Menu

Search for hundreds of thousands of exploits

"Apple macOS Sierra 10.12.1 - 'physmem' Local Privilege Escalation"

Author

"Brandon Azad"

Platform

macos

Release date

2017-01-16

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
## physmem

<!-- Brandon Azad -->

physmem is a physical memory inspection tool and local privilege escalation targeting macOS up
through 10.12.1. It exploits either [CVE-2016-1825] or [CVE-2016-7617] depending on the deployment
target. These two vulnerabilities are nearly identical, and exploitation can be done exactly the
same. They were patched in OS X El Capitan [10.11.5] and macOS Sierra [10.12.2], respectively.

[CVE-2016-1825]: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1825
[CVE-2016-7617]: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-7617
[10.11.5]: https://support.apple.com/en-us/HT206567
[10.12.2]: https://support.apple.com/en-us/HT207423

Because these are logic bugs, exploitation is incredibly reliable. I have not yet experienced a
panic in the tens of thousands of times I've run a program (correctly) exploiting these
vulnerabilities.

### CVE-2016-1825

CVE-2016-1825 is an issue in IOHIDevice which allows setting arbitrary IOKit registry properties.
In particular, the privileged property IOUserClientClass can be controlled by an unprivileged
process. I have not tested platforms before Yosemite, but the vulnerability appears in the source
code as early as Mac OS X Leopard.

### CVE-2016-7617

CVE-2016-7617 is an almost identical issue in AppleBroadcomBluetoothHostController. This
vulnerability appears to have been introduced in OS X El Capitan. It was reported by Ian Beer of
Google's Project Zero (issue [974]) and Radu Motspan.

[974]: https://bugs.chromium.org/p/project-zero/issues/detail?id=974

### Building

Build physmem by specifying your deployment target on the command line:

    $ make MACOSX_DEPLOYMENT_TARGET=10.10.5

### Running

You can read a word of physical memory using the read command:

    $ ./physmem read 0x1000
    a69a04f2f59625b3

You can write to physical memory using the write command:

    $ ./physmem write 0x1000 0x1122334455667788
    $ ./physmem read 0x1000
    1122334455667788

You can exec a root shell using the root command:

    $ ./physmem root
    sh-3.2# whoami
    root

### License

The physmem code is released into the public domain. As a courtesy I ask that if you reference or
use any of this code you attribute it to me.


Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/44237.zip
Release Date Title Type Platform Author
2019-08-05 "macOS iMessage - Heap Overflow when Deserializing" dos macos "Google Security Research"
2019-07-02 "Mac OS X TimeMachine - 'tmdiagnose' Command Injection Privilege Escalation (Metasploit)" local macos Metasploit
2019-05-27 "Typora 0.9.9.24.6 - Directory Traversal" remote macos "Dhiraj Mishra"
2019-05-23 "Apple Mac OS X - Feedback Assistant Race Condition (Metasploit)" local macos Metasploit
2019-04-18 "Evernote 7.9 - Code Execution via Path Traversal" local macos "Dhiraj Mishra"
2019-03-01 "macOS XNU - Copy-on-Write Behavior Bypass via Mount of User-Owned Filesystem Image" dos macos "Google Security Research"
2019-02-13 "Apple macOS 10.13.5 - Local Privilege Escalation" local macos Synacktiv
2019-02-20 "FaceTime - Texture Processing Memory Corruption" dos macos "Google Security Research"
2019-01-31 "macOS XNU - Copy-on-Write Behaviour Bypass via Partial-Page Truncation of File" dos macos "Google Security Research"
2019-01-24 "Microsoft Remote Desktop 10.2.4(134) - Denial of Service (PoC)" dos macos "Saeed Hasanzadeh"
2018-12-14 "Safari - Proxy Object Type Confusion (Metasploit)" remote macos Metasploit
2018-11-29 "Mac OS X - libxpc MITM Privilege Escalation (Metasploit)" local macos Metasploit
2018-11-20 "Apple macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)" dos macos "Fabiano Anemone"
2018-11-14 "SwitchVPN for macOS 2.1012.03 - Privilege Escalation" local macos "Bernd Leitner"
2018-11-13 "CuteFTP Mac 3.1 - Denial of Service (PoC)" dos macos "Yair Rodríguez Aparicio"
2018-11-06 "FaceTime - 'VCPDecompressionDecodeFrame' Memory Corruption" dos macos "Google Security Research"
2018-11-06 "FaceTime - 'readSPSandGetDecoderParams' Stack Corruption" dos macos "Google Security Research"
2018-11-05 "LiquidVPN 1.36 / 1.37 - Privilege Escalation" local macos "Bernd Leitner"
2018-05-30 "Yosoro 1.0.4 - Remote Code Execution" webapps macos "Carlo Pelliccioni"
2017-02-24 "Apple WebKit 10.0.2 - 'FrameLoader::clear' Universal Cross-Site Scripting" webapps macos "Google Security Research"
2017-06-06 "Apple Safari 10.1 - Spread Operator Integer Overflow Remote Code Execution" remote macos saelo
2017-05-04 "Apple Safari 10.0.3 - 'JSC::CachedCall' Use-After-Free" remote macos "saelo & niklasb"
2017-02-23 "Apple macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution / Arbitrary File Read" remote macos "Google Security Research"
2018-07-30 "Charles Proxy 4.2 - Local Privilege Escalation" local macos "Mark Wadham"
2018-03-20 "Google Software Updater macOS - Unsafe use of Distributed Objects Privilege Escalation" local macos "Google Security Research"
2017-01-16 "Apple macOS Sierra 10.12.1 - 'physmem' Local Privilege Escalation" local macos "Brandon Azad"
2017-12-07 "Apple macOS High Sierra 10.13 - 'ctl_ctloutput-leak' Information Leak" local macos "Brandon Azad"
2017-11-28 "Apple macOS 10.13.1 (High Sierra) - 'Blank Root' Local Privilege Escalation" local macos Lemiorhan
2017-12-06 "Apple macOS 10.13.1 (High Sierra) - Insecure Cron System Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Proxifier for Mac 2.19 - Local Privilege Escalation" local macos "Mark Wadham"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/44237/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/44237/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/44237/9855/apple-macos-sierra-10121-physmem-local-privilege-escalation/download/", "exploit_id": "44237", "exploit_description": "\"Apple macOS Sierra 10.12.1 - 'physmem' Local Privilege Escalation\"", "exploit_date": "2017-01-16", "exploit_author": "\"Brandon Azad\"", "exploit_type": "local", "exploit_platform": "macos", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse