By Juwei Lin
Apple has posted security updates for macOS that address, among others, two vulnerabilities disclosed by Trend Micro. CVE-2019-8519 is an out-of-bounds (OOB) read in the graphics drivers shipped with macOS Mojave 10.14.3: reading past the end of a buffer can leak restricted kernel memory or, if the read reaches an unmapped page, crash the kernel. CVE-2019-8529 is an out-of-bounds write (OOW) in IOKit SCSI, present in macOS High Sierra 10.13.6 and Mojave 10.14.3. Code already running on an unpatched machine can abuse both flaws to read or corrupt kernel memory, escalate privileges, or take the system down in a denial of service (DoS).
CVE-2019-8519 can be used to crash the kernel or leak kernel heap memory: the driver creates a struct and copies more data out of the input buffer into the newly allocated one than the input actually holds. In the proof-of-concept (PoC) we wrote to test the OOB read, the arguments passed to s_new-resource initialize new_resource without further checks, and once the graphics driver (the AMD Radeon X4000 series driver) was initialized, entrybuffer was filled block by block without the length of the source memory ever being checked against the amount copied.
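The pattern above, as an added illustration that is not code from the original post or from Apple's driver: a request header declares a block geometry, the handler allocates and fills an entry buffer from that geometry, and nothing compares the total against the length of the source. The names (new_resource_req, new_resource_unchecked, new_resource_checked, RES_*) and the heap layout are hypothetical; the 16 bytes of "adjacent kernel data" are constructed so that the over-read has something to leak while staying inside one C object. The hardened version also guards the size multiplication against wrapping, a failure mode the paragraph does not spell out but that the same check must cover.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical return codes standing in for IOReturn values. */
enum { RES_OK = 0, RES_BAD_ARGUMENT = -1 };

/* Hypothetical request header: the caller declares the geometry of the data it
 * claims to have supplied.  Both fields are attacker-controlled. */
struct new_resource_req {
    uint32_t block_size;
    uint32_t block_count;
};

/* Constructed model of kernel heap: the caller's 16-byte input is immediately
 * followed by 16 bytes of unrelated kernel data (0xEE).  One flat array is used so
 * that the demonstration over-read stays inside a single C object. */
#define SRC_LEN      16
#define NEIGHBOR_LEN 16
static uint8_t heap[SRC_LEN + NEIGHBOR_LEN];

static void heap_setup(void) {
    memset(heap, 0x41, SRC_LEN);                  /* legitimate input bytes */
    memset(heap + SRC_LEN, 0xEE, NEIGHBOR_LEN);   /* "adjacent kernel memory" */
}

/* Vulnerable pattern.  entrybuffer was allocated from block_size * block_count and the
 * copy loop trusts the same two fields, so nothing ever compares the total against
 * src_len: blocks beyond the input are read from whatever follows it on the heap. */
size_t new_resource_unchecked(const struct new_resource_req *req,
                              const uint8_t *src, size_t src_len, uint8_t *entrybuffer) {
    (void)src_len;                                 /* never consulted */
    size_t copied = 0;
    for (uint32_t i = 0; i < req->block_count; i++) {
        memcpy(entrybuffer + copied, src + copied, req->block_size);
        copied += req->block_size;
    }
    return copied;
}

/* Hardened version: reject zero sizes, bound the total without letting the
 * multiplication wrap, and refuse anything larger than the source or destination. */
int new_resource_checked(const struct new_resource_req *req,
                         const uint8_t *src, size_t src_len,
                         uint8_t *entrybuffer, size_t entrybuffer_len, size_t *copied) {
    if (req->block_size == 0 || req->block_count == 0) return RES_BAD_ARGUMENT;
    /* block_count <= src_len / block_size  <=>  block_count * block_size <= src_len,
     * evaluated without overflow. */
    if (req->block_count > src_len / req->block_size) return RES_BAD_ARGUMENT;
    size_t total = (size_t)req->block_size * req->block_count;
    if (total > entrybuffer_len) return RES_BAD_ARGUMENT;
    memcpy(entrybuffer, src, total);
    *copied = total;
    return RES_OK;
}

/* Scenario: 3 blocks of 8 bytes requested against a 16-byte input.  Returns how many
 * bytes of the neighbouring kernel data the vulnerable copy leaked into entrybuffer. */
int leaked_bytes_unchecked(void) {
    heap_setup();
    struct new_resource_req req = { .block_size = 8, .block_count = 3 };
    uint8_t entrybuffer[24];
    size_t n = new_resource_unchecked(&req, heap, SRC_LEN, entrybuffer);
    int leaked = 0;
    for (size_t i = 0; i < n; i++) leaked += (entrybuffer[i] == 0xEE);
    return leaked;
}

/* Same 16-byte input through the hardened path; returns the result code. */
int checked_result(uint32_t block_size, uint32_t block_count) {
    heap_setup();
    struct new_resource_req req = { .block_size = block_size, .block_count = block_count };
    uint8_t entrybuffer[24];
    size_t n = 0;
    return new_resource_checked(&req, heap, SRC_LEN, entrybuffer, sizeof entrybuffer, &n);
}

int main(void) {
    printf("unchecked copy leaked %d bytes of adjacent heap\n", leaked_bytes_unchecked());
    printf("checked copy, 3 x 8 bytes from 16: %d\n", checked_result(8, 3));
    printf("checked copy, 2 x 8 bytes from 16: %d\n", checked_result(8, 2));
    printf("checked copy, 2 x 0x80000000 bytes: %d\n", checked_result(0x80000000u, 2));
    return 0;
}
```

In a real driver the leaked bytes end up in a buffer the caller can read back, which is why the bug is an information disclosure and not only a crash; the panic case is the same loop walking off the end of a mapped page.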
Figure 1. PoC code segment for CVE-2019-8519, abusing the graphics driver flaw.
In CVE-2019-8529, selector 4 of the SCSITaskUserClient externalMethod does not validate the value of scalarInput: the attacker-supplied value is passed straight to ReleaseTaskReference, which uses it as an index at location (a). The PoC segment and kernel panic log below show the resulting OOW. An out-of-bounds write of this kind lets the caller place data past the end of the buffer, or before its beginning with a negative or wrapped index, and so corrupt whatever kernel state happens to live there; on an unpatched system that is the foothold for escalating to kernel privileges, and at minimum a kernel panic.
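An added example of the unchecked-index pattern and its fix, written for this page and not taken from Apple's IOKit SCSI code: a dispatcher shaped like externalMethod routes selector 4 to three versions of a release handler, the vulnerable one, a half-fix that checks a signed value (and therefore only the upper bound), and a correct one that compares the full unsigned 64-bit scalar before it is used. All names (scsi_client, release_task_reference_*, RET_*, run_release) and the table layout are hypothetical, and the guard words around the table are constructed so the stray writes stay inside one C object and can be observed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical return codes standing in for IOReturn values. */
enum { RET_SUCCESS = 0, RET_BAD_ARGUMENT = -2, RET_UNSUPPORTED = -3 };

#define TASK_TABLE_SIZE            8
#define SEL_RELEASE_TASK_REFERENCE 4   /* the selector named in the text; others omitted */

/* Constructed model of a user client's state.  The task-reference table sits between
 * two guard words that stand for whatever kernel data precedes and follows it.  One
 * flat array keeps the demonstration writes inside a single C object. */
struct scsi_client {
    uint32_t mem[TASK_TABLE_SIZE + 2];
};
#define TASK_REFS(c)    ((c)->mem + 1)
#define GUARD_BEFORE(c) ((c)->mem[0])
#define GUARD_AFTER(c)  ((c)->mem[TASK_TABLE_SIZE + 1])
#define GUARD_MARKER    0xDEADBEEFu

typedef int (*release_fn)(struct scsi_client *, uint64_t);

/* Vulnerable pattern (location (a) in the text): the scalar from user space becomes
 * the index without any comparison against the table size. */
int release_task_reference_unchecked(struct scsi_client *c, uint64_t scalar) {
    uint32_t idx = (uint32_t)scalar;
    TASK_REFS(c)[idx] = 0;
    return RET_SUCCESS;
}

/* Half-fix: a check exists but runs on a signed value, so only the upper bound is
 * enforced.  (uint64_t)-1 becomes -1 and the write lands before the table. */
int release_task_reference_signed_check(struct scsi_client *c, uint64_t scalar) {
    int64_t idx = (int64_t)scalar;
    if (idx >= TASK_TABLE_SIZE) return RET_BAD_ARGUMENT;
    TASK_REFS(c)[idx] = 0;
    return RET_SUCCESS;
}

/* Hardened version: compare the full unsigned 64-bit scalar before it is ever used as
 * an index (rejecting "negative" values and anything that would truncate), and refuse
 * to release a slot that holds no reference. */
int release_task_reference_checked(struct scsi_client *c, uint64_t scalar) {
    if (scalar >= TASK_TABLE_SIZE) return RET_BAD_ARGUMENT;
    size_t idx = (size_t)scalar;
    if (TASK_REFS(c)[idx] == 0) return RET_BAD_ARGUMENT;
    TASK_REFS(c)[idx] = 0;
    return RET_SUCCESS;
}

/* Dispatcher in the shape of an externalMethod.  IOKit's dispatch table can enforce
 * the argument *count* for a selector; validating the *value* of scalarInput[0] is
 * entirely the handler's job. */
int external_method(struct scsi_client *c, uint32_t selector,
                    const uint64_t *scalar_input, uint32_t scalar_input_count,
                    release_fn release_impl) {
    if (selector != SEL_RELEASE_TASK_REFERENCE) return RET_UNSUPPORTED;
    if (scalar_input_count != 1) return RET_BAD_ARGUMENT;
    return release_impl(c, scalar_input[0]);
}

struct release_result {
    int ret;
    uint32_t guard_before;   /* word preceding the table after the call */
    uint32_t guard_after;    /* word following the table after the call */
    uint32_t slot3;          /* a legitimate in-bounds entry, for the happy path */
};

/* Drives selector 4 with an attacker-chosen scalar through the given handler on a
 * freshly initialised client and reports what the write touched. */
struct release_result run_release(release_fn impl, uint64_t scalar) {
    struct scsi_client c;
    for (int i = 0; i < TASK_TABLE_SIZE; i++) TASK_REFS(&c)[i] = 0x1000u + (uint32_t)i;
    GUARD_BEFORE(&c) = GUARD_MARKER;
    GUARD_AFTER(&c) = GUARD_MARKER;
    uint64_t scalar_input[1] = { scalar };
    struct release_result r;
    r.ret = external_method(&c, SEL_RELEASE_TASK_REFERENCE, scalar_input, 1, impl);
    r.guard_before = GUARD_BEFORE(&c);
    r.guard_after = GUARD_AFTER(&c);
    r.slot3 = TASK_REFS(&c)[3];
    return r;
}

int main(void) {
    struct release_result r = run_release(release_task_reference_unchecked, TASK_TABLE_SIZE);
    printf("unchecked, idx=%d: ret=%d guard_after=0x%08x\n", TASK_TABLE_SIZE, r.ret, r.guard_after);
    r = run_release(release_task_reference_signed_check, (uint64_t)-1);
    printf("signed check, idx=-1: ret=%d guard_before=0x%08x\n", r.ret, r.guard_before);
    r = run_release(release_task_reference_checked, (uint64_t)-1);
    printf("checked, idx=-1: ret=%d guard_before=0x%08x\n", r.ret, r.guard_before);
    return 0;
}
```

The order of operations in the hardened handler is the point: the comparison happens on the value as it arrived from user space, and only then is it narrowed to an index type. Checking after a cast, or against a signed type, reopens exactly the write-before-the-buffer case the paragraph describes.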
Figure 2. Location (a) and a PoC code segment of CVE-2019-8529 with trigger().
Figure 3. Section of the kernel panic log produced by the OOW.
Both bugs are reached through IOKit user clients from a user-space application, so an attacker who already has code running on an unpatched Mac, such as a malicious or compromised application, can use them to gain kernel privileges and take full control of the machine. Users of the affected versions should install Apple's released patches as soon as possible; the fixes are listed in Apple's security content for the corresponding macOS updates. Multilayered endpoint protection that detects and blocks attempts to exploit these flaws adds a further safeguard, but it is not a substitute for patching.
Additional insights by Aleksandr Tarasikov and Junzhi Lu of ZDI.