CVE-2018-16962: Webroot SecureAnywhere macOS Kernel Level Memory Corruption

Trustwave recently discovered a locally exploitable issue in the macOS version of the Webroot SecureAnywhere solution. The root cause of the issue is an arbitrary user-supplied pointer that is read from and potentially written to as well. In effect, the issue arms an attacker with a kernel write-what-where gadget, with the caveat that the original value of the memory referenced by the pointer must be equal to (int) -1.

The vulnerable code is as follows:

__text:0000000000002BDC 000 push rbp
__text:0000000000002BDD 008 mov rbp, rsp
__text:0000000000002BE0 008 mov rax, [rsi+20h]
__text:0000000000002BE4 008 mov rcx, [rax]
__text:0000000000002BE7 008 test rcx, rcx
__text:0000000000002BEA 008 jz short loc_2C02
__text:0000000000002BEC 008 cmp dword ptr [rcx], 0FFFFFFFFh ; arbitrary dereference
__text:0000000000002BEF 008 jnz short loc_2C02
__text:0000000000002BF1 008 mov eax, [rax+8]
__text:0000000000002BF4 008 mov [rcx], eax ; dword arbitrary write-what-where
__text:0000000000002BF6 008 mov rdi, rcx
__text:0000000000002BF9 008 call _wakeup

Obviously the exploitability of the issue is somewhat constrained in that the original value at the dereferenced memory address must be (int) -1. However, this does not preclude a working exploit if an attacker were able to bypass KASLR on the versions of OS X/macOS supported by SecureAnywhere.
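To make the disassembly concrete, the following C model (an added illustration written for this page, not Webroot's source code or its patch) restates the routine above at source level: the request structure holds a caller-supplied pointer at offset 0 and a dword at offset 8, the pointer is dereferenced for the -1 check, then written and passed to wakeup. Beside it is one reasonable hardened form, assumed here rather than taken from the vendor fix, in which user code names a wait channel by a validated index into a kernel-owned table so no caller-supplied address is ever dereferenced. The struct layouts, the wakeup stub and the demo helpers are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the kernel's wakeup(): it only counts calls so
 * the behaviour can be observed. The real routine wakes sleeping threads. */
static int wakeup_calls = 0;
static void wakeup(void *chan) { (void)chan; wakeup_calls++; }

/* Constructed layout matching the disassembly: the pointer at +0 and the
 * dword at +8 (on x86-64 the int follows the 8-byte pointer). */
struct request {
    int *target;   /* rcx = [rax]   : caller-controlled address */
    int  value;    /* eax = [rax+8] : caller-controlled dword   */
};

/* Source-level reading of the vulnerable routine: the request pointer is
 * trusted as-is, so both the read and the write go wherever it points. */
int vulnerable_handler(const struct request *req)
{
    int *p = req->target;
    if (p == NULL)          /* test rcx, rcx / jz           */
        return 0;
    if (*p != -1)           /* cmp dword ptr [rcx], -1 : arbitrary read  */
        return 0;
    *p = req->value;        /* mov [rcx], eax : arbitrary dword write    */
    wakeup(p);              /* call _wakeup with the same pointer        */
    return 1;
}

/* Hardened variant (an assumed fix, not Webroot's patch): the caller passes
 * an index into a kernel-owned table, and the index is bounds-checked. */
#define MAX_WAIT_SLOTS 8
static int wait_slots[MAX_WAIT_SLOTS];

struct safe_request {
    unsigned int slot;  /* handle, validated against the table size */
    int          value;
};

void reset_wait_slots(void)
{
    for (size_t i = 0; i < MAX_WAIT_SLOTS; i++)
        wait_slots[i] = -1;   /* -1 marks "waiting", as in the original check */
}

int hardened_handler(const struct safe_request *req)
{
    if (req->slot >= MAX_WAIT_SLOTS)   /* bounds check replaces pointer trust */
        return 0;
    int *p = &wait_slots[req->slot];   /* kernel-owned memory only */
    if (*p != -1)
        return 0;
    *p = req->value;
    wakeup(p);
    return 1;
}

/* Helpers that run one request each and return the resulting cell value,
 * or -2 when the handler refused, so the two behaviours can be compared. */
int demo_gadget(int initial, int value)
{
    int cell = initial;   /* stands in for whatever memory the pointer names */
    struct request req = { &cell, value };
    return vulnerable_handler(&req) ? cell : -2;
}

int demo_hardened(unsigned int slot, int value)
{
    reset_wait_slots();
    struct safe_request req = { slot, value };
    return hardened_handler(&req) ? wait_slots[slot] : -2;
}

int main(void)
{
    printf("gadget, cell holds -1 : %d\n", demo_gadget(-1, 0x41414141));
    printf("gadget, cell holds 0  : %d\n", demo_gadget(0, 0x41414141));
    printf("hardened, slot 3      : %d\n", demo_hardened(3, 7));
    printf("hardened, slot 99     : %d\n", demo_hardened(99, 7));
    return 0;
}
```

The first two calls show the constraint the advisory describes: the write lands only when the targeted dword already holds -1, and a cell holding anything else is left untouched. The hardened handler rejects an out-of-range handle before touching memory, which is the property a reviewer should look for in any kernel routine that accepts a "wait channel" from user space.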

Any exploit would result in local kernel-mode code execution. While macOS is a significant target for attackers, the install base of Windows still outpaces Mac. Being local only, an attacker would need malware already executing locally, or would have to convince a logged-in user to open the exploit through social engineering.

Webroot has fixed this vulnerability, and customers are advised to ensure automatic updates are enabled for macOS agent installs. Those who wish to upgrade manually should install the fixed version or the latest stable release. This vulnerability has been issued CVE-2018-16962.

Webroot issued the following statement regarding this vulnerability:

“The security of our customers is of paramount importance to Webroot. This vulnerability was remediated in the software version that has been available to our customers since July 24, 2018. We have no evidence of any compromises from this vulnerability.

For any customer running a version of Mac not currently supported by Apple (OS 10.8 or lower), we recommend upgrading to an Apple-supported version to receive our updated agent and be in line with cybersecurity best practices on system patching.

Collaboration in the cybersecurity community is what keeps us all safer. We appreciate the Trustwave SpiderLabs team’s use of responsible disclosure to help protect the wider community from cyberthreats.”
