Security researchers at Cisco Talos have discovered flaws in the IntelHD5000 kernel extension used in Apple OS X 10.13 that could be exploited for privilege escalation. The use-after-free memory corruption issues are present in the kernel extension's handling of graphics resources in macOS High Sierra. Exploiting the flaws would require a library to be loaded into the VLC media application to cause an out-of-bounds access inside the KEXT (kernel extension).
Apple’s macOS platform supports numerous different GPU models, with various kernel extensions available to ensure proper interaction between the kernel and user space. This particular kernel extension is used for graphics rendering and processing, and ships with the Retina MacBook Pro equipped with an Intel HD 5000 GPU. The extension, however, is subject to a use-after-free privilege escalation flaw.
The researchers say the vulnerabilities are also reachable from inside the Safari sandbox, which means the attack surface is potentially much larger. They also claim to have discovered a third issue, for which no CVE number has yet been assigned. Talos explains that the kernel extension uses a restricted subset of C++ and a defined means of communication between user space and the kernel known as IOKit.
Different types can be passed in to refer to different user clients stored under the same umbrella name, with an IOKit extension providing its own methods to handle user interaction. The flaws are essentially the same; the main difference between them is the value that can be replaced and the value it can be replaced with.
The execute function that manages the data buffers retrieves and accesses an object, and checks that the data is not null. If that check fails, the resource object is accessed again, a new value is retrieved, and it is then used directly without any further validation.
“This object is a reference to the object passed into delete above, creating a use-after-free scenario. This can be leveraged by an attacker to execute arbitrary code in the context of the kernel. The attacker also has a large window of time to set up the attack as the execute function above is actually triggered from user space as well,” the security researchers explain.
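The lookup-then-use pattern described above, as an added illustration that is not the kext's code and not from Talos: a constructed in-memory resource table where a second, unvalidated fetch after a failed null check hands back a released object, shown beside the hardened form that validates once and holds a reference while it works. The table, the `LIVE_MAGIC` poisoning and the return codes are all constructed for the simulation.

```c
#include <stddef.h>
/* Constructed simulation of the lookup-then-use pattern described above, not
 * the IntelHD5000 kext's code. Nothing is really freed: a release that reaches
 * refcount zero poisons the object, so a stale use is testable rather than UB. */
#define SLOTS 4
#define LIVE_MAGIC 0x4C495645u
typedef struct { unsigned magic; int refcount; } resource_t;
static resource_t pool[SLOTS];
static resource_t *table[SLOTS];  /* raw slot pointers, left dangling after release */
/* Fill the table with live objects; returns the number of live slots. */
int setup(void) {
    for (int i = 0; i < SLOTS; i++) {
        pool[i].magic = LIVE_MAGIC; pool[i].refcount = 1; table[i] = &pool[i];
    }
    return SLOTS;
}
/* Validated lookup: NULL for an out-of-range index or a released object. */
static resource_t *lookup_checked(int idx) {
    if (idx < 0 || idx >= SLOTS || table[idx]->magic != LIVE_MAGIC) return NULL;
    return table[idx];
}
/* Drop one reference (the user-space "delete"); returns the new count, or -1. */
int release_resource(int idx) {
    if (idx < 0 || idx >= SLOTS) return -1;
    if (--table[idx]->refcount == 0) table[idx]->magic = 0;  /* simulated free */
    return table[idx]->refcount;
}
/* 0 when the object is live, -1 when a freed (poisoned) object was touched. */
static int do_work(resource_t *r) { return r->magic == LIVE_MAGIC ? 0 : -1; }

/* Bug pattern: check once, then on failure re-read the raw slot and use it. */
int execute_vulnerable(int idx) {
    if (idx < 0 || idx >= SLOTS) return -2;
    resource_t *r = lookup_checked(idx);
    if (r == NULL) r = table[idx];        /* second fetch, no validation */
    return do_work(r);
}

/* Hardened form: one validated lookup, reject failure, and hold a reference
 * while working so a concurrent delete cannot free the object underneath us. */
int execute_fixed(int idx) {
    resource_t *r = lookup_checked(idx);
    if (r == NULL) return -2;             /* EINVAL-style rejection */
    r->refcount++;
    int rc = do_work(r);
    release_resource(idx);
    return rc;
}
```

After a client deletes a slot, `execute_vulnerable` still operates on the poisoned object (returns -1), while `execute_fixed` refuses the request (returns -2).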
The problems were identified in Apple OS X 10.13.4 running on a MacBookPro11.4. Fixes were announced in December 2018.
“As this vulnerability can be triggered potentially via the Safari web browser, it’s always important for users to understand that impacted software, drivers and libraries are widely used throughout an operating system’s own ecosystem,” Talos concludes.