polkit_sequence.txt
This sequence of events is derived from the tracing data gathered
in logentries and checkauthdata_table (see info.txt).
000: user_get_fallback_value (Language)
001: user_get_fallback_value (FormatsLocale)
002: 0x0000564cfbd1f970 set language (2x) \
003: 0x0000564cfbd1f970 set language cb (2x) / <=== trigger bug (1st time)
004: 0x0000564cfbd0efd0 set email (2x) \
005: 0x0000564cfbd0efd0 set email cb (2x) /
006: 0x0000564cfbc8e4c0 set password (5x) <=== [vuln chunk] gets denied (051)
007: 0x0000564cfbd1f930 set email (2x) \
008: 0x0000564cfbd1f930 set email cb (2x) /
009: 0x0000564cfbd1e390 set password (3x) <=== gets denied (082)
010: 0x0000564cfbd1cc80 set email (2x) \
011: 0x0000564cfbd1cc80 set email cb (2x) /
012: 0x0000564cfbc81670 set password (2x) <=== gets denied (116)
013: 0x0000564cfbd20800 set language (2x) \
014: 0x0000564cfbd20800 set language cb (2x) / <=== trigger bug (2nd time)
015: 0x0000564cfbc81c10 set email (2x) \
016: 0x0000564cfbc81c10 set email cb (2x) /
017: 0x0000564cfbc903e0 set password (2x) <=== gets denied (150)
018: 0x0000564cfbc81e00 set email (3x) \
019: 0x0000564cfbc81e00 set email cb (3x) /
020: 0x0000564cfbd1cfe0 set password (1x)
021: 0x0000564cfbc927e0 set email (2x) <=== gets approved (158)
022: 0x0000564cfbd102d0 set password (1x)
023: 0x0000564cfbc7a600 set email (2x) <=== gets approved (159)
024: 0x0000564cfbd11a40 set password (1x)
025: 0x0000564cfbd1e740 set email (2x) <=== gets approved (160)
026: 0x0000564cfbc7fc20 set password (1x)
027: 0x0000564cfbd23e80 set email (2x) <=== gets approved (161)
028: 0x0000564cfbcd6bd0 set password (1x)
029: 0x0000564cfbc8e4c0 set email (5x) <=== [vuln chunk] gets approved (162), but it also gets overwritten (061)
030: 0x0000564cfbd23f00 set password (1x)
031: 0x0000564cfbd21cb0 set email (1x)
032: 0x0000564cfbc83800 set password (1x)
033: 0x0000564cfbd15f10 set email (1x)
034: 0x0000564cfbd1f2e0 set password (1x)
035: 0x0000564cfbd16ac0 set email (1x)
036: 0x0000564cfbc85ce0 set password (1x)
037: 0x0000564cfbd0f6a0 set email (1x)
038: 0x0000564cfbc7e590 set password (1x)
039: 0x0000564cfbd1d350 set email (1x)
040: 0x0000564cfbd18020 set password (1x)
041: 0x0000564cfbd17e30 set email (1x)
042: 0x0000564cfbd13030 set password (1x)
043: 0x0000564cfbd23ea0 set email (1x)
044: 0x0000564cfbd17ef0 set password (1x)
045: 0x0000564cfbd19310 set email (1x)
046: 0x0000564cfbc81e00 set password (3x) <=== same pointer as 018, but probably not relevant to the exploit
047: 0x0000564cfbd26320 set email (1x)
048: 0x0000564cfbd18100 set password (1x)
049: 0x0000564cfbd17b60 set email (1x)
050: 0x0000564cfbd28460 set password (1x)
051: 0x0000564cfbc8e4c0 set password cb (5x) <=== [vuln chunk] denied (006)
052: 0x0000564cfbd194a0 set email (1x)
053: 0x0000564cfbd284e0 set password (1x)
054: 0x0000564cfbd275d0 set email (1x)
055: 0x0000564cfbd29380 set password (1x)
056: 0x0000564cfbd21c40 set email (1x)
057: 0x0000564cfbd19630 set password (1x)
058: 0x0000564cfbd17d20 set email (1x)
059: 0x0000564cfbd1c3e0 set password (1x)
060: 0x0000564cfbd293a0 set email (1x)
061: 0x0000564cfbc8e4c0 set password (5x) <=== [vuln chunk] gets approved (161) due to overwriting chunk
062: 0x0000564cfbd1e790 set email (1x)
063: 0x0000564cfbd2aec0 set password (1x)
064: 0x0000564cfbd2af70 set email (1x)
065: 0x0000564cfbd2d8f0 set password (1x)
066: 0x0000564cfbd2d9e0 set email (1x)
067: 0x0000564cfbd2da70 set password (1x)
068: 0x0000564cfbd262a0 set email (1x)
069: 0x0000564cfbd2dd50 set password (1x)
070: 0x0000564cfbd2abd0 set email (1x)
071: 0x0000564cfbd2bc90 set password (1x)
072: 0x0000564cfbd2cbe0 set email (1x)
073: 0x0000564cfbd2e2d0 set password (1x)
074: 0x0000564cfbd2ae40 set email (1x)
075: 0x0000564cfbd2d800 set password (1x)
076: 0x0000564cfbd2e270 set email (1x)
077: 0x0000564cfbd30430 set password (1x)
078: 0x0000564cfbd31210 set email (1x)
079: 0x0000564cfbd32820 set password (1x)
080: 0x0000564cfbd310a0 set email (1x)
081: 0x0000564cfbd2cad0 set password (1x)
082: 0x0000564cfbd1e390 set password cb (3x) <=== denied (009)
083: 0x0000564cfbd1e390 set email (3x) <=== same pointer as 009, but probably not relevant to the exploit
084: 0x0000564cfbd262c0 set password (1x)
085: 0x0000564cfbd2c820 set email (1x)
086: 0x0000564cfbd31280 set password (1x)
087: 0x0000564cfbd32d50 set email (1x)
088: 0x0000564cfbc829a0 set password (1x)
089: 0x0000564cfbd1ccd0 set email (1x)
090: 0x0000564cfbd2e040 set password (1x)
091: 0x0000564cfbd13050 set email (1x)
092: 0x0000564cfbd352f0 set password (1x)
093: 0x0000564cfbd35780 set email (1x)
094: 0x0000564cfbd32c80 set password (1x)
095: 0x0000564cfbd364d0 set email (1x)
096: 0x0000564cfbd28480 set password (1x)
097: 0x0000564cfbd364f0 set email (1x)
098: 0x0000564cfbd34270 set password (1x)
099: 0x0000564cfbd35520 set email (1x)
100: 0x0000564cfbd32ae0 set password (1x)
101: 0x0000564cfbd34080 set email (1x)
102: 0x0000564cfbd34300 set password (1x)
103: 0x0000564cfbd37310 set email (1x)
104: 0x0000564cfbd36310 set password (1x)
105: 0x0000564cfbd362a0 set email (1x)
106: 0x0000564cfbd37680 set password (1x)
107: 0x0000564cfbd35760 set email (1x)
108: 0x0000564cfbd38300 set password (1x)
109: 0x0000564cfbd34650 set email (1x)
110: 0x0000564cfbd3b7e0 set password (1x)
111: 0x0000564cfbd3a580 set email (1x)
112: 0x0000564cfbd393a0 set password (1x)
113: 0x0000564cfbd35570 set email (1x)
114: 0x0000564cfbd3c410 set password (1x)
115: 0x0000564cfbd3c430 set email (1x)
116: 0x0000564cfbc81670 set password cb (2x) <=== denied (012)
117: 0x0000564cfbd3c5a0 set password (1x)
118: 0x0000564cfbd3b450 set email (1x)
119: 0x0000564cfbd38470 set password (1x)
120: 0x0000564cfbd3ed50 set email (1x)
121: 0x0000564cfbd0f440 set password (1x)
122: 0x0000564cfbc847c0 set email (1x)
123: 0x0000564cfbd3eff0 set password (1x)
124: 0x0000564cfbd39b30 set email (1x)
125: 0x0000564cfbd39330 set password (1x)
126: 0x0000564cfbd327c0 set email (1x)
127: 0x0000564cfbd402c0 set password (1x)
128: 0x0000564cfbd40430 set email (1x)
129: 0x0000564cfbd40240 set password (1x)
130: 0x0000564cfbd41300 set email (1x)
131: 0x0000564cfbd3ee60 set password (1x)
132: 0x0000564cfbd414a0 set email (1x)
133: 0x0000564cfbd41400 set password (1x)
134: 0x0000564cfbd43ad0 set email (1x)
135: 0x0000564cfbd43300 set password (1x)
136: 0x0000564cfbd41080 set email (1x)
137: 0x0000564cfbd3edc0 set password (1x)
138: 0x0000564cfbd44740 set email (1x)
139: 0x0000564cfbd44320 set password (1x)
140: 0x0000564cfbd43370 set email (1x)
141: 0x0000564cfbd41030 set password (1x)
142: 0x0000564cfbd323f0 set email (1x)
143: 0x0000564cfbd41620 set password (1x)
144: 0x0000564cfbd446e0 set email (1x)
145: 0x0000564cfbd3ef30 set password (1x)
146: 0x0000564cfbd47450 set email (1x)
147: 0x0000564cfbd474d0 set password (1x)
148: 0x0000564cfbd44610 set email (1x)
149: 0x0000564cfbd47470 set password (1x)
150: 0x0000564cfbc903e0 set password cb (1x) <=== denied (017)
151: 0x0000564cfbd476a0 set email (1x)
152: 0x0000564cfbd493e0 set password (1x)
153: 0x0000564cfbd49590 set email (1x)
154: 0x0000564cfbd47410 set password (1x)
155: 0x0000564cfbd498b0 set email (1x)
156: 0x0000564cfbd323d0 set password (1x)
157: 0x0000564cfbd47110 set email (1x)
158: 0x0000564cfbc927e0 set email cb (2x) <=== approved (021)
159: 0x0000564cfbc7a600 set email cb (2x) <=== approved (023)
160: 0x0000564cfbd1e740 set email cb (2x) <=== approved (025)
161: 0x0000564cfbd23e80 set email cb (2x) <=== approved (027)
162: 0x0000564cfbc8e4c0 set email cb (5x) <=== [vuln chunk] approval of 029, but has been overwritten by 061
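
The [vuln chunk] annotations above mark an address that is handed to a new request while an earlier request on it still awaits its callback. The following is an added example, not part of the original file or its repository, that flags this pattern in a trace written in the same line format; the function name `find_reused_chunks` and the sample addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the page's line format (addresses are made up).
SAMPLE = """\
000: 0x0000000000001000 set password (2x)
001: 0x0000000000002000 set email (1x)
002: 0x0000000000001000 set email (2x)
003: 0x0000000000002000 set email cb (1x)
004: 0x0000000000001000 set password cb (2x)
005: 0x0000000000001000 set email cb (2x)
"""

# step number, chunk address, field name, optional " cb" marker, repeat count
LINE = re.compile(r"^(\d+):\s+(0x[0-9a-fA-F]+)\s+set (\w+)( cb)?\s+\(\d+x\)")


def find_reused_chunks(trace):
    """Return (address, pending_step, reusing_step) for every address that is
    given to a new request while an earlier request on it has no callback yet."""
    pending = defaultdict(list)  # address -> [(step, field)] awaiting a callback
    findings = []
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # lines without a pointer, e.g. user_get_fallback_value
        step, addr, field, is_cb = int(m[1]), m[2], m[3], bool(m[4])
        if is_cb:
            # A callback resolves the oldest pending request of that field.
            for i, (_, pending_field) in enumerate(pending[addr]):
                if pending_field == field:
                    del pending[addr][i]
                    break
        else:
            # Any request still pending on this address means the chunk was
            # reused before the earlier authorization result came back.
            for pending_step, _ in pending[addr]:
                findings.append((addr, pending_step, step))
            pending[addr].append((step, field))
    return findings


if __name__ == "__main__":
    for addr, first, reuse in find_reused_chunks(SAMPLE):
        print(f"{addr}: request at {first:03d} still pending when reused at {reuse:03d}")
```

Run over the sequence above, this logic reports 0x0000564cfbc8e4c0 at steps 029 and 061, and does not report the pointers reused at 046 and 083, whose earlier requests had already received their callbacks.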