Apple macOS/iOS – NSUnarchiver Heap Corruption Due to Lack of Bounds Checking in [NSBuiltinCharacterSet initWithCoder:]

• Exploit Database
• 21 阅读

• 作者： Google Security Research
  日期： 2017-05-23
• 类别：

  • dos
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/42050/

• Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1170
  
  Via NSUnarchiver we can read NSBuiltinCharacterSet with a controlled serialized state.
  It reads a controlled int using decodeValueOfObjCType:"i" then either passes it to
  CFCharacterSetGetPredefined or uses it directly to manipulate __NSBuiltinSetTable.
  Neither path has any bounds checking and the index is used to maniupulate c arrays of pointers.
  
  Attached python script will generate a serialized NSBuiltinCharacterSet with a value of 42
  for the character set identifier.
  
  tested on MacOS 10.12.3 (16D32)
  
  
  Proof of Concept:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42050.zip