CVE-2016-1794

HIGH

macOS < 10.11.5 - Remote Code Execution via AppleGraphicsControlClient::checkArguments

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-1794. PoCs published by Google Security Research.

AI-analyzed exploit summary This exploit leverages a race condition in AppleMuxControl.kext to trigger a NULL pointer dereference in the kernel, allowing arbitrary kernel RIP control by mapping the NULL page in userspace. It targets macOS 10.11.4 via a thread race between IOServiceClose and an IOKit method call.

Description

The AppleGraphicsControlClient::checkArguments method in AppleGraphicsControl in Apple OS X before 10.11.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (NULL pointer dereference) via a crafted app.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Google Security Research · cdososx

https://www.exploit-db.com/exploits/39922

View Code ZIP pw:eip

This exploit leverages a race condition in AppleMuxControl.kext to trigger a NULL pointer dereference in the kernel, allowing arbitrary kernel RIP control by mapping the NULL page in userspace. It targets macOS 10.11.4 via a thread race between IOServiceClose and an IOKit method call.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Racy

Target: Apple macOS 10.11.4 (15E65) with AppleMuxControl.kext

No auth needed

Prerequisites: macOS 10.11.4 (15E65) · Access to AppleMuxControl.kext · Ability to map the NULL page in userspace

MITRE ATT&CK