4 matches found

seebug.org
added 2017/05/27 12:0 a.m., 25 views

Apple MacOS NSUnarchiver Heap Corruption (CVE-2017-2523)

Via NSUnarchiver we can read NSBuiltinCharacterSet with a controlled serialized state. It reads a controlled int using decodeValueOfObjCType:"i" then either passes it to CFCharacterSetGetPredefined or uses it directly to manipulate NSBuiltinSetTable. Neither path has any bounds checking and the...

CVSS 7.5, AI score 8.6, EPSS 0.11484
Exploits: 3
seebug.org
added 2017/05/26 12:0 a.m., 38 views

Apple macOS - Local Privilege Escalation Vulnerability (CVE-2017-6978)

HIServices.framework is used by a handful of daemons and implements its own CFObject serialization mechanism. The entrypoint to the deserialization code is AXUnserializeCFType; it reads a type field and uses that to index an array of function pointers for the support types: const:0000000000053ED0...

CVSS 9.3, AI score 9.5, EPSS 0.04301
Exploits: 2
0day.today
added 2017/05/23 12:0 a.m., 46 views

Apple iOS / macOS - NSUnarchiver Heap Corruption Due to Lack of Bounds Checking in [NSBuiltinCharact

Exploit for multiple platform in category dos / poc. Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1170

Via NSUnarchiver we can read NSBuiltinCharacterSet with a controlled serialized state. It reads a controlled int using decodeValueOfObjCType:"i" then either passes it to...

CVSS 7.5, AI score 8.8, EPSS 0.11484
Exploits: 3
0day.today
added 2017/05/23 12:0 a.m., 52 views

Apple macOS - Local Privilege Escalation Due to Lack of Bounds Checking in HIServices Custom CFObjec

Exploit for macOS platform in category dos / poc. Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1219

HIServices.framework is used by a handful of daemons and implements its own CFObject serialization mechanism. The entrypoint to the deserialization code is AXUnserializeCFType...

CVSS 9.3, AI score 8.7, EPSS 0.04301
Exploits: 2