Apple MacOS NSUnarchiver Heap Corruption(CVE-2017-2523)

Via NSUnarchiver we can read NSBuiltinCharacterSet with a controlled serialized state. It reads a controlled int using decodeValueOfObjCType:"i" then either passes it to CFCharacterSetGetPredefined or uses it directly to manipulate NSBuiltinSetTable. Neither path has any bounds checking and the...

Apple macOSiOS - NSUnarchiver Heap Corruption Due to Lack of Bounds Checking in [NSBuiltinCharacterSet initWithCoder:]

Apple macOSiOS - NSUnarchiver Heap Corruption Due to Lack of Bounds Checking in NSBuiltinCharacterSet initWithCoder: Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1170 Via NSUnarchiver we can read NSBuiltinCharacterSet with a controlled serialized state. It reads a controlled...

Apple macOS/iOS - NSUnarchiver Heap Corruption Due to Lack of Bounds Checking in [NSBuiltinCharacterSet initWithCoder:]

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1170 Via NSUnarchiver we can read NSBuiltinCharacterSet with a controlled serialized state. It reads a controlled int using decodeValueOfObjCType:"i" then either passes it to CFCharacterSetGetPredefined or uses it directly to...

Apple iOS / macOS - NSUnarchiver Heap Corruption Due to Lack of Bounds Checking in [NSBuiltinCharact

Exploit for multiple platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1170 Via NSUnarchiver we can read NSBuiltinCharacterSet with a controlled serialized state. It reads a controlled int using decodeValueOfObjCType:"i" then either passes it to...