2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
The purpose of this article is to share an example analysis of CVE-2020-27897, an out-of-bounds (OOB) write privilege escalation vulnerability in the Apple macOS kernel. The editor considers it very practical and shares it here as a reference; follow along with the editor below.
It is for reference and study only.
Vulnerability analysis
Communication between user space and the Intel kernel drivers goes through IOConnectCallMethod, which is ultimately carried by Mach messages. IntelMTLRenderFunctions is a class whose execute() method handles kernel commands sent by the client to render UI information. Each kernel command is identified by a numeric value; in this example we focus on command 0x10005. Besides the command number, execute() also accepts data from a client-supplied buffer. An offset taken from this buffer is used in address arithmetic on a kernel structure without any bounds check, which produces the out-of-bounds write.
The code path to IntelMTLRenderFunctions::execute() is as follows. The user-space client creates two shared memory mappings by calling IOAccelSharedUserClient2::create_shmem(), which is provided by another kernel extension, IOAcceleratorFamily2. The first mapping serves as the request's segment descriptor, while the second holds a command buffer. create_shmem() registers each mapping under a unique ID and returns it; the client then passes these IDs to IOAccelCommandQueue::s_submit_command_buffers() along with the kernel command buffer, whose rough structure is an array of the following:
struct command {
    uint32_t type;
    uint32_t size;
    uint8_t *cmd;
};
The array is then split, and each element is eventually passed to IGAccelCommandQueue::processKernelCommand() with a kernel command structured as follows:
struct command {
    uint32_t cmd_id;           // 0x10005
    uint32_t size;
    uint32_t offset;           // the offset that is used without a bounds check
    uint32_t loop_counter;
    uint32_t zero1;
    uint32_t zero2;
    uint32_t controlled_value; // controlled value that gets written at the offset
    uint32_t zero3;
};
Next, it is passed to IntelMTLRenderFunctions::execute() in AppleIntelKBLGraphics, which handles kernel command 0x10005:
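As an added illustration (not the driver's code and not the article's own listing), the following sketch writes out the offset check the article says is missing. The struct command layout comes from the article; CMD_ID_WRITE, the render_state word table and the batch of command values are constructed assumptions used only to show which offsets a bounds-checked handler rejects.

```c
#include <stddef.h>
#include <stdint.h>
/* Kernel command layout for cmd_id 0x10005, as given in the article. */
struct command {
    uint32_t cmd_id;
    uint32_t size;
    uint32_t offset;           /* client-controlled, feeds address arithmetic */
    uint32_t loop_counter;
    uint32_t zero1;
    uint32_t zero2;
    uint32_t controlled_value; /* client-controlled value written at offset */
    uint32_t zero3;
};
#define CMD_ID_WRITE 0x10005u

/* Hypothetical target: a word table standing in for the kernel structure. */
struct render_state { uint32_t table[16]; };

/* Hardened handler with the bounds check made explicit. Returns 0 when the
 * write was performed, -1 when the command is rejected. */
int handle_cmd_10005(struct render_state *st, const struct command *c)
{
    const size_t table_bytes = sizeof st->table;
    if (c->cmd_id != CMD_ID_WRITE)
        return -1;
    /* Compare by subtraction rather than offset + 4 so a huge offset
     * cannot wrap the arithmetic and slip past the check. */
    if (c->offset % sizeof(uint32_t) != 0 || c->offset >= table_bytes ||
        table_bytes - c->offset < sizeof(uint32_t))
        return -1;                       /* would land outside *st */
    st->table[c->offset / sizeof(uint32_t)] = c->controlled_value;
    return 0;
}
/* Walk a constructed batch of commands and count how many are accepted. */
int run_constructed_batch(void)
{
    struct render_state st = { { 0 } };
    const struct command batch[] = {
        { CMD_ID_WRITE, 32, 8,           1, 0, 0, 0x41414141u, 0 }, /* in range */
        { CMD_ID_WRITE, 32, 60,          1, 0, 0, 0x42424242u, 0 }, /* last slot */
        { CMD_ID_WRITE, 32, 64,          1, 0, 0, 0x43434343u, 0 }, /* one past end */
        { CMD_ID_WRITE, 32, 0xfffffffcu, 1, 0, 0, 0x44444444u, 0 }, /* would wrap */
        { CMD_ID_WRITE, 32, 6,           1, 0, 0, 0x45454545u, 0 }, /* unaligned */
    };
    int accepted = 0;
    for (size_t i = 0; i < sizeof batch / sizeof batch[0]; i++)
        if (handle_cmd_10005(&st, &batch[i]) == 0)
            accepted++;
    return accepted;   /* 2 */
}
```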
The following is an exploit PoC for this vulnerability:
Summary
Vulnerabilities in kernel drivers are always very interesting. Their attack vectors usually need to be chained with a remote code execution vulnerability to be reached, and once such a bug is present, the target device can be completely taken over by the attacker.
Thank you for reading! This concludes the article "Example analysis of the Apple macOS kernel OOB write privilege escalation vulnerability CVE-2020-27897". I hope the content above has been of some help and that you have learned something from it; if you think the article is good, please share it so more people can see it!