com/id/1037469https://support.apple.com/HT207422https://support.apple.com/HT207423https://www.exploit-db.com/exploits/40931/https://www.exploit-db.com/exploits/40958/
2017-02-20
Published