6.8
CVSSv2

CVE-2019-6225

Published: 05/03/2019 Updated: 11/03/2019
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 688
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

Apple macOS could allow a local malicious user to gain elevated privileges on the system, caused by a memory corruption in the Kernel component. By using a specially-crafted application, an attacker could exploit this vulnerability to gain elevated privileges on the system.

Vulnerability Trend

Affected Products

Vendor Product Versions
AppleIphone Os1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 2.0, 2.0.0, 2.0.1, 2.0.2, 2.1, 2.1.1, 2.2, 2.2.1, 3.0, 3.0.1, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.2, 3.2.1, 3.2.2, 4.0, 4.0.1, 4.0.2, 4.1, 4.2.1, 4.2.5, 4.2.8, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.5, 5.0, 5.0.1, 5.1, 5.1.1, 6.0, 6.0.1, 6.0.2, 6.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 7.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.1, 7.1.1, 7.1.2, 8.0, 8.0.1, 8.0.2, 8.1, 8.1.2, 8.1.3, 8.2, 8.3, 8.4.1, 9.0, 9.0.1, 9.0.2, 9.1, 9.2, 9.2.1, 9.3, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.3.5, 10.0, 10.0.1, 10.0.2, 10.0.3, 10.1, 10.1.1, 10.2, 10.2.1, 10.3, 10.3.1, 10.3.2, 10.3.3, 11, 11.0, 11.0.1, 11.0.2, 11.0.3, 11.1, 11.1.1, 11.1.2, 11.2, 11.2.1, 11.2.2, 11.2.5, 11.2.6, 11.3, 11.3.1, 11.4, 11.4.1, 12.0, 12.0.1, 12.1, 12.1.1, 12.1.2
AppleMac Os X-, 10.0, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.1, 10.1.0, 10.1.1, 10.1.2, 10.1.3, 10.1.4, 10.1.5, 10.2, 10.2.0, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.2.8, 10.3, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.3.7, 10.3.8, 10.3.9, 10.4, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 10.4.7, 10.4.8, 10.4.9, 10.4.10, 10.4.11, 10.5, 10.5.0, 10.5.1, 10.5.2, 10.5.3, 10.5.4, 10.5.5, 10.5.6, 10.5.7, 10.5.8, 10.6.0, 10.6.1, 10.6.2, 10.6.3, 10.6.4, 10.6.5, 10.6.6, 10.6.7, 10.6.8, 10.7.0, 10.7.1, 10.7.2, 10.7.3, 10.7.4, 10.7.5, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.8.4, 10.8.5, 10.9, 10.9.1, 10.9.2, 10.9.3, 10.9.4, 10.9.5, 10.10.0, 10.10.1, 10.10.2, 10.10.3, 10.10.4, 10.10.5, 10.11.0, 10.11.1, 10.11.2, 10.11.3, 10.11.4, 10.11.5, 10.11.6, 10.12, 10.12.0, 10.12.1, 10.12.2, 10.12.3, 10.12.4, 10.12.5, 10.12.6, 10.13, 10.13.0, 10.13.1, 10.13.2, 10.13.3, 10.13.4, 10.13.5, 10.13.6
AppleTvos1.0.0, 1.1.0, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.4.0, 3.0.0, 3.0.1, 3.0.2, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.4.0, 4.4.2, 4.4.3, 4.4.4, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.2.0, 6.0, 6.0.1, 6.0.2, 6.1, 6.1.1, 6.1.2, 6.2, 6.2.1, 7.0, 7.0.1, 7.0.3, 7.1, 9.0, 9.0.1, 9.1, 9.1.1, 9.2, 9.2.1, 9.2.2, 10.0, 10.0.1, 10.1, 10.1.1, 10.2, 10.2.1, 10.2.2, 11, 11.0, 11.1, 11.2, 11.2.1, 11.2.6, 11.3, 11.4.1, 12, 12.0.1, 12.1

Vendor Advisories

About Apple security updatesFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available Recent releases are listed on the Apple security updates page Apple security documents reference vulnerabilities by CVE-ID when possible For more info ...
About Apple security updatesFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available Recent releases are listed on the Apple security updates page Apple security documents reference vulnerabilities by CVE-ID when possible For more info ...
About Apple security updatesFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available Recent releases are listed on the Apple security updates page Apple security documents reference vulnerabilities by CVE-ID when possible For more info ...

Exploits

/* * voucher_swap-pocc * Brandon Azad */ #if 0 iOS/macOS: task_swap_mach_voucher() does not respect MIG semantics leading to use-after-free The dangers of not obeying MIG semantics have been well documented: see issues 926 (CVE-2016-7612), 954 (CVE-2016-7633), 1417 (CVE-2017-13861, async_wake), 1520 (CVE-2018-4139), 1529 (CVE-2018-4206), and 1 ...

Mailing Lists

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-1-22-2 macOS Mojave 10143, Security Update 2019-001 High Sierra, Security Update 2019-001 Sierra macOS Mojave 10143, Security Update 2019-001 High Sierra, Security Update 2019-001 Sierra are now available and addresses the following: AppleKeyStore Available for: macOS Mojave 1014 ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-1-22-4 tvOS 1212 tvOS 1212 is now available and addresses the following: AppleKeyStore Available for: Apple TV 4K and Apple TV (4th generation) Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: A memory corruption issue was addressed with impr ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-1-22-2 macOS Mojave 10143, Security Update 2019-001 High Sierra, Security Update 2019-001 Sierra macOS Mojave 10143, Security Update 2019-001 High Sierra, Security Update 2019-001 Sierra are now available and addresses the following: AppleKeyStore Available for: macOS Mojave 1014 ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-1-22-4 tvOS 1212 tvOS 1212 is now available and addresses the following: AppleKeyStore Available for: Apple TV 4K and Apple TV (4th generation) Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: A memory corruption issue was addressed with impr ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-1-22-1 iOS 1213 iOS 1213 is now available and addresses the following: AppleKeyStore Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: A memory corruption is ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-1-22-1 iOS 1213 iOS 1213 is now available and addresses the following: AppleKeyStore Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: A memory corruption is ...

Github Repositories

Jailbreak for iOS 12 iOS 120 & 1212 Jailbreak with CVE-2019-6225 An incomplete iOS 12 Jailbreak For now it only runs the exploit, gets tfp0, gets ROOT, escapes the SandBox, writes a test file to prove the sandbox was escaped then resprings Feel free to build on top of it as long as you respect the GPLv3 license Older (4K) devices are not supported for now 16K dev

CVE-2019-6225 Local Privilege Escalation for macOS ≤ 10142 via CVE-2019-6225 Not yet tested on other machines, some hardcoded values might be incorrect Does NOT work on machines with SMAP It will crash your machine on the second run, no matter how the first run was Most of the code are based on PsychoTea/machswap Special thanks: @_bazad, @S0rryMyBad for the bug @S1guza

voucher_swap - Exploit for P0 issue 1731 on iOS 1212 Brandon Azad ---- Issue 1731: CVE-2019-6225 -------------------------------------------------------------------- iOS/macOS: task_swap_mach_voucher() does not respect MIG semantics leading to use-after-free Consider the MIG routine task_swap_mach_voucher(): routine task_swap_mach_voucher( task : task_t; new_voucher : ipc_vo

OsirisJailbreak12 iOS 120 -> 1212 Incomplete Jailbreak with CVE-2019-6225 An incomplete iOS 12 Jailbreak For now it only runs the exploit, gets tfp0, gets ROOT, escapes the SandBox, writes a test file to prove the sandbox was escaped then resprings Feel free to build on top of it as long as you respect the GPLv3 license 4K devices are not supported for now A12 and

voucher_swap - Exploit for P0 issue 1731 on iOS 1212 Brandon Azad ---- Issue 1731: CVE-2019-6225 -------------------------------------------------------------------- iOS/macOS: task_swap_mach_voucher() does not respect MIG semantics leading to use-after-free Consider the MIG routine task_swap_mach_voucher(): routine task_swap_mach_voucher( task : task_t; new_voucher : ip

OsirisJailbreak12 iOS 120 -> 1212 Incomplete Jailbreak with CVE-2019-6225 An incomplete iOS 12 Jailbreak For now it only runs the exploit, gets tfp0, gets ROOT, escapes the SandBox, writes a test file to prove the sandbox was escaped then resprings Feel free to build on top of it as long as you respect the GPLv3 license 4K devices are not supported for now A12 and

Chaos kernel bug for iOS 120 through 1212 PoC & Writeup (CVE-2019-6225) Read everything please This only works with 64-bit devices running 120 - 1212 Writeup by @haxoorr (me) I made a clean writeup because the original PoC was posted as an image Fixed in iOS 1213 (16D39) If you're interested in bootstrapping iOS kernel security research (including

OsirisJailbreak12 iOS 120 -> 1212 Incomplete Jailbreak with CVE-2019-6225 An incomplete iOS 12 Jailbreak For now it only runs the exploit, gets tfp0, gets ROOT, escapes the SandBox, writes a test file to prove the sandbox was escaped then resprings Feel free to build on top of it as long as you respect the GPLv3 license Older (4K) devices are not supported for now

machswap2 An iOS kernel exploit for iOS 11 - 1212 Based on the task_swap_mach_voucher bug (CVE-2019-6225), joint-discovered/released by @S0rryMyBad and @bazad Somewhat loosely based on @s1guza's v0rtex exploit, and @tihmstar's v3ntex exploit Works on A7 - A11 devices (no A12 as I have no A12 device) Many thanks to @s1guza, @littlelailo, and @qwertyoruiopz Twitt

voucher_swap - Exploit for P0 issue 1731 on iOS 1212 Brandon Azad ---- Issue 1731: CVE-2019-6225 -------------------------------------------------------------------- iOS/macOS: task_swap_mach_voucher() does not respect MIG semantics leading to use-after-free Consider the MIG routine task_swap_mach_voucher(): routine task_swap_mach_voucher( task : task_t; new_voucher : ip

machswap An iOS kernel exploit for iOS 11 - 1212 Based on the task_swap_mach_voucher bug (CVE-2019-6225), joint-discovered/released by @S0rryMyBad and @bazad Somewhat loosely based on @s1guza's v0rtex exploit Non-SMAP (<=A9) devices only Many thanks to @s1guza, @littlelailo, and @qwertyoruiopz Writeup: sparkeszone/blog/ios/2019/04/30/machswap-ios-12-

learnmacos mac内核漏洞挖掘,内核处理原理,漏洞分析的学习笔记。 项目文件说明 内核调试环境搭建 ipc通信机制 ​ mach port 分析 ​ ool和msg分析 ​ port进行的堆喷 内存管理机制分析 ​ gc回收混淆类型 内核扩展与iokit mac结构说明 task结构 整体架构 内核dataqueue分析 MIG模块编译使用 共享内存