CVE-2015-6995
Apple iOS < 9.1 and OS X < 10.11.1 - Remote Code Execution via Disk Images Component
Exploitation Summary
EIP tracks 1 public exploit for CVE-2015-6995. PoCs published by Google Security Research.
AI-analyzed exploit summary: This exploit leverages an integer overflow in IOHDIXControllerUserClient::convertClientBuffer to trigger an undersized kalloc allocation, leading to a kernel heap overflow. The PoC attempts to exploit this by passing a size of 0xffffffff, causing an overflow and potentially allowing arbitrary kernel memory corruption.
Description
The Disk Images component in Apple iOS before 9.1 and OS X before 10.11.1 misparses images, which allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted app.