CVE-2016-1823 - Out-of-bounds Read

Severity

93%

Complexity

86%

Confidentiality

165%

The IOHIDDevice::handleReportWithTime function in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (out-of-bounds read and memory corruption) via a crafted IOHIDReportType enum, which triggers an incorrect cast, a different vulnerability than CVE-2016-1824.

The IOHIDDevice::handleReportWithTime function in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (out-of-bounds read and memory corruption) via a crafted IOHIDReportType enum, which triggers an incorrect cast, a different vulnerability than CVE-2016-1824.

CVSS 3.0 Base Score 7.8. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 9.3. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C).

Demo Examples

Out-of-bounds Read

CWE-125

In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method


               
}

                     
return value;// check that the array index is less than the maximum// length of the array

                           
value = array[index];// get the value at the specified index of the array
// if array index is invalid then output error message// and return value indicating error
value = -1;

However, this method only verifies that the given array index is less than the maximum length of the array but does not check for the minimum value (CWE-839). This will allow a negative value to be accepted as the input array index, which will result in a out of bounds read (CWE-125) and may allow access to sensitive memory. The input array index should be checked to verify that is within the maximum and minimum range required for the array (CWE-129). In this example the if statement should be modified to include a minimum range check, as shown below.


               
...// check that the array index is within the correct// range of values for the array

Overview

First reported 8 years ago

2016-05-20 10:59:00

Last updated 5 years ago

2019-03-25 17:44:00

Affected Software

Apple Mac OS X

References

APPLE-SA-2016-05-16-1

Mailing List, Vendor Advisory

APPLE-SA-2016-05-16-2

Mailing List, Vendor Advisory

APPLE-SA-2016-05-16-3

Mailing List, Vendor Advisory

APPLE-SA-2016-05-16-4

Mailing List, Vendor Advisory

http://packetstormsecurity.com/files/137397/OS-X-Kernel-Raw-Cast-Out-Of-Bounds-Read.html

Third Party Advisory, VDB Entry

90698

Third Party Advisory, VDB Entry

1035890

Third Party Advisory, VDB Entry

https://bugs.chromium.org/p/project-zero/issues/detail?id=774

Exploit, Third Party Advisory

https://support.apple.com/HT206564

Vendor Advisory

https://support.apple.com/HT206566

Vendor Advisory

https://support.apple.com/HT206567

Vendor Advisory

https://support.apple.com/HT206568

Vendor Advisory

39927

Exploit, Third Party Advisory, VDB Entry

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.