Exploitation Summary
EIP tracks 1 public exploit for CVE-2015-3693. PoCs published by Google Security Research.
AI-analyzed exploit summary
This PoC exploits the DRAM 'rowhammer' vulnerability to escape Native Client's x86-64 sandbox by inducing bit flips in read-only code. It leverages the CLFLUSH instruction to manipulate memory, bypassing NaCl's validator.
Description
Apple Mac EFI before 2015-001, as used in OS X before 10.10.4 and other products, does not properly set refresh rates for DDR3 RAM, which might make it easier for remote attackers to conduct row-hammer attacks, and consequently gain privileges or cause a denial of service (memory corruption), by triggering certain patterns of access to memory locations.
Exploits (1)
This PoC exploits the DRAM 'rowhammer' vulnerability to escape Native Client's x86-64 sandbox by inducing bit flips in read-only code. It leverages the CLFLUSH instruction to manipulate memory, bypassing NaCl's validator.