The syscalls involved are in a lot of sandboxes, so worst (or best, depending on your point of view) case scenario it's a pretty universal privesc. There's a lot of steps to get there though. I'm not super familiar with the mbuf subsystem specifically but I'm going to guess mbufs are in their own allocator zone. That means you're guaranteed to overwrite an adjacent m_hdr structure. Those contains pointers that form a linked list and at first glance I don't see linked list hardening or zone checks in the MBUF macros. One could envision being able to turn this bug into a kASLR leak as well as a kernel r/w primitive and while that isn't the silver bullet it used to be on XNU (because of a whole host of hardening Apple put in) it's still pretty powerful.
Posting the hash to twitter as a proof that "something" exists reveals no actual information, so it's not considered making the exploit "public" in any meaningful way.
From the blog's timeline, it's been visible in code diffs since ~April, but only called out as a CVE since 10 days ago, so I'd consider this one hot off the presses.
Readit News
Also, this has been public for months:
- February 17, 2024: I posted the hash of TURPENTINE.c to X on Feb 17, 2024.
- May 13, 2024: macOS Sonoma 14.5 (23F79) shipped with xnu-10063.121.3, the first public release containing a fix.
Posting the hash to twitter as a proof that "something" exists reveals no actual information, so it's not considered making the exploit "public" in any meaningful way.
From the blog's timeline, it's been visible in code diffs since ~April, but only called out as a CVE since 10 days ago, so I'd consider this one hot off the presses.
Deleted Comment
Dead Comment
Dead Comment