Lucene search
Google Security Research1337DAY-ID-27827HistoryMay 23, 2017 - 12:00 a.m.
Apple iOS / macOS - NSUnarchiver Heap Corruption Due to Lack of Bounds Checking in [NSBuiltinCharact
2017-05-2300:00:00
Google Security Research
0day.today
27
0.074 Low
EPSS
Percentile
94.1%
Exploit for multiple platform in category dos / poc
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1170
Via NSUnarchiver we can read NSBuiltinCharacterSet with a controlled serialized state.
It reads a controlled int using decodeValueOfObjCType:"i" then either passes it to
CFCharacterSetGetPredefined or uses it directly to manipulate __NSBuiltinSetTable.
Neither path has any bounds checking and the index is used to maniupulate c arrays of pointers.
Attached python script will generate a serialized NSBuiltinCharacterSet with a value of 42
for the character set identifier.
tested on MacOS 10.12.3 (16D32)
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42050.zip
# 0day.today [2018-03-19] #Related
prion
prion
Memory corruption
2017-05-22 05:29:00
cvelist
cvelist
CVE-2017-2523
2017-05-22 04:54:00
cve
cve
CVE-2017-2523
2017-05-22 05:29:01
nvd
nvd
CVE-2017-2523
2017-05-22 05:29:01
seebug
seebug
Apple MacOS NSUnarchiver Heap Corruption(CVE-2017-2523)
2017-05-27 00:00:00
apple
apple
About the security content of watchOS 3.2.2 - Apple Support
2017-06-07 08:52:14
About the security content of watchOS 3.2.2
2017-05-15 00:00:00
About the security content of tvOS 10.2.1
2017-05-15 00:00:00