Vendor: Mac OS X
By: Exploit Database
CVSS: 7.8 (HIGH)
Privilege Escalation
CWE: CWE-20, CWE-416
Product Name: Mac OS X
Affected Version From: OS X Yosemite 10.10.5 build 14F27
Affected Version To: OS X El Capitan 10.11.4 and 10.11.5
Patch Exists: YES
Related CVE: CVE-2016-1758, CVE-2016-1828
CPE: o:apple:mac_os_x
Metasploit:
https://www.rapid7.com/db/vulnerabilities/apple-osx-kernel-cve-2016-1758/, https://www.rapid7.com/db/vulnerabilities/apple-ios-cve-2016-1758/, https://www.rapid7.com/db/vulnerabilities/apple-osx-kernel-cve-2016-1827/, https://www.rapid7.com/db/vulnerabilities/apple-osx-kernel-cve-2016-1828/, https://www.rapid7.com/db/vulnerabilities/apple-osx-kernel-cve-2016-1829/, https://www.rapid7.com/db/vulnerabilities/apple-osx-kernel-cve-2016-1830/
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: OS X
2016
rootsh
rootsh is a local privilege escalation targeting OS X Yosemite 10.10.5 build 14F27. It exploits CVE-2016-1758 and CVE-2016-1828, two vulnerabilities in XNU that were patched in OS X El Capitan 10.11.4 and 10.11.5. CVE-2016-1758 is an information leak caused by copying out uninitialized bytes of kernel stack to user space. By comparing leaked kernel pointers with fixed reference addresses it is possible to recover the kernel slide. CVE-2016-1828 is a use-after-free during object deserialization. By passing a crafted binary-serialized dictionary into the kernel, it is possible to trigger a virtual method invocation on an object with a controlled vtable pointer.
Mitigation:
Upgrade to OS X El Capitan 10.11.4 or 10.11.5