Tuesday, January 2, 2018

IOHIDeous: IOHIDFamily 0day

Siguza (via Patrick Wardle, Hacker News):

This is the tale of a macOS-only vulnerability in IOHIDFamily that yields kernel r/w and can be exploited by any unprivileged user.

[…]

The thing is that between this line:

eop->evGlobalsOffset = sizeof(EvOffsets);

and this one:

evg = (EvGlobals *)((char *)shmem_addr + eop->evGlobalsOffset);

the value of eop->evGlobalsOffset can change, which will then cause evg to point to somewhere other than intended.

From looking at the source, this vulnerability seems to have been present at least since as far back as 2002.
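To make the double fetch Siguza describes concrete, here is an added example (not code from the write-up or from IOHIDFamily) that models the pattern with stand-in struct names and a simulated racing writer, placing the vulnerable derivation beside a hardened one that reads the offset once into kernel-private storage and bounds-checks it:

```c
/* Simplified model of the double-fetch pattern described above.
 * EvOffsets/EvGlobals here are stand-ins, not IOHIDFamily's real layouts. */
#include <stddef.h>
#include <stdint.h>

#define SHMEM_SIZE 4096  /* size of the modelled shared-memory region */

typedef struct {
    uint32_t evGlobalsOffset;   /* lives in memory the user process can write */
} EvOffsets;

typedef struct {
    uint32_t placeholder;
} EvGlobals;

/* Simulated racing user-space writer: changes the field in the window between
 * the kernel's store and its re-read. */
static void user_racer(unsigned char *shmem, uint32_t value) {
    ((EvOffsets *)shmem)->evGlobalsOffset = value;
}

/* Overflow-safe bounds check: an EvGlobals at `off` must fit inside shmem. */
static int offset_in_bounds(size_t off, size_t shmem_size) {
    return shmem_size >= sizeof(EvGlobals) && off <= shmem_size - sizeof(EvGlobals);
}

/* Vulnerable pattern: the offset is written to shared memory and then re-read
 * from it, so the racer controls where evg ends up. Returns the offset used. */
static size_t derive_offset_vulnerable(unsigned char *shmem, uint32_t racer_value) {
    EvOffsets *eop = (EvOffsets *)shmem;
    eop->evGlobalsOffset = sizeof(EvOffsets);
    user_racer(shmem, racer_value);                        /* the race window */
    uintptr_t evg = (uintptr_t)shmem + eop->evGlobalsOffset; /* second fetch */
    return (size_t)(evg - (uintptr_t)shmem);
}

/* Hardened pattern: keep the offset in a kernel-private local, publish it to
 * shared memory for user space, but never read it back. Returns 0 on rejection. */
static size_t derive_offset_hardened(unsigned char *shmem, uint32_t racer_value) {
    EvOffsets *eop = (EvOffsets *)shmem;
    const size_t off = sizeof(EvOffsets);                  /* trusted copy */
    eop->evGlobalsOffset = (uint32_t)off;
    user_racer(shmem, racer_value);                        /* same window, now harmless */
    if (!offset_in_bounds(off, SHMEM_SIZE))
        return 0;
    uintptr_t evg = (uintptr_t)shmem + off;                /* derived from the local */
    return (size_t)(evg - (uintptr_t)shmem);
}
```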

Siguza:

I would’ve submitted to Apple if their bug bounty included macOS, or if the vuln was remotely exploitable.

Siguza:

And an engineer from Apple’s security team contacted me a bit after releasing; they had found the bug a while ago, but hadn’t verified the subsequent patch which actually didn’t fix it. And a while ago I tweeted this (try diff’ing sources to find it :P). So they do have people on it. I also told that person to extend my condolences to whoever has to come in and fix that now, but they basically said that there’s nothing to apologise for and that they (the team) really like such write-ups.

Previously: identityservicesd: What If Anyone Can Be You?, Explanation of HomeKit Vulnerability.


“they had found the bug a while ago, but hadn’t verified the subsequent patch which actually didn’t fix it”

That's a good summary of what happens when you file a bug on Bug Reporter.
