Some question about CVE-2016-1803

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)


Postby chengyang » Fri Aug 05, 2016 6:22 am

If anyone is interested in CVE-2016-1803, an arbitrary code execution vulnerability on OS X 10.11.4, please have a look at https://bugs.chromium.org/p/project-zero/issues/detail?id=777&can=2&start=0&num=100&q=&colspec=ID%20Type%20Status%20Priority%20Milestone%20Owner%20Summary&groupby=&sort=

I compiled CoreCaptureNull.c and ran the program, but no panic happens.
When I went through the PoC code, I found that it makes an IOKit call to selector 0 of IOAudioEngine, but according to the description, the exploit should be triggered by "CoreCaptureUserClient::stashGet".

So I found that there is a kext called corecapture:
Code:
graysn0wdeMac:~ graysn0w$ kextstat | grep apture
   82    1 0xffffff7f818e9000 0x22000    0x22000    com.apple.driver.corecapture (1.0.4) 16BA9642-2B81-3FEC-BB6F-FE8E8039DDDF <7 6 5 4 3 1>
   83    0 0xffffff7f81913000 0x7000     0x7000     com.apple.driver.CoreCaptureResponder (1) D71C8900-BCBC-3B5D-9F9C-077C3B29DF70 <82 7 6 5 4 3 1>


I guess the PoC is wrong and I should replace IOAudioEngine with corecapture or CoreCaptureResponder. I don't know the number of the stashGet selector, but I just failed to find the corecapture service or the CoreCaptureResponder connection...

So confused. Any suggestions, please? You can use
Code:
gcc -m32 -Wl,-pagezero_size,0 -O3 -framework IOKit CoreCaptureNull.c
to compile it.
Thank you.