CVE-2016-1863
HIGH
Apple iOS <9.3.3, OS X <10.11.6, tvOS <9.2.2, watchOS <2.2.2 - Pri...
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2016-1863. PoCs published by Google Security Research.
AI-analyzed exploit summary: This exploit demonstrates a use-after-free (UaF) vulnerability in IOBluetoothHCIUserClient in macOS. It forks a child process, passes its task port to the parent, kills the child to free the task struct, and then triggers the UaF via an external method call on the user client.
Description
The kernel in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-4582 and CVE-2016-4653.
Exploits (1)
This exploit demonstrates a use-after-free (UaF) vulnerability in IOBluetoothHCIUserClient in macOS. It forks a child process, passes its task port to the parent, kills the child to free the task struct, and then triggers the UaF via an external method call on the user client.
References (11)
Scores
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H