A buffer overflow in the XNU kernel
146 points by jprx 1 year ago | 35 comments
- lgdskhglsa 1 year ago: In case people missed it, the name of the exploit is a Blink-182 song released around the time it was discovered.
- jprx 1 year ago: You get it!!
- lgdskhglsa 1 year ago: It's my favorite song of the album :)
- bartvk 1 year ago: If you're still running the affected kernel, what are the possible consequences?
Also, this has been public for months:
- February 17, 2024: I posted the hash of TURPENTINE.c to X on Feb 17, 2024.
- May 13, 2024: macOS Sonoma 14.5 (23F79) shipped with xnu-10063.121.3, the first public release containing a fix.
- axoltl 1 year ago: The syscalls involved are in a lot of sandboxes, so worst (or best, depending on your point of view) case scenario it's a pretty universal privesc. There's a lot of steps to get there though. I'm not super familiar with the mbuf subsystem specifically but I'm going to guess mbufs are in their own allocator zone. That means you're guaranteed to overwrite an adjacent m_hdr structure. Those contain pointers that form a linked list and at first glance I don't see linked list hardening or zone checks in the MBUF macros. One could envision being able to turn this bug into a kASLR leak as well as a kernel r/w primitive and while that isn't the silver bullet it used to be on XNU (because of a whole host of hardening Apple put in) it's still pretty powerful.
- TheDong 1 year ago:
> Also, this has been public for months:
Posting the hash to twitter as a proof that "something" exists reveals no actual information, so it's not considered making the exploit "public" in any meaningful way.
From the blog's timeline, it's been visible in code diffs since ~April, but only called out as a CVE since 10 days ago, so I'd consider this one hot off the presses.
- chad1n 1 year ago: There is a bigger chance that a toddler smashing a keyboard finds a bug than GPT-5. LLMs can't understand intent, so they literally work like `grep` with little to no understanding of the context, so most of the time it will false-flag good code.
There are already a lot of tools to find bugs, like fuzzers, but I am sure that LLMs won't be one of them.
- barkingcat 1 year ago: LLM-powered / guided fuzzer would be pretty cool though.
- exe34 1 year ago: They don't need to understand intent, they just need to find exploits. They don't even need to do it by reading code alone; give them a VM running the code and let them throw excrement at it until something sticks!
- lpapez 1 year ago: Writing an exploit is usually much more difficult than patching the underlying bug.
Half of the work in fixing a bug report is getting a reproducible example. Nay, more than half.
If there was a magic AI which could generate exploits, I'd imagine there would be an equally magic AI patching the holes right out.
- vlovich123 1 year ago: Maybe, but keep in mind that there's often a substantial lag in practice between a fixed vulnerability and its deployment into production.
That said, I'm quite skeptical there are any AIs on the horizon that can autogenerate exploits from CVEs.
- saagarjha 1 year ago: It's definitely nowhere near capable of doing that.
- favorited 1 year ago: Is "with a sufficiently smart LLM" the new "with a sufficiently smart compiler"?
- st_goliath 1 year ago: "imagine feeding this into an LLM/ChatGPT" is the new "imagine a Beowulf cluster of these"
- sillywalk 1 year ago: Apparently GPT-4 has some capacity to conduct exploits by "reading" CVE reports. I don't know if it can autonomously create exploits though:
GPT-4 can exploit vulnerabilities by reading CVEs (theregister.com) 81 points by ignoramous 60 days ago | hide | past | favorite | 29 comments
https://news.ycombinator.com/item?id=40101846
which links to a Register article[0], which links to a paper[1]:
"In this work, we show that LLM agents can autonomously exploit one-day vulnerabilities in real-world systems. To show this, we collected a dataset of 15 one-day vulnerabilities that include ones categorized as critical severity in the CVE description. When given the CVE description, GPT-4 is capable of exploiting 87% of these vulnerabilities compared to 0% for every other model we test (GPT-3.5, open-source LLMs) and open-source vulnerability scanners (ZAP and Metasploit). Fortunately, our GPT-4 agent requires the CVE description for high performance: without the description, GPT-4 can exploit only 7% of the vulnerabilities."[1]
[0] https://www.theregister.com/2024/04/17/gpt4_can_exploit_real...
- saagarjha 1 year ago: Yes, that sounds about right. LLMs aren't quite good enough to find novel bugs and exploit them like a human would.
- tedunangst 1 year ago: Yeah, that works for web vulns where the vuln description is practically the exploit anyway. I could write a Perl script that parses out variable names and writes SQL injections for it.
- brcmthrowaway 1 year ago: Have you used GPT-5?
- JSDevOps 1 year ago: If you aren't using GPT-6a then you are years behind.
- speed_spread 1 year ago: GPT-5, maybe not. But somebody somewhere is building something that can do that. And if they can't do it _now_ they have a plan that tells them what's missing. TL;DR: it's coming, soon.
- axoltl 1 year ago: Writing exploits is a bit of an art form. Current incarnations of GPT have trouble writing code at a level more advanced than a junior developer.
- TylerE 1 year ago: And lots of people are spending lots of time and money on AI coding assistants... which is more or less the knowledge base you need.
If they could use that structural training to answer queries like "Is there any code path where some_dangerous_func() is called without its return value being checked"...
- mschuster91 1 year ago:
> Like when you can just send one icmp packet with `+++ath0` and just disconnect someone's modem
Oh, I remember the "XDCC SEND KEYLOGGER 0 0 0" exploit from IRC era ~2010... dumbass middleboxes would yeet anyone whose packets crossed them.
- jiveturkey 1 year ago: The real win will be when it can also generate the codename for the exploit. FATEFATAL