{"id":20012,"date":"2018-01-02T16:00:37","date_gmt":"2018-01-02T21:00:37","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=20012"},"modified":"2018-01-02T16:00:37","modified_gmt":"2018-01-02T21:00:37","slug":"iohideous-iohidfamily-0day","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2018\/01\/02\/iohideous-iohidfamily-0day\/","title":{"rendered":"IOHIDeous: IOHIDFamily 0day"},"content":{"rendered":"<p><a href=\"https:\/\/siguza.github.io\/IOHIDeous\/\">Siguza<\/a> (via <a href=\"https:\/\/twitter.com\/patrickwardle\/status\/947935887995703297\">Patrick Wardle<\/a>, <a href=\"https:\/\/news.ycombinator.com\/item?id=16043578\">Hacker News<\/a>):<\/p>\n<blockquote cite=\"https:\/\/siguza.github.io\/IOHIDeous\/\"><p>This is the tale of a macOS-only vulnerability in IOHIDFamily that yields kernel r\/w and can be exploited by any unprivileged user.<\/p><p>[&#8230;]<\/p><p>The thing is that between this line:<\/p><pre>eop-&gt;evGlobalsOffset = sizeof(EvOffsets);<\/pre>\n<p>and this one:<\/p>\n<pre>evg = (EvGlobals *)((char *)shmem_addr + eop-&gt;evGlobalsOffset);<\/pre><p>The value of <code>eop-&gt;evGlobalsOffset<\/code> can change, which will then cause <code>evg<\/code> to point to somewhere other than intended.<\/p>\n<p>From looking <a href=\"https:\/\/opensource.apple.com\/source\/IOHIDFamily\/IOHIDFamily-33\/IOHIDSystem\/IOHIDSystem.cpp.auto.html\">at the source<\/a>, this vulnerability seems to have been present at least since as far back as 2002.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/twitter.com\/s1guza\/status\/947840701559136256\">Siguza<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/s1guza\/status\/947840701559136256\"><p>I would&rsquo;ve submitted to Apple if their bug bounty included macOS, or if the vuln was remotely exploitable.<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/news.ycombinator.com\/item?id=16044125\">Siguza<\/a>:<\/p>\n<blockquote cite=\"https:\/\/news.ycombinator.com\/item?id=16044125\"><p>And an engineer from Apple&rsquo;s security team contacted me a bit after releasing - they had found the bug a while ago, but hadn&rsquo;t verified the subsequent patch which actually didn&rsquo;t fix it. And a while ago I tweeted <a href=\"https:\/\/twitter.com\/s1guza\/status\/921889566549831680\">this<\/a> (try diff&rsquo;ing sources to find it :P). So they do have people on it. I also told that person to extend my condolences to whoever has to come in and fix that now, but they basically said that there&rsquo;s nothing to apologise for and that they (the team) really like such write-ups.<\/p><\/blockquote>\n\n<p>Previously: <a href=\"https:\/\/mjtsai.com\/blog\/2018\/01\/01\/identityservicesd-what-if-anyone-can-be-you\/\">identityservicesd: What If Anyone Can Be You?<\/a>, <a href=\"https:\/\/mjtsai.com\/blog\/2017\/12\/20\/explanation-of-homekit-vulnerability\/\">Explanation of HomeKit Vulnerability<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>Siguza (via Patrick Wardle, Hacker News): This is the tale of a macOS-only vulnerability in IOHIDFamily that yields kernel r\/w and can be exploited by any unprivileged user.[&#8230;]The thing is that between this line:eop-&gt;evGlobalsOffset = sizeof(EvOffsets); and this one: evg = (EvGlobals *)((char *)shmem_addr + eop-&gt;evGlobalsOffset);The value of eop-&gt;evGlobalsOffset can change, which will then cause [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"","apple_news_api_id":"","apple_news_api_modified_at":"","apple_news_api_revision":"","apple_news_api_share_url":"","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[4],"tags":[159,131,845,30,281,1529,71,48,1235],"class_list":["post-20012","post","type-post","status-publish","format-standard","hentry","category-programming-category","tag-applescript","tag-bug","tag-kernel","tag-mac","tag-mach","tag-macos-10-13","tag-programming","tag-security","tag-system-integrity-protection"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/20012","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=20012"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/20012\/revisions"}],"predecessor-version":[{"id":20013,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/20012\/revisions\/20013"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=20012"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=20012"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=20012"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}