Posted by info on Mar 19
Hello,
I have recently found an exploitable heap overflow in a core OS X driver.
Particularly, the injectString function is vulnerable to an heap overflow and can be triggered without privileges of
any kind.
The vulnerable function can be seen at
http://opensource.apple.com/source/IOHIDFamily/IOHIDFamily-503.200.2/IOHIDSystem/IOHIDSecurePromptClient.cpp
I wrote a weaponized poc at http://github.com/kpwn/vpwn.
The KASLR leak is not reliable….