myhack58 | 佚名 (Anonymous) | MYHACK58:62201994385
History: Jun 03, 2019 - 12:00 a.m.

CVE-2019-8603: Safari sandbox escape & LPE in-depth analysis

2019-06-03 00:00:00
佚名 (Anonymous)
www.myhack58.com

CVSS3: 7 High (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: LOCAL; Attack Complexity: HIGH; Privileges Required: LOW; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 6.9 Medium (AV:L/AC:M/Au:N/C:C/I:C/A:C)
Access Vector: LOCAL; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

EPSS: 0.003 Low (Percentile 68.5%)

In this article we analyze the vulnerability CVE-2019-8603. In short, it is a heap out-of-bounds read in the Dock and com.apple.uninstalld services that leads to a call to CFRelease on an attacker-influenced pointer; on macOS it can be used to escape the Safari sandbox and ultimately obtain root privileges on the target device.
CVE-2019-8606 allows an attacker who already has root privileges to achieve kernel code execution through a race condition in kextutil. Combined with the WebKit remote code execution vulnerability provided by qwertyoruiopz and bkth, an attacker could completely defeat Safari's own security mechanisms and fully compromise the target user's [operating system](http://www.myhack58.com/Article/48/Article_048_1.htm).
But don't worry: Apple's security team has already fixed both of these vulnerabilities in macOS 10.14.5.

Vulnerability analysis
Previously, I was developing a coverage-guided fuzzing tool, and while using it to test AXUnserializeCFType I found the main character of this article, the vulnerability CVE-2019-8606. From what I had seen, this function was essentially just a simple parser, and it had already appeared at last year's Pwn2Own, but at that time nobody had found it to be vulnerable.
After reading through the documentation I discovered that I was wrong. This function is another implementation of CoreFoundation object serialization; it belongs to the HIServices framework, and its code lives in the corresponding dylib.
The function can serialize one object type, CFAttributedString. This is a string in which each character is associated with a CFDictionary that stores arbitrary descriptive attributes for the corresponding characters. These attributes can be colors, fonts, or any other information the user wants to attach. What we want, of course, is code execution.
To make this feature easier to understand, here are the corresponding data structures:
// from CFAttributedString.c
struct __CFAttributedString {
    CFRuntimeBase base;
    CFStringRef string;
    CFRunArrayRef attributeArray;  // one run per range of characters sharing the same attributes
};
// from CFRunArray.c
typedef struct {
    CFIndex length;
    CFTypeRef obj;
} CFRunArrayItem;
typedef struct _CFRunArrayGuts { /* Variable sized block. */
    CFIndex numRefs; /* For "copy on write" behavior */
    CFIndex length; /* Total count of values stored by the CFRunArrayItems in list */
    CFIndex numBlocks, maxBlocks; /* These describe the number of CFRunArrayItems in list */
    CFIndex cachedBlock, cachedLocation; /* Cache from last lookup */
    CFRunArrayItem list[0]; /* GCC */
} CFRunArrayGuts;
/* Definition of the CF struct for CFRunArray */
struct CFRunArray {
    CFRuntimeBase base;
    CFRunArrayGuts *guts;
};
For example, a run array covering a 19-character string might hold three items:
1. from index 0, length 11, with the attribute "bold";
2. from index 11, length 4, with no attributes;
3. from index 15, length 4, with the attribute "italic".
Clearly this structure also has to maintain some invariants, for instance that consecutive runs leave no gaps between them.
The deserialization function cfAttributedStringUnserialize has two execution paths. The first is very simple: it reads a string and then calls CFAttributedStringCreate with a NULL attribute dictionary. The second path is the interesting one: it first parses a string together with a list of ranges and their associated dictionaries, and then calls the internal function _CFAttributedStringCreateWithRuns:
CFAttributedStringRef _CFAttributedStringCreateWithRuns(
    CFAllocatorRef alloc,
    CFStringRef str,
    const CFDictionaryRef *attrDictionaries,
    const CFRange *runRanges,
    CFIndex numRuns) { …
For example, the string "attribution is hard" can be represented internally by three CFRunArrayItems:
![](/Article/UploadPic/2019-6/201963124145663.png)
The parser checks that the dictionaries and the string match each other, but it does not validate the actual range values, and neither does _CFAttributedStringCreateWithRuns:
for (cnt = 0; cnt < numRuns; cnt++) {
    CFMutableDictionaryRef attrs = __CFAttributedStringCreateAttributesDictionary(alloc, attrDictionaries[cnt]);
    __CFAssertRangeIsWithinLength(len, runRanges[cnt].location, runRanges[cnt].length); // debug assertion only; absent from release builds
    CFRunArrayReplace(newAttrStr->attributeArray, runRanges[cnt], attrs, runRanges[cnt].length);
    CFRelease(attrs);
}
The final release build does not contain this assertion either. As a result, the attacker can call CFRunArrayReplace with a fully controlled range and newLength value.
void CFRunArrayReplace(CFRunArrayRef array, CFRange range, CFTypeRef newObject, CFIndex newLength) {
    CFRunArrayGuts *guts = array->guts;
    CFRange blockRange;
    CFIndex block, toBeDeleted, firstEmptyBlock, lastEmptyBlock;
    // [[ 1 ]]
    // ??? if (range.location + range.length > guts->length) BoundsError;
    if (range.length == 0) return;
    if (newLength == 0) newObject = NULL;
    // [...]
    /* This call also sets the cache to point to this block */
    // [[ 2 ]]
    block = blockForLocation(guts, range.location, &blockRange);
    guts->length -= range.length;
    /* Figure out how much to delete from this block */
    toBeDeleted = blockRange.length - (range.location - blockRange.location);
    if (toBeDeleted > range.length) toBeDeleted = range.length;
    /* Delete that count */
    // [[ 3 ]]
    if ((guts->list[block].length -= toBeDeleted) == 0) FREE(guts->list[block].obj);

Look first at snippet [[ 1 ]]: the developer clearly intended to validate the arguments passed in, but the check is commented out, and because the function returns void its signature gives it no way to report an error to the caller.
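To make the missing check concrete, here is an added example (my own code, not Apple's CoreFoundation) that models a run array with the three-run layout described above for "attribution is hard" and implements the validation from [[ 1 ]] together with the lookup and first-block deletion of [[ 2 ]] and [[ 3 ]]. The names RunArray, run_range_ok, block_for_location and delete_from_first_block are stand-ins of my own, and the array is restricted to the first affected run for brevity.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified stand-in for CFRunArrayGuts (added example, not CF code):
 * contiguous runs of (length, attribute) plus the cached total length. */
#define MAX_RUNS 8
typedef struct { long length; const char *attr; } RunItem;
typedef struct { long length; long numBlocks; RunItem list[MAX_RUNS]; } RunArray;

/* The three-run layout from the text for "attribution is hard" (constructed). */
RunArray make_attribution_is_hard(void) {
    RunArray a = { 19, 3, { {11, "bold"}, {4, NULL}, {4, "italic"} } };
    return a;
}

/* The validation commented out at [[ 1 ]], written as location <= total - length
 * so that a huge location + length cannot wrap around and slip past the check. */
bool run_range_ok(const RunArray *a, long location, long length) {
    if (location < 0 || length < 0 || length > a->length) return false;
    return location <= a->length - length;
}

/* Equivalent of blockForLocation: index of the run holding `location`, with that
 * run's start offset and length returned through the out-parameters. */
long block_for_location(const RunArray *a, long location, long *start, long *len) {
    long pos = 0;
    for (long b = 0; b < a->numBlocks; b++) {
        if (location < pos + a->list[b].length) {
            *start = pos;
            *len = a->list[b].length;
            return b;
        }
        pos += a->list[b].length;
    }
    return -1; /* only reachable when location >= total length */
}

/* Steps [[ 2 ]] and [[ 3 ]] of CFRunArrayReplace for the first affected run only,
 * guarded by the check: returns the count removed, or -1 if the range is rejected
 * before any run index is computed (so no out-of-range list[] access can happen). */
long delete_from_first_block(RunArray *a, long location, long length) {
    if (!run_range_ok(a, location, length)) return -1;
    if (length == 0) return 0;
    long start, blen;
    long b = block_for_location(a, location, &start, &blen);
    long toBeDeleted = blen - (location - start);
    if (toBeDeleted > length) toBeDeleted = length;
    a->list[b].length -= toBeDeleted;
    a->length -= toBeDeleted; /* keep the total consistent with the runs */
    return toBeDeleted;
}
```

With the check in place a range such as (15, 5) or (19, 1) is refused up front, whereas without it the lookup returns an index that is then used to touch list[] and release whatever it finds.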
