CVE-2018-4237
Published 2018-06-08
Priority: P277 · 7.8 high (CVSS 3.0) · CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Flags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 13.92% (96.1th percentile)
An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "libxpc" component. It allows attackers to gain privileges via a crafted app that leverages a logic error.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | spamassassin | >= 0 < 3.4.2-0ubuntu0.14.04.1+esm1 | 3.4.2-0ubuntu0.14.04.1+esm1 |
| apple | ios | — | — |
| apple | iphone_os | < 11.4 | 11.4 |
| apple | mac_os_x | < 10.13.5 | 10.13.5 |
| apple | macos_high_sierra_10.13.5_security_update_2018-003_sierra_security_update_2018-0 | — | — |
| apple | tvos | < 11.4 | 11.4 |
| apple | tvos | — | — |
| apple | watchos | < 4.3.1 | 4.3.1 |
| apple | watchos | — | — |
Detection & IOCs (extracted from sources)
- Monitor for processes spawned from /tmp (or other writable directories) with randomized 6–12 character alpha-lowercase names, which is the exploit's payload/exploit-file naming pattern.
- Detect use of task_set_special_port to overwrite the bootstrap port, which is the core primitive used to MITM launchd communication in this exploit.
- Alert on processes intercepting XPC/opendirectoryd replies, particularly when a non-root process forks sudo and sits between it and opendirectoryd to forge credential validation responses.
- Flag execution of a Metasploit osx/x64/meterpreter/reverse_tcp payload dropped to a writable directory (e.g. /tmp) and executed by a short-named parent process — consistent with this module's default payload and delivery chain.
- The Metasploit module targets macOS <= 10.13.3 only; systems running 10.13.4 or later are marked Safe by the module's check method.
- The exploit requires an existing non-root session on the target; it will abort if the session already has root privileges.
- The exploit requires a writable directory on the target (default /tmp) to stage both the ssudo exploit binary and the payload executable.
- Apple's advisories describe the vulnerability inconsistently across products: NVD and the Metasploit module attribute it to libxpc/logic error, while Apple's own security pages for iOS, macOS, tvOS, and watchOS describe it as a memory corruption / buffer overflow in the Kernel component.
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 6.7 | MEDIUM | — |
| vulncheck | — | 7.8 | HIGH | — |
GHSA
GHSA-8g9p-xj27-qw5f: An issue was discovered in certain Apple products
ghsa_unreviewed·2022-05-13
OSV
spamassassin vulnerabilities
osv·2020-01-15·CVSS 6.7
USN-4237-1 fixed several vulnerabilities in SpamAssassin. This update provides
the corresponding update for Ubuntu 12.04 ESM and 14.04 ESM.
Original advisory details:
It was discovered that SpamAssassin incorrectly handled certain CF files.
If a user or automated system were tricked into using a specially-crafted
CF file, a remote attacker could possibly run arbitrary code.
(CVE-2018-11805)
It was discovered that SpamAssassin incorrectly handled certain messages.
A remote attacker could possibly use this issue to cause SpamAssassin to
consume resources, resulting in a denial of service. (CVE-2019-12420)
VulnCheck
Apple iOS/macOS/tvOS/watchOS 'libxpc' Vulnerability
vulncheck·2018·CVSS 7.8
Affected: Apple iphone_os
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.seqrite.com/documents/en/threat-reports/india-cyber-threat-report-2025.pdf
Apple
CVE-2018-4237: macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Capitan
vendor_apple·2018-06-01·CVSS 7.8
Apple Security Update: About the security content of macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Capitan
Product: macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Capitan
CVE: CVE-2018-4237
Component: Kernel
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A buffer overflow was addressed with improved bounds checking.
Apple
CVE-2018-4237: watchOS 4.3.1
vendor_apple·2018-05-29·CVSS 7.8
Apple Security Update: About the security content of watchOS 4.3.1
Product: watchOS
Version: 4.3.1
CVE: CVE-2018-4237
Component: Kernel
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
Apple
CVE-2018-4237: iOS 11.4
vendor_apple·2018-05-29·CVSS 7.8
Apple Security Update: About the security content of iOS 11.4
Product: iOS
Version: 11.4
CVE: CVE-2018-4237
Component: Kernel
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
Apple
CVE-2018-4237: tvOS 11.4
vendor_apple·2018-05-29·CVSS 7.8
Apple Security Update: About the security content of tvOS 11.4
Product: tvOS
Version: 11.4
CVE: CVE-2018-4237
Component: Kernel
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A buffer overflow was addressed with improved bounds checking.
No detection rules found.
Exploit-DB
Mac OS X - libxpc MITM Privilege Escalation (Metasploit)
exploitdb·2018-11-29
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Mac OS X libxpc MITM Privilege Escalation',
      'Description'    => %q{
        This module exploits a vulnerability in libxpc on macOS <= 10.13.3.
        The task_set_special_port API allows callers to overwrite their
        bootstrap port, which is used to communicate with launchd. This port
        is inherited across forks: child processes will use the same bootstrap
        port as the parent. By overwriting the bootstrap port and forking a
        child process, we can now gain a MitM position between our child and
        launchd. To gain root we target the sudo binary and intercept its
        communication with opendirectoryd, which is used by sudo to verify
        credentials. We modify the replies from opendirectoryd to make it look
        like our password was valid.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'saelo' ],
      'References'     => [
        ['CVE', '2018-4237'],
        ['URL', 'https://github.com/saelo/pwn2own2018'],
      ],
      'Arch'           => [ ARCH_X64 ],
      'Platform'       => 'osx',
      'DefaultTarget'  => 0,
      'DefaultOptions' => { 'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp' },
      'Targets'        => [
        [ 'Mac OS X x64 (Native Payload)', { } ]
      ],
      'DisclosureDate' => 'Mar 15 2018'))

    register_advanced_options [
      OptString.new('WritableDir', [ true, 'A directory where we can
```

(The Exploit-DB excerpt is truncated at this point.)
Metasploit
Mac OS X libxpc MITM Privilege Escalation
metasploit
This module exploits a vulnerability in libxpc on macOS <= 10.13.3. The task_set_special_port API allows callers to overwrite their bootstrap port, which is used to communicate with launchd. This port is inherited across forks: child processes will use the same bootstrap port as the parent. By overwriting the bootstrap port and forking a child process, we can now gain a MitM position between our child and launchd. To gain root we target the sudo binary and intercept its communication with opendirectoryd, which is used by sudo to verify credentials. We modify the replies from opendirectoryd to make it look like our password was valid.
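The staging and delivery chain described above is what the Detection & IOCs entries key on. As an added example (not part of this page, the Metasploit module, or any vendor tooling), the following Python detector applies those heuristics to constructed process-exec records: the staged-file naming pattern in writable directories, a staged parent executing a staged child, and a non-root staged parent forking sudo. The event field names and sample paths are assumptions, not a real EDR schema.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Writable staging dirs (module default /tmp) plus their macOS aliases.
WRITABLE_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")
# Randomized 6-12 character lowercase names used for the staged exploit file and payload.
RANDOM_NAME = re.compile(r"[a-z]{6,12}")
SUDO_PATH = "/usr/bin/sudo"

@dataclass(frozen=True)
class ExecEvent:
    """One process-exec record; field names are assumptions, not a real EDR schema."""
    pid: int
    ppid: int
    uid: int   # uid of the process performing the exec
    path: str  # executable path

def is_staged_binary(path: str) -> bool:
    """True for an executable in a writable dir with a random short lowercase name."""
    name = path.rsplit("/", 1)[-1]
    return path.startswith(WRITABLE_DIRS) and RANDOM_NAME.fullmatch(name) is not None

def analyze(events: List[ExecEvent]) -> List[Tuple[int, str]]:
    """Return (pid, finding) pairs matching the exploit's staging and delivery chain."""
    by_pid: Dict[int, ExecEvent] = {e.pid: e for e in events}
    findings: List[Tuple[int, str]] = []
    for e in events:
        if is_staged_binary(e.path):
            findings.append((e.pid, "staged-binary"))  # ssudo exploit binary or payload
        parent = by_pid.get(e.ppid)
        if parent is None or not is_staged_binary(parent.path):
            continue  # remaining checks need a staged parent
        if e.path.startswith(WRITABLE_DIRS):
            findings.append((e.pid, "payload-delivery-chain"))  # staged parent runs staged child
        if e.path == SUDO_PATH and parent.uid != 0:
            findings.append((e.pid, "sudo-from-staged-parent"))  # non-root parent forks sudo
    return findings

# Constructed sample events: a benign shell session plus the exploit's pattern.
SAMPLE_EVENTS = [
    ExecEvent(1, 0, 0, "/sbin/launchd"),
    ExecEvent(501, 1, 501, "/bin/zsh"),
    ExecEvent(502, 501, 501, "/tmp/qwzkrmtp"),  # staged ssudo exploit binary
    ExecEvent(503, 502, 501, SUDO_PATH),  # exploit forks sudo to sit between it and opendirectoryd
    ExecEvent(504, 502, 501, "/tmp/ndlpxyvgtb"),  # dropped reverse_tcp payload
    ExecEvent(505, 501, 501, "/tmp/install-helper.sh"),  # writable dir, but not the naming pattern
    ExecEvent(506, 501, 501, SUDO_PATH),  # ordinary sudo from an interactive shell
]
```

Running `analyze(SAMPLE_EVENTS)` flags pids 502, 503 and 504 while leaving the ordinary shell, helper script and interactive sudo alone; the naming heuristic alone is noisy, so the chain findings are the ones worth paging on.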
No writeups or analysis indexed.
References:
- http://www.securitytracker.com/id/1041027
- https://support.apple.com/HT208848
- https://support.apple.com/HT208849
- https://support.apple.com/HT208850
- https://support.apple.com/HT208851
- https://www.exploit-db.com/exploits/45916/