cbcvebase.
CVE-2019-8661
published 2019-12-18

Priority: P266 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 9.51% (94.8th percentile)

A use after free issue was addressed with improved memory management. This issue is fixed in macOS Mojave 10.14.6. A remote attacker may be able to cause arbitrary code execution.

Affected

3 ranges
Vendor | Product | Version range | Fixed in
apple | mac_os_x | < 10.14.6 | 10.14.6
apple | macos | >= unspecified < macOS Mojave 10.14.6 | macOS Mojave 10.14.6
apple | macos_mojave_10.14.6_security_update_2019-004_high_sierra_security_update_2019-0

Detection & IOCs (extracted from sources)

url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47207.zip
process: soagent
filename: sendMessage.py
filename: injectMessage.js
  • Monitor for crashes in the 'soagent' process triggered via iMessage with no user interaction, which may indicate exploitation of CVE-2019-8661.
  • Inspect inbound iMessage payloads for NSURL objects containing the 'NS.minimalBookmarkData' property in their plist, which is the deserialization vector for this vulnerability.
  • Look for pre-2012 alias file data being processed via FSResolveAliasWithMountFlags in CarbonCore, triggered remotely through iMessage deserialization of NSURL objects.
  • Flag memory corruption events originating from ALI_GetUTF8Path (CarbonCore) via an unsafe strcat_chk call, reachable through remote iMessage delivery.
  • The exploit requires no user interaction and is macOS-specific; prioritize detection on macOS endpoints receiving iMessages with serialized NSURL/bookmark data.
  • The PoC exploit uses Frida for injection; detection of Frida tooling (frida-agent, frida-server) on macOS endpoints may indicate attacker staging activity related to this CVE.
  • The vulnerability is fixed in macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, and Security Update 2019-004 Sierra; unpatched systems in these product lines remain at risk.

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P