Vulnerability Spotlight: Multiple apple IntelHD5000 privilege escalation vulnerabilities

TalosIntelligence

Security / TalosIntelligence 89 Views 0


Tyler Bohan of Cisco Talos discovered this vulnerability.

Executive Summary

A memory corruption vulnerability exists in the IntelHD5000 kernel extension when dealing with graphics resources inside of Apple OSX 10.13.4. A library inserted into the VLC media application can cause an out-of-bounds access inside of the KEXT leading to a use after free and invalid memory access in the context of the kernel. This can be used for privilege escalation.

Vulnerability Details

IntelHD5000 use-after-free vulnerability (TALOS-2018-0614/CVE-2018-4451, CVE-2018-4456)

Apple supports multiple different GPU versions inside of OSX. With this functionality comes multiple different kernel extensions assigned to deal with the details of the interaction between user space and the kernel to get the graphics buffers drawn effectively. The provided GPU on the retina MacBook Pro is the Apple Intel HD 5000 processor. Therefore, this kernel extension is used in graphics rendering and processing throughout and is subject to a use-after-free privilege escalation vulnerability. The vulnerability is also reachable from inside the Safari sandbox creating a larger potential attack surface.

A brief look at Apple kernel extensions shows that it uses a restricted subset language and a unique way of communication between userspace and the kernel known as IOKit. Essentially, an IOKit extension inherits class from a UserClient and registers its own methods to handle user interaction. There are also various types that can be passed in to connect to different UserClients stored under the same umbrella name. Upon connection, a port is returned and this port is forwarded through in all further communications. In the proof of concept included, VLC is used to handle this basic connection and port setup.

For additional information, please see the advisory here.

IntelHD5000 use-after-free vulnerability& (TALOS-2018-0615/CVE-2018-4421)

Apple supports multiple different GPU versions inside of OSX. With this functionality comes multiple different kernel extensions assigned to deal with the details of the interaction between userspace and the kernel to get the graphics buffers drawn effectively. The provided GPU on the retina MacBook Pro is the Apple Intel HD 5000 processor. This kernel extension is used in graphics rendering and processing throughout and is the subject to a use-after-free privilege escalation vulnerability. The vulnerability is also reachable from inside the Safari sandbox, creating a larger potential attack surface.

A brief look at Apple kernel extensions shows that it uses a restricted subset language and a unique way of communication between userspace and the kernel known as IOKit. Essentially, an IOKit extension inherits from a UserClient class and registers its own methods to handle user interaction. There are also various types that can be passed in to connect to different UserClients stored under the same umbrella name. Upon connection, a port is returned and this port is forwarded through in all further communications. In the proof of concept included, VLC is used to handle this basic connection and port setup.

For additional information, please see the advisory here.

Versions Tested

OS X 10.13.4 - MacBookPro11.4

Conclusion

As this vulnerability can be triggered potentially via the Safari web browser, it’s always important for users to understand that impacted software, drivers and libraries are widely used throughout an operating system’s own ecosystem. Privilege escalations can allow an attacker to move from an untrusted user account to a trusted system account within the operating system, which can allow for administrative access and therefore allows adversaries to carry out malicious actions.


Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 46858 - 46859

Comments