多款Apple产品安全漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1611241 漏洞类型 资源管理错误
发布时间 2019-05-13 更新时间 2019-05-13
CVE编号 CVE-2019-8605 CNNVD-ID CNNVD-201905-526
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://www.securityfocus.com/bid/108481
https://cxsecurity.com/issue/WLB-2019050246
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201905-526
|漏洞详情
Apple iOS等都是美国苹果(Apple)公司的产品。Apple iOS是一套为移动设备所开发的操作系统。Apple tvOS是一套智能电视操作系统。Apple macOS Mojave是一套专为Mac计算机所开发的专用操作系统。Kernel是其中的一个内核组件。 多款Apple产品中的Kernel组件存在资源管理错误漏洞。该漏洞源于网络系统或产品对系统资源(如内存、磁盘空间、文件等)的管理不当。以下产品及版本受到影响:Apple iOS 12.3之前版本;macOS Mojave 10.14.5之前版本;tvOS 12.3之前版本;watchOS 5.2.1之前版本。
|漏洞EXP
XNU: Use-after-free due to stale pointer left by in6_pcbdetach 

Related CVE Numbers: CVE-2019-8605Fixed-2019-May-13.


# Reproduction
Repros on 10.14.3 when run as root. It may need multiple tries to trigger.
$ clang -o in6_selectsrc in6_selectsrc.cc
$ while 1; do sudo ./in6_selectsrc; done
res0: 3
res1: 0
res1.5: -1 // failure expected here
res2: 0
done
...
[crash]

# Explanation
The following snippet is taken from in6_pcbdetach:
```
void
in6_pcbdetach(struct inpcb *inp)
{
    // ...
\tif (!(so->so_flags & SOF_PCBCLEARING)) {
\t\tstruct ip_moptions *imo;
\t\tstruct ip6_moptions *im6o;

\t\tinp->inp_vflag = 0;
\t\tif (inp->in6p_options != NULL) {
\t\t\tm_freem(inp->in6p_options);
\t\t\tinp->in6p_options = NULL; // <- good
\t\t}
\t\tip6_freepcbopts(inp->in6p_outputopts); // <- bad
\t\tROUTE_RELEASE(&inp->in6p_route);
\t\t// free IPv4 related resources in case of mapped addr
\t\tif (inp->inp_options != NULL) {
\t\t\t(void) m_free(inp->inp_options); // <- good
\t\t\tinp->inp_options = NULL;
\t\t}
```

Notice that freed options must also be cleared so they are not accidentally reused.
This can happen when a socket is disconnected and reconnected without being destroyed.
In the inp->in6p_outputopts case, the options are freed but not cleared, so they can be
used after they are freed.

This specific PoC requires root because I use raw sockets, but it's possible other socket
types suffer from this same vulnerability.

# Crash Log
panic(cpu 4 caller 0xffffff8015cda29d): Kernel trap at 0xffffff8016011764, type 13=general protection, registers:
CR0: 0x0000000080010033, CR2: 0x00007f9ae1801000, CR3: 0x000000069fc5f111, CR4: 0x00000000003626e0
RAX: 0x0000000000000001, RBX: 0xdeadbeefdeadbeef, RCX: 0x0000000000000000, RDX: 0x0000000000000000
RSP: 0xffffffa3ffa5bd30, RBP: 0xffffffa3ffa5bdc0, RSI: 0x0000000000000000, RDI: 0x0000000000000001
R8:  0x0000000000000000, R9:  0xffffffa3ffa5bde0, R10: 0xffffff801664de20, R11: 0x0000000000000000
R12: 0x0000000000000000, R13: 0xffffff80719b7940, R14: 0xffffff8067fdc660, R15: 0x0000000000000000
RFL: 0x0000000000010282, RIP: 0xffffff8016011764, CS:  0x0000000000000008, SS:  0x0000000000000010
Fault CR2: 0x00007f9ae1801000, Error code: 0x0000000000000000, Fault CPU: 0x4, PL: 0, VF: 0

Backtrace (CPU 4), Frame : Return Address
0xffffff801594e290 : 0xffffff8015baeb0d mach_kernel : _handle_debugger_trap + 0x48d
0xffffff801594e2e0 : 0xffffff8015ce8653 mach_kernel : _kdp_i386_trap + 0x153
0xffffff801594e320 : 0xffffff8015cda07a mach_kernel : _kernel_trap + 0x4fa
0xffffff801594e390 : 0xffffff8015b5bca0 mach_kernel : _return_from_trap + 0xe0
0xffffff801594e3b0 : 0xffffff8015bae527 mach_kernel : _panic_trap_to_debugger + 0x197
0xffffff801594e4d0 : 0xffffff8015bae373 mach_kernel : _panic + 0x63
0xffffff801594e540 : 0xffffff8015cda29d mach_kernel : _kernel_trap + 0x71d
0xffffff801594e6b0 : 0xffffff8015b5bca0 mach_kernel : _return_from_trap + 0xe0
0xffffff801594e6d0 : 0xffffff8016011764 mach_kernel : _in6_selectsrc + 0x114
0xffffffa3ffa5bdc0 : 0xffffff8016043015 mach_kernel : _nd6_setdefaultiface + 0xd75
0xffffffa3ffa5be20 : 0xffffff8016120274 mach_kernel : _soconnectlock + 0x284
0xffffffa3ffa5be60 : 0xffffff80161317bf mach_kernel : _connect_nocancel + 0x20f
0xffffffa3ffa5bf40 : 0xffffff80161b62bb mach_kernel : _unix_syscall64 + 0x26b
0xffffffa3ffa5bfa0 : 0xffffff8015b5c466 mach_kernel : _hndl_unix_scall64 + 0x16

BSD process name corresponding to current thread: in6_selectsrc
Boot args: keepsyms=1 -v=1

Mac OS version:
18D109

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.



Found by: nedwill@google.com

|受影响的产品
Apple watchOS 5.2.1 Apple tvOS 12.3 Apple macOS 10.14.5 Apple macOS Security Update 2019 Apple macOS Security Update 2019 Apple iOS 12.3
|参考资料

来源:support.apple.com

链接:https://support.apple.com/en-au/HT210122


来源:www.auscert.org.au

链接:https://www.auscert.org.au/bulletins/80842


来源:packetstormsecurity.com

链接:https://packetstormsecurity.com/files/152847/Apple-Security-Advisory-2019-5-13-4.html