Apple macOS Sierra 10.12.1 physmem Local Privilege Escalation Vulnerability / Exploit
Exploits / Vulnerability Discovered: 2017-01-16 | Type: local | Platform: macOS
## physmem
<!-- Brandon Azad -->
physmem is a physical memory inspection tool and local privilege escalation targeting macOS up
through 10.12.1. It exploits either [CVE-2016-1825] or [CVE-2016-7617] depending on the deployment
target. These two vulnerabilities are nearly identical, and exploitation can be done exactly the
same. They were patched in OS X El Capitan [10.11.5] and macOS Sierra [10.12.2], respectively.
Because these are logic bugs, exploitation is incredibly reliable. I have not yet experienced a
panic in the tens of thousands of times I've run a program (correctly) exploiting these
vulnerabilities.
### CVE-2016-1825
CVE-2016-1825 is an issue in IOHIDevice which allows setting arbitrary IOKit registry properties.
In particular, the privileged property IOUserClientClass can be controlled by an unprivileged
process. I have not tested platforms before Yosemite, but the vulnerability appears in the source
code as early as Mac OS X Leopard.
### CVE-2016-7617
CVE-2016-7617 is an almost identical issue in AppleBroadcomBluetoothHostController. This
vulnerability appears to have been introduced in OS X El Capitan. It was reported by Ian Beer of
Google's Project Zero (issue [974]) and Radu Motspan.
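
For patch triage, the version statements above can be turned into an exposure check over a host inventory. This is an added example, not part of physmem or the original README; the function names and the inventory are constructed, and the lower bounds (Leopard = 10.5, El Capitan = 10.11) encode the README's "appears" statements rather than tested facts.

```python
import re

# (first release said to contain the bug, first fixed release), per the README.
EXPOSURE = {
    "CVE-2016-1825": ((10, 5, 0), (10, 11, 5)),   # Leopard source .. fixed in 10.11.5
    "CVE-2016-7617": ((10, 11, 0), (10, 12, 2)),  # El Capitan .. fixed in 10.12.2
}

def parse_version(text):
    """Turn '10.12.1' or '10.12' into a 3-tuple; raise ValueError otherwise."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised product version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def exposed_cves(product_version):
    """Return the CVEs whose affected range contains this product version."""
    v = parse_version(product_version)
    return sorted(cve for cve, (first, fixed) in EXPOSURE.items()
                  if first <= v < fixed)

def triage(inventory):
    """Map host -> list of CVEs, or None when the version needs manual review."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = exposed_cves(version)
        except ValueError:
            report[host] = None
    return report

# Constructed inventory (hypothetical host names), e.g. collected with `sw_vers -productVersion`.
SAMPLE_INVENTORY = {
    "build-01": "10.10.5",
    "design-07": "10.11.4",
    "design-09": "10.11.6",
    "lab-03": "10.12.1",
    "lab-04": "10.12.2",
    "kiosk-02": "unknown",
}

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        status = "manual review" if cves is None else (", ".join(cves) or "not exposed")
        print(f"{host:10} {SAMPLE_INVENTORY[host]:8} {status}")
```

The check uses the product version only, so a fix delivered without changing that version is not visible to it; treat a positive result as a prompt to confirm the installed updates.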