Apple iOS / macOS - NSUnarchiver Heap Corruption Due to Lack of Bounds Checking in [NSBuiltinCharact

2017-05-23T00:00:00
ID 1337DAY-ID-27827
Type zdt
Reporter Google Security Research
Modified 2017-05-23T00:00:00

Description

Exploit for multiple platform in category dos / poc

                                        
                                            Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1170
 
Via NSUnarchiver we can read NSBuiltinCharacterSet with a controlled serialized state.
It reads a controlled int using decodeValueOfObjCType:"i" then either passes it to
CFCharacterSetGetPredefined or uses it directly to manipulate __NSBuiltinSetTable.
Neither path has any bounds checking and the index is used to maniupulate c arrays of pointers.
 
Attached python script will generate a serialized NSBuiltinCharacterSet with a value of 42
for the character set identifier.
 
tested on MacOS 10.12.3 (16D32)
 
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42050.zip

#  0day.today [2018-03-19]  #