Vulners
Lucene search
FaceTime - VCPDecompressionDecodeFrame Memory Corruption Exploit
| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
 | Apple iOS < 12.1 Multiple Vulnerabilities | 17 Apr 201900:00 | – | nessus |
| Apple iOS < 12.1 Multiple Vulnerabilities | 31 Oct 201800:00 | – | nessus |
 | About the security content of iOS 12.1 | 30 Oct 201800:00 | – | apple |
| About the security content of iOS 12.1 - Apple Support | 17 Sep 201910:50 | – | apple |
 | CVE-2018-4366 | 6 Nov 201800:00 | – | circl |
 | Apple iOS FaceTime Denial of Service Vulnerability | 29 Nov 201800:00 | – | cnvd |
 | CVE-2018-4366 | 3 Apr 201917:43 | – | cve |
 | CVE-2018-4366 | 3 Apr 201917:43 | – | cvelist |
 | EUVD-2018-16152 | 7 Oct 202500:30 | – | euvd |
 | Adventures in Video Conferencing Part 2: Fun with FaceTime | 5 Dec 201800:00 | – | googleprojectzero |
10
FaceTime - VCPDecompressionDecodeFrame Memory Corruption Exploit
There is a heap corruption vulnerability in VCPDecompressionDecodeFrame which is called by FaceTime. This bug can be reached if a user accepts a call from a malicious peer.
The issue can be reproduced using the attached sequence of RTP packets. To reproduce the issue:
1) Build video-replay.c attached (gcc -g -dynamiclib -o mylib video-replay.c) and copy to /usr/lib/mylib
2) Use bspatch to apply the attached binpatch to /System/Library/PrivateFrameworks/AVConference.framework/Versions/Current/AVConference. The version I patched has an md5 sum of 0de78198e29ae43e686f59d550150d1b and the patched version has an md5 sum of af5bb770f08e315bf471a0fadcf96cf8. This patch alters SendRTP to retrieve the length of an encrypted packet from offset 0x650 of the encrypted buffer, as the existing code doesn't respect the output size returned from CCCryptorUpdate
3) Use insert_dylib (https://github.com/Tyilo/insert_dylib) to add /usr/lib/mylib to AVConference (insert_dylib --strip-codesig /usr/lib/mylib AVConference)
4) Edit /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb to add /out as allow file read and write
5) Restart the machine
6) Extract the attached out.zip to /out and change the permissions so it's readable by AVConference
7) Call target, when they pick up, AVConference will crash
When I reproduced this, my host was a Mac mini running version 10.13.6. My target was a MacBook Pro running 10.13.6. This PoC only works on a Mac, but the vulnerable code appears to be in iOS 11.3.1 as well.
* thread #27, name = 'com.apple.avconference.soundplayer.recvproc', stop reason = EXC_BAD_ACCESS (code=1, address=0x21c6a1ff6)
frame #0: 0x00007fff6bd71892 VideoProcessing`___lldb_unnamed_symbol2778$$VideoProcessing + 4492
VideoProcessing`___lldb_unnamed_symbol2778$$VideoProcessing:
-> 0x7fff6bd71892 <+4492>: movl (%rcx,%rbx), %r8d
0x7fff6bd71896 <+4496>: bswapl %r8d
0x7fff6bd71899 <+4499>: movl %eax, %ecx
0x7fff6bd7189b <+4501>: shll %cl, %r8d
Target 0: (avconferenced) stopped.
(lldb) bt
* thread #27, name = 'com.apple.avconference.soundplayer.recvproc', stop reason = EXC_BAD_ACCESS (code=1, address=0x21c6a1ff6)
* frame #0: 0x00007fff6bd71892 VideoProcessing`___lldb_unnamed_symbol2778$$VideoProcessing + 4492
frame #1: 0x00007fff6bd976b6 VideoProcessing`___lldb_unnamed_symbol3007$$VideoProcessing + 117
frame #2: 0x00007fff6bda4eb9 VideoProcessing`___lldb_unnamed_symbol3043$$VideoProcessing + 513
frame #3: 0x00007fff6bda4b76 VideoProcessing`___lldb_unnamed_symbol3042$$VideoProcessing + 560
frame #4: 0x00007fff6bd6b252 VideoProcessing`___lldb_unnamed_symbol2741$$VideoProcessing + 4206
frame #5: 0x00007fff53cf67f4 VideoToolbox`___lldb_unnamed_symbol79$$VideoToolbox + 1233
frame #6: 0x00007fff53cf5373 VideoToolbox`___lldb_unnamed_symbol59$$VideoToolbox + 401
frame #7: 0x00007fff6bca7381 VideoProcessing`VCPDecompressionSessionDecodeFrame + 423
frame #8: 0x000000010bb86bab AVConference`VideoPlayer_ShowFrame + 1384
frame #9: 0x000000010bb8cf98 AVConference`VideoReceiver_ShowFrame + 740
frame #10: 0x000000010bb8c5be AVConference`VideoReceiver_VideoAlarm + 720
frame #11: 0x000000010bb78933 AVConference`SoundPlayer_AlarmThread + 364
frame #12: 0x00007fff484fe98b CoreMedia`figThreadMain + 277
frame #13: 0x00007fff6f6a6661 libsystem_pthread.dylib`_pthread_body + 340
frame #14: 0x00007fff6f6a650d libsystem_pthread.dylib`_pthread_start + 377
frame #15: 0x00007fff6f6a5bf9 libsystem_pthread.dylib`thread_start + 13
I've improved the PoC a lot for this, an updated video-replay.c is attached. This version does not require the binary patch for the sender binary, other than adding the library with insert_dylib. So to use this one:
1) Build video-replay.c attached (g++ -std=c++11 -g -dynamiclib -o mylib video-replay.c) and copy to /usr/lib/mylib
2) Use insert_dylib (https://github.com/Tyilo/insert_dylib) to add /usr/lib/mylib to AVConference (insert_dylib --strip-codesig /usr/lib/mylib AVConference)
3) Edit /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb to add /out as allow file read and write
4) Restart the machine
5) Extract the attached out.zip to /out and change the permissions so it's readable by AVConference
6) Call target with FaceTime, when they pick up, AVConference will crash
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45788.zip
# 0day.today [2018-11-06] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
06 Nov 2018 00:00Current
0.5Low risk
Vulners AI Score0.5
EPSS0.06448