This one seems to have fallen between the chairs of Meltdown and Spectre. And definitely worth a MacRumors article.
Swiss guy (Siguza) gains full kernel access for an unprivileged user.
Siguza tweets about a fix in 10.13.2
Steve Gibson talks about this, starts @ 51.45 into the videocast. Show is from the 2nd and he talks about the Intel Page Addressing problem as well. Well worth watching.
Here are the SG show notes for this part:
IOHIDeous
On New Years Eve, hacker "Siguza", who describes himself as a hobbyist developer and hacker from Switzerland who goes by the name Siguza, dropped the tweet:
"**** it, dropping a macOS 0day. Happy New Year, everyone. https://t.co/oG2nOlUOjk — Siguza (@s1guza) December 31, 2017"
The link in his tweet points to a page on his GitHub subdomain where, as promised in the tweet, he provides an extensive and extremely well written walk-through of this apparently 15+ year old bug.
https://siguza.github.io/IOHIDeous/
Quoting the write-up: "The exploit accompanying this write-up consists of three parts:
- poc (make poc)
  Targets all macOS versions, crashes the kernel to prove the existence of a memory corruption.
- leak (make leak)
  Targets High Sierra, just to prove that no separate KASLR leak is needed.
- hid (make hid)
  Targets Sierra and High Sierra (up to 10.13.1, see README), achieves full kernel r/w and disables SIP [System Integrity Protection] to prove that the vulnerability can be exploited by any unprivileged user on all recent versions of macOS."
Siguza jumped into a dialog about this over on Ycombinator and wrote:
I had actually submitted to the ZDI, but had written the exploit & write-up in the first place mainly because I like hacking rather than for money. I figured I'd see what offers I'd get anyway, but once I had spent all the time on the write-up, I mainly wanted people to see that, and the amount offered wasn't enough to convince me otherwise. I might've published this earlier even, but my December was kinda busy, first with the v0rtex exploit and then with 34C3.
And an engineer from Apple's security team contacted me a bit after releasing - they had found the bug a while ago, but hadn't verified the subsequent patch which actually didn't fix it. And a while ago I tweeted this https://twitter.com/s1guza/status/921889566549831680 (try diff'ing sources to find it). So they do have people on it. I also told that person to extend my condolences to whoever has to come in and fix that now, but they basically said that there's nothing to apologise for and that they (the team) really like such write-ups. So... I guess I'm not that evil?
And I neither wanna watch the world burn nor did anyone brush me the wrong way - I didn't publish this out of hate, but out of love for hacking. If you're concerned about skids hacking you now, they need to get code execution first on your machine. If you're concerned about people who can do that, then those can also get kernel r/w without me, so... nothing really changed for the average user.
PS: Yes, it's really me. Will add keybase proof if my karma gets >= 2. Edit: done, see my profile.