Mac OS X 10.10.2 kernel extension heap overflow resulting in LPE

Posted by Luca Todesco on Mar 19

Hello,

I have recently found an exploitable heap overflow in a core OS X driver.
Particularly, the injectString function is vulnerable to an heap overflow and can be triggered without privileges of
any kind.

The vulnerable function can be seen at 
http://opensource.apple.com/source/IOHIDFamily/IOHIDFamily-503.200.2/IOHIDSystem/IOHIDSecurePromptClient.cpp

I wrote a weaponized poc at http://github.com/kpwn/vpwn.

The KASLR leak included is…

Leave a Reply