Posted by Ian Beer
A couple of weeks ago Apple released OS X 10.9.5 and iOS 8 which fixed a number of sandbox escapes and privilege escalation bugs found by Project Zero. All bar one of these bugs were found via manual source code auditing where there was source, and binary analysis where there wasn’t. As always, click through the bugs for proof-of-concept code and further details:
CVE-2014-4403* [ https://code.google.com/p/google-security-research/issues/detail?id=23 ] was an issue allowing a kernel ASLR bypass on OS X due to insufficient randomization of very early kernel heap allocations, the addresses of which could be leaked using the unprivileged SGDT instruction. This bug could be exploited from within any sandbox on OS X and allowed an attacker to determine the load address of the kernel.
CVE-2014-4394* [ https://code.google.com/p/google-security-research/issues/detail?id=28 ]
CVE-2014-4395* [ https://code.google.com/p/google-security-research/issues/detail?id=29 ]
CVE-2014-4401* [ https://code.google.com/p/google-security-research/issues/detail?id=30 ]
CVE-2014-4396* [ https://code.google.com/p/google-security-research/issues/detail?id=30 ]
CVE-2014-4397* [ https://code.google.com/p/google-security-research/issues/detail?id=30 ]
CVE-2014-4400* [ https://code.google.com/p/google-security-research/issues/detail?id=30 ]
CVE-2014-4399* [ https://code.google.com/p/google-security-research/issues/detail?id=30 ]
CVE-2014-4398* [ https://code.google.com/p/google-security-research/issues/detail?id=32 ]
CVE-2014-4416* [ https://code.google.com/p/google-security-research/issues/detail?id=34 ]
were all bounds-checking bugs in the driver for the Intel integrated HD GPU present on all current-generation Macs. Eight of these bugs allowed controlled kernel memory corruption from within most sandboxes on OS X (those with access to the GPU, such as the Safari renderer process or the Chrome GPU process).
CVE-2014-4402* [ https://code.google.com/p/google-security-research/issues/detail?id=33 ] was another case of missing bounds checks, this time in another part of the graphics acceleration pipeline.
CVE-2014-4376* [ https://code.google.com/p/google-security-research/issues/detail?id=31 ] was a kernel NULL-pointer dereference when setting up IOKit shared memory. This was exploitable from within some sandboxed 32-bit processes on OS X (for example the Chrome GPU process). As with all of these bugs, this one also allows any unsandboxed process to execute code in the kernel.
CVE-2014-4418 [ https://code.google.com/p/google-security-research/issues/detail?id=36 ]
No CVE* [ https://code.google.com/p/google-security-research/issues/detail?id=35 ]
were bugs affecting OS X and iOS in the implementation of the IOKit IODataQueue class, where the kernel trusted index and size fields in shared memory that was mapped writable into userspace. Looking at the release notes for iOS 8, these bugs seem to be very similar to one used in the recent Pangu Team jailbreak, which was released a few days after these bugs were reported to Apple.
CVE-2014-4389 [ https://code.google.com/p/google-security-research/issues/detail?id=39 ]
covered integer overflows in the bounds-checking code of IODataQueue that allowed kernel memory corruption on iOS and OS X.
CVE-2014-4390 [ https://code.google.com/p/google-security-research/issues/detail?id=37 ]
was another shared memory queuing bug, this time in the bluetooth stack.
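The IODataQueue and bluetooth queue bugs above share one pattern: the kernel consumes a queue whose header and entries live in memory userspace can rewrite at any time. The added C example below (not code from the bug reports or from Apple; the queue layout and field names are a simplified model constructed for illustration) shows a consumer that trusts those fields beside a hardened one that snapshots each field once, keeps the capacity kernel-side, and bounds-checks by subtraction so the index and size arithmetic cannot wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Simplified model of a shared-memory data queue, constructed for this
 * example (not Apple's IODataQueue layout). Userspace can write the whole
 * region, header included, at any time while the kernel consumes it. */
typedef struct {
    uint32_t head;     /* consumer offset into queue[] */
    uint32_t tail;     /* producer offset into queue[] */
    uint8_t  queue[];  /* entries: uint32_t size, then size bytes */
} shq_t;
#define HDR ((uint32_t)sizeof(uint32_t))

/* Vulnerable consumer: trusts head and the entry size read from shared
 * memory. A size larger than the remaining storage, or one that wraps
 * head + HDR + size, moves memcpy outside the queue buffer. */
bool dequeue_unsafe(shq_t *q, uint8_t *out, uint32_t out_len) {
    if (q->head == q->tail) return false;
    uint32_t size; memcpy(&size, q->queue + q->head, HDR);
    if (size > out_len) return false;      /* checks caller buffer, not queue */
    memcpy(out, q->queue + q->head + HDR, size);
    q->head += HDR + size;                 /* may overflow */
    return true;
}

/* Hardened consumer. qsize is the capacity kept in kernel-owned memory,
 * never re-read from the shared region. Each shared field is read once
 * into a local, then checked by subtraction so no sum can wrap. */
bool dequeue_safe(shq_t *q, uint32_t qsize, uint8_t *out, uint32_t out_len) {
    uint32_t head = q->head, tail = q->tail;
    if (head == tail) return false;
    if (head > qsize || tail > qsize) return false;  /* offsets in range */
    if (qsize - head < HDR) return false;            /* room for size field */
    uint32_t size; memcpy(&size, q->queue + head, HDR);   /* single read */
    if (size > qsize - head - HDR) return false;     /* payload inside queue */
    if (size > out_len) return false;                /* fits caller buffer */
    memcpy(out, q->queue + head + HDR, size);
    q->head = head + HDR + size;                     /* <= qsize by construction */
    return true;
}

/* Harness: 32 bytes of storage holding one entry whose size field is
 * `claimed` (constructed input). Returns the hardened consumer's verdict. */
bool safe_accepts(uint32_t head, uint32_t claimed) {
    uint32_t mem[2 + 8] = {0};                 /* header + 32 bytes, aligned */
    uint8_t out[64];
    shq_t *q = (shq_t *)mem;
    q->head = head; q->tail = 32;
    if (head <= 28) memcpy(q->queue + head, &claimed, HDR);
    return dequeue_safe(q, 32, out, sizeof out);
}
```

The unsafe variant is shown for contrast only; the harness drives the hardened consumer with in-range, boundary, wrapped and out-of-range values.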
CVE-2014-4404+ [ https://code.google.com/p/google-security-research/issues/detail?id=40 ]
was an interesting kernel heap overflow when parsing a binary keyboard map which affected iOS and OS X and was reachable by setting an IOKit registry value. See the linked bug for more details along with a PoC demonstrating kernel instruction pointer control.
CVE-2014-4379 [ https://code.google.com/p/google-security-research/issues/detail?id=42 ]
was another bug in the keyboard mapping code affecting iOS and OS X allowing userspace to read arbitrary kernel memory.
CVE-2014-4405+ [ https://code.google.com/p/google-security-research/issues/detail?id=41 ]
was a kernel NULL pointer dereference due to incorrect error handling in the key map parsing code; again, see the linked bug for a PoC demonstrating kernel instruction pointer control on OS X.
Finding and eliminating sandbox escapes is an important focus for Project Zero. The attack surface to break out of a sandbox is often smaller than the attack surface available to remote attackers to gain an initial foothold inside a sandbox. Therefore, strengthening sandboxes represents a solid return on investment of time.
Our research seems to indicate that sandbox break-outs on OS X and iOS are an under-researched topic. We’d encourage others to join us in bringing these sandboxes up to strength.
You can keep up-to-date with the latest Project Zero research by subscribing to labels in our bug tracker: https://code.google.com/p/google-security-research/issues/subscriptions
(*) These bugs exceeded Project Zero’s standard 90-day disclosure deadline.
(+) These bugs were only fixed on iOS and remain unpatched on OS X.