
CVE-2019-8540 PoC: Kernel component security vulnerability in multiple Apple products

Associated Vulnerability
Title: Kernel component security vulnerability in multiple Apple products (CVE-2019-8540)
Description: Apple iOS and the other products listed here are made by Apple Inc. (US). Apple iOS is an operating system developed for mobile devices; Apple tvOS is an operating system for smart TVs; Apple macOS Mojave is an operating system developed specifically for Mac computers; Kernel is the kernel component shared by them. A security vulnerability exists in the Kernel component of Apple iOS before 12.2, tvOS before 12.2, and macOS Mojave before 10.14.4. An attacker can exploit it through a malicious application to determine the layout of kernel memory.
Description
Kernel Stack info leak at exportObjectToClient function
Readme
# CVE-2019-8540
Kernel Stack info leak at exportObjectToClient function

Bug details:

Affected: macOS <= 10.14.3 and iOS < 12.2

There is a bug in IOUserClient::exportObjectToClient in IOKit that leaks 4 bytes of uninitialised kernel stack memory to user space.
As its name suggests, exportObjectToClient makes an arbitrary OSObject available to the client task by creating a Mach send right for it. It is a basic primitive, and many other kernel functions call it.

   
`IOReturn IOUserClient::exportObjectToClient(task_t task, OSObject *obj, io_object_t *clientObj)`

`{`
    `mach_port_name_t name;    
    name = IOMachPort::makeSendRightForTask( task, obj, IKOT_IOKIT_OBJECT );`
    `*(mach_port_name_t *)clientObj = name; // (1). force the type convert to mach_port_name_t` 
    `if (obj) obj->release();`
    `return kIOReturnSuccess;`
`}`

io_object_t is a pointer-sized handle, 8 bytes on a 64-bit kernel, but the store at (1) goes through a cast to mach_port_name_t, which is 4 bytes. Only the low 4 bytes of *clientObj receive the port name; the high 4 bytes keep whatever the caller's io_object_t already held. That variable is a stack local in the IOKit MIG routines that call exportObjectToClient and is not initialised before the call, so when the whole 8-byte io_object_t is copied back to user space in the reply, 4 bytes of stale kernel stack content travel with it. A client can read them simply by shifting the returned handle right by 32 bits.
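To make the width mismatch concrete, here is an added user-space model of the store at (1). It is example code written for this page, not the repository's poc.c and not Apple's kernel source. The typedefs, the function names `export_vulnerable`, `export_fixed`, `model_reply` and `leaked_high_bits`, the `stale` value standing in for old stack content and the port name 0x1103 are all constructed. It also shows the two places the leak can be closed: widening the store so the whole 8-byte slot is written, or having the caller zero its io_object_t local before the call.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the kernel types (added example, not XNU headers):
 * io_object_t is a pointer-sized handle, 8 bytes on a 64-bit kernel;
 * mach_port_name_t is a 32-bit Mach port name. */
typedef uint64_t io_object_t;
typedef uint32_t mach_port_name_t;

/* The vulnerable pattern: only sizeof(mach_port_name_t) == 4 of the 8 bytes
 * of *clientObj are written. The kernel does this with the cast
 * `*(mach_port_name_t *)clientObj = name;`; memcpy is used here so the
 * narrow store is well defined in portable C and has the same byte effect.
 * On a little-endian target (every 64-bit Apple platform) the 4 bytes
 * written are the low half; the high half keeps its old value. */
static void export_vulnerable(mach_port_name_t name, io_object_t *clientObj)
{
    memcpy(clientObj, &name, sizeof name);
}

/* Hardened store (the right shape for a fix, not Apple's patch text):
 * widen the port name first so the whole 8-byte slot is overwritten. */
static void export_fixed(mach_port_name_t name, io_object_t *clientObj)
{
    *clientObj = (io_object_t)name;
}

/* Models the caller. `stale` stands in for whatever the previous stack
 * frame left in the io_object_t local; `init` says whether the caller
 * zeroed that local first (caller-side defence in depth). Returns the
 * 8-byte value that would be copied back to the client in the reply. */
io_object_t model_reply(uint64_t stale, mach_port_name_t name, int use_fixed, int init)
{
    io_object_t slot = stale;   /* an uninitialised local, modelled */
    if (init)
        slot = 0;               /* MACH_PORT_NULL */
    if (use_fixed)
        export_fixed(name, &slot);
    else
        export_vulnerable(name, &slot);
    return slot;
}

/* Client-side check: the port name lives in the low 32 bits; anything in
 * the high 32 bits is data the kernel never meant to return. */
uint32_t leaked_high_bits(io_object_t obj)
{
    return (uint32_t)(obj >> 32);
}

mach_port_name_t port_name_part(io_object_t obj)
{
    return (mach_port_name_t)obj;
}

int main(void)
{
    /* Constructed values: `stale` imitates leftover kernel stack content,
     * `name` is an arbitrary port name. */
    const uint64_t stale = 0xffffff80deadbeefULL;
    const mach_port_name_t name = 0x1103;

    io_object_t vuln   = model_reply(stale, name, 0, 0);
    io_object_t fixed  = model_reply(stale, name, 1, 0);
    io_object_t zeroed = model_reply(stale, name, 0, 1);

    printf("vulnerable store : obj=0x%016llx leaked high bits=0x%08x\n",
           (unsigned long long)vuln, leaked_high_bits(vuln));
    printf("widened store    : obj=0x%016llx leaked high bits=0x%08x\n",
           (unsigned long long)fixed, leaked_high_bits(fixed));
    printf("zeroed local     : obj=0x%016llx leaked high bits=0x%08x\n",
           (unsigned long long)zeroed, leaked_high_bits(zeroed));
    return 0;
}
```

Only the first case returns non-zero high bits; both the widened store and the zero-initialised local close the leak, which is why a real fix in this spot should change the store rather than rely on every caller remembering to initialise its local.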
File Snapshot

[4.0K] /data/pocs/2979c3ca131278174aa9d3934560e4ce9f75d667
├── [2.3K] poc.c
└── [ 937] README.md

0 directories, 2 files