Google has released MAC security flaw found by the Project Security Team. The team has released two unpatched vulnerabilities in OS X. The exploits help attackers control users MAC. It’s not Google’s fault, if an exploit is not patched within 90 days then it should be published online.
I wrote a little program to run over every IOKit IOService userclient type from 1 to 100 and just call IOConnectMapMemory for all the memory type values from 1 to 1000.
Calling IOConnectMapMemory on userclient type 2 of “IntelAccelerator” with memory type 3 hits an exploitable kernel NULL pointer dereference calling a virtual function on an object at 0x0.
Attached PoC exploits this to get root.
hummm, reading the Yosemite security bulletin this sounds a lot like CVE-2014-4373, upgrading to Yosemite now to check before I report this.
Verified that the bug is still there in Yosemite, attached a PoC crasher for 10.10.
The kASLR defeat in ig_2_3_exploit.c looks to have been patched in 10.10 however so that doesn’t work.