

Multiple vulnerabilities in AppleMCCS

  • Authors: Roberto Paleari (@rpaleari) and Aristide Fattori (@joystick)
  • Notification date: 07/04/2015
  • Release date: 30/06/2015
  • Status: Fixed in OS X 10.10.4

Dereference of a controlled pointer and LPE issue in AppleMCCS


We identified a dereference of a pointer supplied from user space in method AppleMCCSControlFamily::ioRegisterEventHandler() (from kext AppleMCCSControl). An attacker can leverage this issue to cause a local denial of service by providing an invalid pointer.

Furthermore, we discovered that this issue may be exploited to mount a local privilege escalation (LPE) attack if an I2C device is currently plugged into the victim's computer. After a specially crafted event handler is registered through AppleMCCSControlFamily::ioRegisterEventHandler(), a later call to either AppleMCCSControlFamily::ioSetTable() or AppleMCCSControlFamily::ioSetCurrent() eventually reaches AppleMCCSControlFamily::dispatchMCCSEventNotification(). This function invokes a user-provided function pointer, possibly leading to an LPE attack.

Kernel address leak in AppleMCCSControl


We identified a kernel memory address leak in method AppleMCCSControlFamily::ioRegisterEventHandler() (from kext AppleMCCSControl). When invoked from userspace, this method returns a pointer to an allocated in-kernel object. This information may be used by an attacker to calculate the kSlide parameter and defeat KASLR.
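
Both issues above come from pointers crossing the user/kernel boundary in a handler-registration interface. The following added example is a simplified user-space C model of a defensive pattern for that interface class; it is not code from AppleMCCSControl or from Apple's fix, and every name in it (register_handler, dispatch_event, the callback table) is hypothetical. Callers select a callback by index into a table owned by the trusted side, and receive an opaque handle instead of an object address.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model: names are illustrative, not taken from the kext. */
#define MAX_HANDLERS 8

typedef void (*event_fn)(uint32_t event, int *counter);

static void on_table_change(uint32_t event, int *counter)   { (void)event; *counter += 1; }
static void on_current_change(uint32_t event, int *counter) { (void)event; *counter += 100; }

/* Callbacks live in a table owned by the trusted side; callers pick an index,
 * so no caller-supplied value is ever used as a code address. */
static const event_fn k_callbacks[] = { on_table_change, on_current_change };
#define N_CALLBACKS (sizeof k_callbacks / sizeof k_callbacks[0])

struct slot { int in_use; uint32_t callback_id; uint32_t generation; };
static struct slot g_slots[MAX_HANDLERS];

/* Register a handler. Returns 0 and an opaque handle, or -1 on rejection.
 * The handle encodes slot index and generation, never an object address,
 * so it reveals nothing about memory layout. */
int register_handler(uint32_t callback_id, uint32_t *out_handle)
{
    if (out_handle == NULL || callback_id >= N_CALLBACKS)
        return -1;
    for (uint32_t i = 0; i < MAX_HANDLERS; i++) {
        if (!g_slots[i].in_use) {
            g_slots[i].in_use = 1;
            g_slots[i].callback_id = callback_id;
            g_slots[i].generation = (g_slots[i].generation + 1) & 0xFFFF;
            *out_handle = (g_slots[i].generation << 16) | i;
            return 0;
        }
    }
    return -1; /* table full */
}

/* Dispatch an event: validate the handle, then call through the trusted table. */
int dispatch_event(uint32_t handle, uint32_t event, int *counter)
{
    uint32_t idx = handle & 0xFFFF, gen = handle >> 16;
    if (idx >= MAX_HANDLERS || !g_slots[idx].in_use || g_slots[idx].generation != gen)
        return -1; /* forged or stale handle */
    k_callbacks[g_slots[idx].callback_id](event, counter);
    return 0;
}
```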