Vulners
Lucene search
FaceTime - readSPSandGetDecoderParams Stack Corruption Exploit
| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
 | Apple iOS < 12.1 Multiple Vulnerabilities | 17 Apr 201900:00 | – | nessus |
| Apple iOS < 12.1 Multiple Vulnerabilities | 31 Oct 201800:00 | – | nessus |
 | About the security content of iOS 12.1 | 30 Oct 201800:00 | – | apple |
| About the security content of iOS 12.1 - Apple Support | 17 Sep 201910:50 | – | apple |
 | CVE-2018-4367 | 6 Nov 201800:00 | – | circl |
 | Apple iOS FaceTime Memory Corruption Vulnerability | 2 Nov 201800:00 | – | cnvd |
 | CVE-2018-4367 | 3 Apr 201917:43 | – | cve |
 | CVE-2018-4367 | 3 Apr 201917:43 | – | cvelist |
 | EUVD-2018-16153 | 7 Oct 202500:30 | – | euvd |
 | Adventures in Video Conferencing Part 2: Fun with FaceTime | 5 Dec 201800:00 | – | googleprojectzero |
10
FaceTime - readSPSandGetDecoderParams Stack Corruption Exploit
There are a variety of problems that occur when processing malformed H264 streams in readSPSandGetDecoderParams, leading to OOB read, OOB write and stack_chk crashes. I think the root cause is stack corruption. This issue can occur if someone accepts a malicious FaceTime call.
To reproduce the issue:
On the target device:
1) build no-encrypt.c (gcc -dynamiclib -o mylib)
2) copy the file to /usr/lib/mylib
3) Use insert_dylib (https://github.com/Tyilo/insert_dylib) to add /usr/lib/mylib to AVConference (insert_dylib --strip-codesig /usr/lib/mylib AVConference)
This will strip encryption to allow the target to receive unencrypted packets. It is also possible to repro this issue using the method described in issue 1634 , but it is much more reliable and debuggable with the unencrypted packets
On the host device:
1) Build video-replay.c attached (gcc -g -dynamiclib -o mylib video-replay.c) and copy to /usr/lib/mylib
2) Use bspatch to apply the attached binpatch to /System/Library/PrivateFrameworks/AVConference.framework/Versions/Current/AVConference. The version I patched has an md5 sum of 0de78198e29ae43e686f59d550150d1b and the patched version has an md5 sum of af5bb770f08e315bf471a0fadcf96cf8. This patch alters SendRTP to retrieve the length of an encrypted packet from offset 0x650 of the encrypted buffer, as the existing code doesn't respect the output size returned from CCCryptorUpdate
3) Use insert_dylib (https://github.com/Tyilo/insert_dylib) to add /usr/lib/mylib to AVConference (insert_dylib --strip-codesig /usr/lib/mylib AVConference)
4) Edit /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb to add /out as allow file read and write
5) Restart the machine
6) Extract the attached sc.zip to /out and change the permissions so it's readable by AVConference
7) Call target, when they pick up, AVConference will crash
When I reproduced this, my host was a Mac mini running version 10.13.6. My target was a MacBook Pro running 10.13.6. This PoC only works on a Mac, but the vulnerable code appears to be in iOS 11.3.1 as well.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45787.zip
# 0day.today [2018-11-06] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
06 Nov 2018 00:00Current
0.2Low risk
Vulners AI Score0.2
EPSS0.06498