Vendor: macOS
Reported by: ianbeer
CVSS: 7.8 (HIGH)
CWE: CWE-416 Use-After-Free
Product Name: macOS
Affected Version From: macOS 10.12.3 (16D32)
Affected Version To: macOS 10.12.3 (16D32)
Patch Exists: YES
Related CWE: N/A
CPE: o:apple:mac_os_x:10.12.3
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: MacbookAir5,2
2016
macOS/iOS kernel UAF in necp_open
The necp_open syscall is used to obtain a new necp file descriptor. The fg_data field of the new file's fp (fileproc) points to a struct necp_fd_data allocated on the heap. The bug is that fd_data is owned by the fp, so once the proc_fd lock is dropped at (c), another thread can call close on the new fd, which frees fd_data before it is enqueued at (e). The enqueue then operates on freed memory, a use-after-free.
Mitigation:
Apple has released a patch for this vulnerability in macOS 10.12.4.