LPE Issue in IOBluetoothHCIUserClient

  • Authors: Aristide Fattori (@joystick) and Roberto Paleari (@rpaleari)
  • Notification date: 09/03/2015
  • Release date: 30/06/2015
  • Status: Fixed in OS X 10.10.4


We identified an LPE issue in OS X Yosemite (10.10.2). Briefly, it appears the bug can be triggered by putting one HCIRequest in the waiting queue and then closing the connection to the service (or terminating the calling process).

As an example, a request can be put in the waiting queue by sequentially invoking DispatchHCIBluetoothHCIWriteCurrentIACLAP() and DispatchHCIBluetoothHCIReadCurrentIACLAP(). Requests in this queue are eventually processed by ProcessWaitingRequests(). However, it appears that, if this function is invoked while the user-space process closes its connection to the service (or terminates), the request being handled is corrupted/destroyed, which may lead to unexpected behaviors in ProcessWaitingRequests().

Our proof-of-concept exploits this problem to reliably redirect execution to address 0x0. Obviously, this PoC could be further elaborated to allow an attacker to perform an LPE attack.
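The bug class described above (a queued request whose owning connection goes away before the worker that services the queue runs, leaving the worker to call through a destroyed object) is easier to reason about with a small model. The following C program is an added illustration written for this page; it is not Apple's IOBluetoothHCIUserClient code, and every name and structure in it (the request struct, the fixed pool, `client_close_unsafe`, `client_close_safe`, `process_waiting_requests`) is an assumption. The vulnerable close path destroys the request while the queue still points at it, which the model reports instead of actually jumping to 0x0; the hardened close path unlinks the closing client's requests under the queue before destroying them, so the worker can never observe a dead request.

```c
/* Model of the request-lifetime race described in this advisory: a queued
 * HCIRequest whose owning connection closes before ProcessWaitingRequests()
 * runs. Constructed example, not Apple's IOBluetoothHCIUserClient code;
 * all names and structures are assumptions. */
#include <stddef.h>
#include <stdio.h>

#define MAX_REQUESTS 8
#define REQ_LIVE  0x52455155u   /* request still owned by an open client */
#define REQ_DEAD  0xDEADDEADu   /* poison written when the client tears it down */

struct hci_request {
    unsigned magic;
    int owner;                              /* id of the user client that queued it */
    int (*complete)(struct hci_request *);  /* completion routine run by the worker */
    struct hci_request *next;
};

struct waiting_queue {
    struct hci_request *head;               /* FIFO of requests awaiting the controller */
};

/* Fixed pool instead of a kernel allocator, so the model stays deterministic. */
static struct hci_request pool[MAX_REQUESTS];
static int pool_used;

static int complete_read_current_iaclap(struct hci_request *r) {
    (void)r;
    return 1;                               /* stands in for returning the IAC LAP to user space */
}

/* Models a Read request left on the waiting queue because the preceding
 * Write request made the controller busy. */
static struct hci_request *enqueue_request(struct waiting_queue *q, int owner) {
    struct hci_request *r = &pool[pool_used++];
    struct hci_request *t;
    r->magic = REQ_LIVE;
    r->owner = owner;
    r->complete = complete_read_current_iaclap;
    r->next = NULL;
    if (!q->head) { q->head = r; return r; }
    for (t = q->head; t->next; t = t->next) ;
    t->next = r;
    return r;
}

/* Vulnerable teardown: the connection closes and destroys the request object,
 * but the queue's pointer to it is left intact. Freed memory is modelled by
 * poisoning the magic and zeroing the completion pointer, which is how a
 * later dispatch ends up at address 0x0. */
static void client_close_unsafe(struct hci_request *r) {
    r->magic = REQ_DEAD;
    r->complete = NULL;
}

/* Hardened teardown: unlink every request the closing client still owns
 * before destroying it, so the worker never sees a destroyed request. */
static void client_close_safe(struct waiting_queue *q, int owner) {
    struct hci_request **pp = &q->head;
    while (*pp) {
        struct hci_request *r = *pp;
        if (r->owner == owner) {
            *pp = r->next;                  /* unlink first ... */
            r->magic = REQ_DEAD;            /* ... then destroy */
            r->complete = NULL;
        } else {
            pp = &r->next;
        }
    }
}

/* Models ProcessWaitingRequests(). Returns the number of requests completed,
 * or -1 on reaching a destroyed request (where the real kernel would call
 * through a dangling or NULL completion pointer). */
static int process_waiting_requests(struct waiting_queue *q) {
    int done = 0;
    while (q->head) {
        struct hci_request *r = q->head;
        q->head = r->next;
        if (r->magic != REQ_LIVE || r->complete == NULL)
            return -1;
        r->complete(r);
        done++;
    }
    return done;
}

/* Two clients queue a request each; client 2 closes before the worker runs. */
static int run_scenario(int hardened) {
    struct waiting_queue q = { NULL };
    struct hci_request *r2;
    pool_used = 0;
    enqueue_request(&q, 1);
    r2 = enqueue_request(&q, 2);
    if (hardened)
        client_close_safe(&q, 2);
    else
        client_close_unsafe(r2);
    return process_waiting_requests(&q);
}

int main(void) {
    printf("vulnerable close: %d\nhardened close:   %d\n",
           run_scenario(0), run_scenario(1));
    return 0;
}
```

The design point is ordering: the safe path removes the request from every structure that can reach it (here, the waiting queue) before the memory is released, whereas the unsafe path releases first and leaves the queue to discover the dangling reference on its own. In a real driver the unlink and the worker's dequeue must also be serialized by the same lock, since the advisory's trigger is precisely the close racing ProcessWaitingRequests().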