As a user of
VMWare Fusion on OS X it happened to me to briefly look for security issues. I found 2 very trivial kernel infoleaks.
If you are interested into VMWare, you may be interested also in our
Shakacon 2016 talk, 50 Shades of Fuzzing, where we discussed some details about VMWare
As you may know, OS X ships with
kASLR (kernel ASLR) from quite some time, so it’s very important that pointers are not leaked to userspace, since it will defeat or weaken the kernel ASLR.
We already discussed one of those infoleak in our presentation at
CanSecWest16, for which a OS X graphic driver was the culprit.
This mentioned issue was leaking a pointer in the
IORegistry. Another way for the kernel to share variables to userspace is with
You can read those sysctl easily with the help of the
sysctl command on OS X.
So as you can imagine I’m saying this because the leaks are inside a sysctl variable.
If you have a OS X guest virtual machine in VMWare fusion, inside this VM you can try to run:
And the second issue, in the OS X Host itself also leaks pointers:
Other GPU memory corruptions bugs are pending, found by fuzzing like described in 50 Shades of Fuzzing but no expected time for fixes is given yet.
- 2016/3/26 The issues is reported to the VMWare Security Team via email at
- 2016/3/31 Still no reply or acknowledgement, I sent them an email again.
- 2016/3/31 I received a reply, they are investigating the issues internally.
CVE-2016-5329are reserved. VMWare couldn’t make the fix in the last update, they will try to bundle the fix in an update scheduled for Q3 2016.
- 2016/09/17 The Host infoleak seems fixed, but no security advisory is issued. The Guest infoleak is still present.
- 2016/10/26 The isses are fixed and the advisory is published here.
- Vendors must keep their threat model update. With
System Integrity Protectionusermode
rootis not the end of the game. You have to compromise the kernel to disable
SIPusually, so you should not leak those informations even to