Apple iOS / macOS - NSUnarchiver Heap Corruption Due to Lack of Bounds Checking in [NSBuiltinCharact

ID 1337DAY-ID-27827
Type zdt
Reporter Google Security Research
Modified 2017-05-23T00:00:00


Exploit for multiple platforms, category: dos / poc

Via NSUnarchiver we can read an NSBuiltinCharacterSet with a controlled serialized state.
It reads a controlled int using decodeValueOfObjCType:"i", then either passes it to
CFCharacterSetGetPredefined or uses it directly to index __NSBuiltinSetTable.
Neither path performs any bounds checking, and the index is used to manipulate C arrays of pointers.

The attached Python script will generate a serialized NSBuiltinCharacterSet with a value of 42
for the character set identifier.

Tested on macOS 10.12.3 (16D32).
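As an added illustration (not part of this advisory and not Apple's code), the lookup pattern described above beside a bounds-checked version; the table name, its contents and its size are assumptions made for the demo, not the real __NSBuiltinSetTable:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed table size for the demo; the real table layout is not on this page. */
#define NUM_PREDEFINED_SETS 16

/* Demo table of pointers indexed by the deserialized identifier. Slot 0 is unused. */
static const char *g_set_table[NUM_PREDEFINED_SETS] = {
    NULL, "control", "whitespace", "whitespaceAndNewline", "decimalDigit", "letter",
    "lowercaseLetter", "uppercaseLetter", "nonBase", "decomposable", "alphanumeric",
    "punctuation", "illegal", "capitalizedLetter", "symbol", "newline",
};

/* The bug pattern: the decoded int indexes the array with no range check, so an
 * identifier such as 42, or a negative value, reads a pointer from unrelated memory. */
const char *lookup_unchecked(int identifier) {
    return g_set_table[identifier]; /* undefined behaviour for identifier < 0 or >= 16 */
}

/* The fix pattern: validate the untrusted index against the table bounds before use
 * and reject unknown identifiers so the caller can fail the unarchive. */
const char *lookup_checked(int identifier) {
    if (identifier < 0 || identifier >= NUM_PREDEFINED_SETS)
        return NULL; /* out of range: refuse rather than index past the array */
    return g_set_table[identifier]; /* NULL for the unused slot 0 */
}

int main(void) {
    int decoded = 42; /* the identifier value this advisory's PoC serializes */
    const char *s = lookup_checked(decoded);
    printf("identifier %d -> %s\n", decoded, s ? s : "rejected");
    return 0;
}
```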
Proof of Concept: