CVE-2018-4139
Published 2018-04-03
Priority: P3 · 47 · High (7.8, CVSS 3.0)
Exploit: public exploit indexed (Exploit-DB 44561)
EPSS: 4.44% (90.2nd percentile)
An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "kext tools" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | < 10.13.4 | 10.13.4 |
| apple | macos_high_sierra_10.13.4_security_update_2018-002_sierra_and_security_update_20 | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
Apple
CVE-2018-4139: macOS High Sierra 10.13.4, Security Update 2018-002 Sierra, and Security Update 2018-002 El Capitan
Source: vendor_apple · 2018-03-29 · CVSS 7.8 · HIGH
Apple Security Update: About the security content of macOS High Sierra 10.13.4, Security Update 2018-002 Sierra, and Security Update 2018-002 El Capitan
Product: macOS High Sierra 10.13.4, Security Update 2018-002 Sierra, and Security Update 2018-002 El Capitan
CVE: CVE-2018-4139
Component: Kernel
Impact: A malicious application may be able to determine kernel memory layout
Description: An information disclosure issue existed in the transition of program state. This issue was addressed with improved state handling.
GHSA
GHSA-4c7q-c36w-gpm4: An issue was discovered in certain Apple products
Source: ghsa_unreviewed · 2022-05-14 · CVE-2018-4139 · HIGH · CWE-119
No detection rules found.
Exploit-DB
iOS/macOS - 'task_swap_mach_voucher()' Use-After-Free (CVE-2019-6225, HIGH)
Source: exploitdb · 2019-01-25 · CVSS 7.8
---
/*
* voucher_swap-poc.c
* Brandon Azad
*/
#if 0
iOS/macOS: task_swap_mach_voucher() does not respect MIG semantics leading to use-after-free
The dangers of not obeying MIG semantics have been well documented: see issues 926 (CVE-2016-7612),
954 (CVE-2016-7633), 1417 (CVE-2017-13861, async_wake), 1520 (CVE-2018-4139), 1529 (CVE-2018-4206),
and 1629 (no CVE), as well as CVE-2018-4280 (blanket). However, despite numerous fixes and
mitigations, MIG issues persist and offer incredibly powerful exploit primitives. Part of the
problem is that MIG semantics are complicated and unintuitive and do not align well with the
kernel's abstractions.
Consider the MIG routine task_swap_mach_voucher():
routine task_swap_mach_voucher(
task : task_
Exploit-DB
Apple macOS 10.13.2 - Double mach_port_deallocate in kextd due to Failure to Comply with MIG Ownership Rules (CVE-2018-4139)
Source: exploitdb · 2018-04-30
---
Here's a kextd method exposed via MIG (com.apple.KernelExtensionServer):
kern_return_t _kextmanager_unlock_kextload(
    mach_port_t server,
    mach_port_t client)
{
    kern_return_t mig_result = KERN_FAILURE;

    if (gClientUID != 0) {
        OSKextLog(/* kext */ NULL,
            kOSKextLogErrorLevel | kOSKextLogIPCFlag,
            "Non-root kextutil doesn't need to lock/unlock.");
        mig_result = KERN_SUCCESS;
        goto finish;
    }

    if (client != (mach_port_t)dispatch_source_get_handle(_gKextutilLock)) {
        OSKextLog(/* kext */ NULL,
            kOSKextLogErrorLevel | kOSKextLogIPCFlag,
            "%d not used to lock for kextutil.", client);
        goto finish;
    }

    removeKextutilLock();
    mig_result = KERN_SUCCESS;

finish:
    // we don't need the extra send rig
No writeups or analysis indexed.
References:
http://www.securityfocus.com/bid/103582
http://www.securitytracker.com/id/1040608
https://support.apple.com/HT208692
https://www.exploit-db.com/exploits/44561/