Among the bugs that Apple patched in OS X 10.11.5 is CVE-2016-1828,
a use-after-free I discovered late last year while looking through the kernel
source. Combined with CVE-2016-1758, an information leak patched in
10.11.4, this vulnerability can be used to execute arbitrary code in the
kernel. In this post I’ll document how I created rootsh, a local privilege
escalation for OS X 10.10.5 (14F27).
CVE-2016-1828 is a use-after-free in the function OSUnserializeBinary. By
passing a crafted binary blob to this function, it is possible to invoke a
virtual method on an object with a controlled vtable pointer. I leveraged the
use-after-free to create a NULL pointer dereference, allowing the vtable and
the ROP stack to live in user space.
CVE-2016-1758 is a kernel stack disclosure in the function if_clone_list: 8
bytes of uninitialized kernel stack are copied to user space. Those bytes can
be initialized to a known location within the kernel text segment by invoking a
system call prior to triggering the disclosure. After leaking the text segment
pointer, the kernel slide can be computed by subtracting the base address of
that particular text segment location from the leaked address.