CVE-2016-1823

HIGH

Apple tvOS < 9.2.1 - Out-of-bounds Read via IOHIDDevice::handleReportWithTime

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-1823. PoCs published by Google Security Research.

AI-analyzed exploit summary This exploit demonstrates an out-of-bounds (OOB) read vulnerability in IOHIDFamily on macOS due to insufficient bounds checking when casting an integer to an IOHIDReportType enum. The PoC triggers the vulnerability by passing a large scalar value (0xe0000000) to IOConnectCallMethod, leading to an OOB read and potential kernel panic.

Description

The IOHIDDevice::handleReportWithTime function in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (out-of-bounds read and memory corruption) via a crafted IOHIDReportType enum, which triggers an incorrect cast, a different vulnerability than CVE-2016-1824.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Google Security Research · cdososx

https://www.exploit-db.com/exploits/39927

View Code ZIP pw:eip

This exploit demonstrates an out-of-bounds (OOB) read vulnerability in IOHIDFamily on macOS due to insufficient bounds checking when casting an integer to an IOHIDReportType enum. The PoC triggers the vulnerability by passing a large scalar value (0xe0000000) to IOConnectCallMethod, leading to an OOB read and potential kernel panic.

Classification

Working Poc 95%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: macOS IOHIDFamily (tested on OS X 10.11.4)

No auth needed

Prerequisites: Access to a vulnerable macOS system with the AppleUSBTCButtons driver

MITRE ATT&CK