Source: myhack58, author: Anonymous (佚名), record id MYHACK58:62201892266
Published: Dec 03, 2018 - 12:00 a.m.

How to use a QuartzCore heap overflow to achieve an iOS/macOS Safari sandbox escape (vulnerability warning, from the Black Bar Safety Net, www.myhack58.com)


CVSS3: 7.8 High (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  Attack Vector: LOCAL | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: REQUIRED | Scope: UNCHANGED
  Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH

CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
  Access Vector: NETWORK | Access Complexity: MEDIUM | Authentication: NONE
  Confidentiality Impact: COMPLETE | Integrity Impact: COMPLETE | Availability Impact: COMPLETE

EPSS: 0.001 Low (Percentile 25.6%)

1. Vulnerability summary
QuartzCore, also known as CoreAnimation, is the framework macOS and iOS use to build animated scene graphs. CoreAnimation uses a distinctive rendering model in which the graphics operations run in a separate process: on macOS that process is WindowServer, and on iOS it is backboardd. These processes run outside the sandbox and are able to call setuid. The QuartzCore service is usually referred to as CARenderServer. The service exists on both macOS and iOS and is reachable from the Safari sandbox, so it is frequently used in Pwn2Own contests. The service contains an integer overflow bug, which leads to a heap overflow in QuartzCore on the latest macOS/iOS.
Affected OS:
macOS 10.14
iOS 12.10

2. Vendor response
"CoreAnimation vulnerability impact: an application may execute arbitrary code with system privileges. Memory handling has been improved, fixing the memory corruption problem."
The vulnerability is tracked as CVE-2018-4415.

3. Vulnerability details
The root cause of the vulnerability lies in the QuartzCore function CA::Render::InterpolatedFunction::InterpolatedFunction, which does not take integer overflow into account. Below we describe the vulnerability in detail on macOS and on iOS.
macOS 10.14
On macOS there is an API, CGSCreateLayerContext, that can be used to open the CARenderService; this API does not exist on iOS. An attacker can send a message with id 0x9C42 or 0x9C43 to the service port. When server_thread receives this particular message, it enters a deserialization-like process. As long as suitable data is supplied, the execution flow reaches the CA::Render::InterpolatedFunction::InterpolatedFunction function.
![Figure: decompiled CA::Render::InterpolatedFunction::InterpolatedFunction](/Article/UploadPic/2018-12/2018123191159393.png)
In the figure above, note that the attacker controls the values of the two members at (a) and (b). CA deserializes the object using a function such as CA::Render::Decoder::decode, and in CA::Render::InterpolatedFunction::allocate_storage these values determine the size of the memory to be allocated.
![Figure: decompiled CA::Render::InterpolatedFunction::allocate_storage](/Article/UploadPic/2018-12/2018123191159177.png)
In (d), v3 is controlled by the values at (a) and (b), and at (e) v4 is controlled by the attacker-controlled value at (c). The memory to be allocated is therefore of size 4 * (v4 + v3). However, careful observation of (f) shows that the third argument passed to CA::Render::Decoder::decode_bytes is actually 4 * v3. At (f), CA::Render::Decoder::decode_bytes simplifies to something like memcpy(v2, v8, 4 * v3) or memset(v2, 0, 4 * v3). So when 4 * (v4 + v3) overflows while 4 * v3 does not, a heap overflow occurs. In the exploit section later in this article you can see how an attacker controls these values to trigger the integer overflow.
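To make the size arithmetic concrete, here is an added C model of the bug condition described above, written for this page and not taken from the article's or Apple's code. It assumes the decoded counts v3 and v4 are 32-bit and that the size expression is evaluated in 32-bit arithmetic; it places the wrapping computation next to the overflow-checked version a defender would want, and uses constructed counts.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption (not taken from the article's decompilation): the decoded counts
 * v3 and v4 are 32-bit and the size expression is evaluated in 32-bit math. */

/* Wrapping size computation as the text describes it: 4 * (v4 + v3). */
uint32_t vuln_alloc_size(uint32_t v3, uint32_t v4) {
    return 4u * (v4 + v3);               /* silently wraps modulo 2^32 */
}

/* The bug condition: the buffer is smaller than the 4 * v3 bytes decode_bytes
 * writes into it, i.e. 4*(v4+v3) wrapped while 4*v3 did not. */
bool would_overflow(uint32_t v3, uint32_t v4) {
    return vuln_alloc_size(v3, v4) < 4u * v3;
}

/* Hardened computation: refuse the message instead of wrapping. */
bool safe_alloc_size(uint32_t v3, uint32_t v4, uint32_t *out) {
    uint32_t sum, bytes;
    if (__builtin_add_overflow(v3, v4, &sum)) return false;
    if (__builtin_mul_overflow(sum, 4u, &bytes)) return false;
    *out = bytes;
    return true;
}

/* Safe analogue of allocate_storage + decode_bytes: allocate only when the size
 * is sound and the copy length fits, zero-fill, then release. Returns whether
 * the counts were accepted. */
bool storage_accepted(uint32_t v3, uint32_t v4) {
    uint32_t bytes;
    if (!safe_alloc_size(v3, v4, &bytes)) return false;
    if ((uint64_t)4u * v3 > bytes) return false;   /* copy must fit the buffer */
    uint32_t *buf = calloc(1, bytes ? bytes : 1);
    if (!buf) return false;
    free(buf);
    return true;
}

int main(void) {
    /* Constructed counts: 4*v3 = 0xFFFFFFFC does not wrap, 4*(v3+v4) wraps to 0. */
    printf("wrapping computation: %s\n",
           would_overflow(0x3FFFFFFFu, 1u) ? "buffer too small" : "ok");
    printf("hardened computation: %s\n",
           storage_accepted(0x3FFFFFFFu, 1u) ? "accepted" : "rejected");
    return 0;
}
```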
We can reproduce this issue on macOS with the following steps:
1. clang QuartzCoreFunctionIntOverFlow.c -o quartz_core_function_over_flow -framework CoreGraphics
2. ./quartz_core_function_over_flow
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
com.apple.CoreFoundation 0x00007fff332e2daf __CFBasicHashAddValue + 2077
com.apple.CoreFoundation 0x00007fff332e33f5 CFDictionarySetValue + 187
com.apple.SkyLight 0x00007fff595ebfa9 CGXPostPortNotification + 123
com.apple.SkyLight 0x00007fff595eb947 notify_handler + 73
com.apple.SkyLight 0x00007fff595eb2d9 post_port_data + 237
com.apple.SkyLight 0x00007fff595eafba run_one_server_pass + 949
com.apple.SkyLight 0x00007fff595eab90 CGXRunOneServicesPass + 460
com.apple.SkyLight 0x00007fff595eb820 server_loop + 96
com.apple.SkyLight 0x00007fff595eb7b5 SLXServer + 1153
WindowServer 0x000000010011d4c4 0x10011c000 + 5316
libdyld.dylib 0x00007fff6036ced5 start + 1
Thread 2:: com.apple.coreanimation.render-server // CARenderServer thread
libsystem_platform.dylib 0x00007fff6056ce09 _platform_bzero$VARIANT$Haswell + 41
com.apple.QuartzCore 0x00007fff3e8ebaa4 CA::Render::Decoder::decode_bytes(void*, unsigned long) + 46
com.apple.QuartzCore 0x00007fff3e8c35f7 CA::Render::InterpolatedFunction::InterpolatedFunction(CA::Render::Decoder*) + 191
com.apple.QuartzCore 0x00007fff3e8c3524 CA::Render::Function::decode(CA::Render::Decoder*) + 224
com.apple.QuartzCore 0x00007fff3e8ecb8a CA::Render::Decoder::decode_object(CA::Render::Type) + 946
com.apple.QuartzCore 0x00007fff3e8edc8e CA::Render::decode_commands(CA::Render::Decoder*) + 871
com.apple.QuartzCore 0x00007fff3e896422 CA::Render::Server::ReceivedMessage::run_command_stream() + 748
com.apple.QuartzCore 0x00007fff3e73d2e1 CA::Render::Server::server_thread(void*) + 1841
com.apple.QuartzCore 0x00007fff3e91427c thread_fun(void*) + 25
libsystem_pthread.dylib 0x00007fff60572795 _pthread_body + 159
libsystem_pthread.dylib 0x00007fff605726e2 _pthread_start + 70
libsystem_pthread.dylib 0x00007fff605722a9 thread_start + 13
iOS 12.10
Because the root cause of this issue is clear and the code on iOS and macOS is essentially the same, this section discusses only the points where iOS differs from macOS.
1. iOS has no API like CGSCreateLayerContext, so there is no direct access to the CoreAnimation rendering context. After some exploration, we found that the MIG function _XRegisterClient can be used in place of CGSCreateLayerContext. First, the attacker needs to open the com.apple.CARenderServer service, which is accessible from inside the sandbox, and then call mach_msg to send a message with id 40202, which invokes _XRegisterClient; and

