FaceTime – ‘VCPDecompressionDecodeFrame’ Memory Corruption

• Exploit Database
• 85 阅读

• 作者： Google Security Research
  日期： 2018-11-06
• 类别：

  • dos
  平台：

  • macos
• 来源：https://www.exploit-db.com/exploits/45788/

• There is a heap corruption vulnerability in VCPDecompressionDecodeFrame which is called by FaceTime. This bug can be reached if a user accepts a call from a malicious peer.
  
  The issue can be reproduced using the attached sequence of RTP packets. To reproduce the issue:
  
  1) Build video-replay.c attached (gcc -g -dynamiclib -o mylib video-replay.c) and copy to /usr/lib/mylib
  2) Use bspatch to apply the attached binpatch to /System/Library/PrivateFrameworks/AVConference.framework/Versions/Current/AVConference. The version I patched has an md5 sum of 0de78198e29ae43e686f59d550150d1b and the patched version has an md5 sum of af5bb770f08e315bf471a0fadcf96cf8. This patch alters SendRTP to retrieve the length of an encrypted packet from offset 0x650 of the encrypted buffer, as the existing code doesn't respect the output size returned from CCCryptorUpdate
  3) Use insert_dylib (https://github.com/Tyilo/insert_dylib) to add /usr/lib/mylib to AVConference (insert_dylib --strip-codesig /usr/lib/mylib AVConference)
  4) Edit /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb to add /out as allow file read and write
  5) Restart the machine
  6) Extract the attached out.zip to /out and change the permissions so it's readable by AVConference
  7) Call target, when they pick up, AVConference will crash
  
  When I reproduced this, my host was a Mac mini running version 10.13.6. My target was a MacBook Pro running 10.13.6. This PoC only works on a Mac, but the vulnerable code appears to be in iOS 11.3.1 as well.
  
  * thread #27, name = 'com.apple.avconference.soundplayer.recvproc', stop reason = EXC_BAD_ACCESS (code=1, address=0x21c6a1ff6)
  frame #0: 0x00007fff6bd71892 VideoProcessing`___lldb_unnamed_symbol2778$$VideoProcessing + 4492
  VideoProcessing`___lldb_unnamed_symbol2778$$VideoProcessing:
  ->0x7fff6bd71892 <+4492>: movl (%rcx,%rbx), %r8d
  0x7fff6bd71896 <+4496>: bswapl %r8d
  0x7fff6bd71899 <+4499>: movl %eax, %ecx
  0x7fff6bd7189b <+4501>: shll %cl, %r8d
  Target 0: (avconferenced) stopped.
  (lldb) bt
  * thread #27, name = 'com.apple.avconference.soundplayer.recvproc', stop reason = EXC_BAD_ACCESS (code=1, address=0x21c6a1ff6)
  * frame #0: 0x00007fff6bd71892 VideoProcessing`___lldb_unnamed_symbol2778$$VideoProcessing + 4492
  frame #1: 0x00007fff6bd976b6 VideoProcessing`___lldb_unnamed_symbol3007$$VideoProcessing + 117
  frame #2: 0x00007fff6bda4eb9 VideoProcessing`___lldb_unnamed_symbol3043$$VideoProcessing + 513
  frame #3: 0x00007fff6bda4b76 VideoProcessing`___lldb_unnamed_symbol3042$$VideoProcessing + 560
  frame #4: 0x00007fff6bd6b252 VideoProcessing`___lldb_unnamed_symbol2741$$VideoProcessing + 4206
  frame #5: 0x00007fff53cf67f4 VideoToolbox`___lldb_unnamed_symbol79$$VideoToolbox + 1233
  frame #6: 0x00007fff53cf5373 VideoToolbox`___lldb_unnamed_symbol59$$VideoToolbox + 401
  frame #7: 0x00007fff6bca7381 VideoProcessing`VCPDecompressionSessionDecodeFrame + 423
  frame #8: 0x000000010bb86bab AVConference`VideoPlayer_ShowFrame + 1384
  frame #9: 0x000000010bb8cf98 AVConference`VideoReceiver_ShowFrame + 740
  frame #10: 0x000000010bb8c5be AVConference`VideoReceiver_VideoAlarm + 720
  frame #11: 0x000000010bb78933 AVConference`SoundPlayer_AlarmThread + 364
  frame #12: 0x00007fff484fe98b CoreMedia`figThreadMain + 277
  frame #13: 0x00007fff6f6a6661 libsystem_pthread.dylib`_pthread_body + 340
  frame #14: 0x00007fff6f6a650d libsystem_pthread.dylib`_pthread_start + 377
  frame #15: 0x00007fff6f6a5bf9 libsystem_pthread.dylib`thread_start + 13
  
  I've improved the PoC a lot for this, an updated video-replay.c is attached.This version does not require the binary patch for the sender binary, other than adding the library with insert_dylib. So to use this one:
  
  1) Build video-replay.c attached (g++ -std=c++11 -g -dynamiclib -o mylib video-replay.c) and copy to /usr/lib/mylib
  2) Use insert_dylib (https://github.com/Tyilo/insert_dylib) to add /usr/lib/mylib to AVConference (insert_dylib --strip-codesig /usr/lib/mylib AVConference)
  3) Edit /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb to add /out as allow file read and write
  4) Restart the machine
  5) Extract the attached out.zip to /out and change the permissions so it's readable by AVConference
  6) Call target with FaceTime, when they pick up, AVConference will crash
  
  
  Proof of Concept:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45788.zip
  

  Swift

  Copy