SSD Advisory – iOS/macOS Safari Sandbox Escape via QuartzCore Heap Overflow

Credit to Author: SSD / Ori Nimron| Date: Sun, 02 Dec 2018 13:08:59 +0000

Vulnerabilities Summary
QuartzCore ( https://developer.apple.com/documentation/quartzcore ), also known as CoreAnimation, is a framework use by macOS and iOS to build an animatable scene graph. CoreAnimation uses a unique rendering model where the graphics operations are run in a separate process. On macOS, the process is WindowServer and on iOS the name is backboardd. Both of these process are out of sandbox and have the right to call setuid. The service name QuartzCore is usually referenced as CARenderServer. This service exists on both macOS and iOS and can be accessed from the Safarisandbox and therefore has been used for Pwn2Own on many occasions. There exists an integer overflow which can lead to heap over flow in QuartzCore on latest macOS/iOS.

Vendor Response
“CoreAnimation Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4415: Liang Zhuo working with Beyond Security’s SecuriTeam Secure Disclosure”

CVE
CVE-2018-4415

Credit
An independent Security Researcher, Zhuo Liang, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Affected systems
macOS 10.14
iOS 12.10

Vulnerability Details
The root cause of this vulnerability lies in QuartzCore`CA::Render::InterpolatedFunction::InterpolatedFunction function, this function does not notice the case of integer overflow. In the
sections will discuss the details of this vulnerability on both macOS and iOS.

macOS 10.14
On macOS, there is an useful API to retrive open the CARenderService named CGSCreateLayerContext(Not exists on iOS). The attacker can send messages to the service port with message id 0x9C42 or 0x9C43. When the process(server_thread, actually) receives this message of the specified message ids, it will go into a procedure like deserialization. With proper data fed the execution stream will go into function CA::Render::InterpolatedFunction::InterpolatedFunction.

Notice at (a) and (b) the value of these two member can be controlled by attacker(CA uses functions like CA::Render::Decoder::decode* to deserialize objects), and in CA::Render::InterpolatedFunction::allocate_storage function, these values will be used to decide the size of memory to be allocate.

At (d), v3 is controlled by values at (a) and (b). And v4 at (e) can also be controlled by attacker at (c). So the size of the memory to allocate is 4 * (v4 + v3). But look at (f) carefully, the third parameter passed to CA::Render::Decoder::decode_bytes is actually 4 * v3. The simplest form of CA::Render::Decoder::decode_bytes at (f) is like memcpy(v2, v8, 4 * v3) or memset(v2, 0, 4 * v3). So the heap overflow leading by integer overflow happens when 4 * (v4 + v3) overflows but 4 * v3 not. The proof combination of those attacker controlled values which can lead to proper integer overflow can be found in the exploit in the end of this advisory.

Reproduction of this issue on macOS can be done as follows:
1. clang QuartzCoreFunctionIntOverFlow.c -o
quartz_core_function_over_flow -framework CoreGraphics
2. ./quartz_core_function_over_flow

iOS 12.10
Since the root cause of this issue is apparent and the code on iOS and macOS is almost the same. In this section We will only discuss the different points between iOS and macOS.

• There isn’t any API like CGSCreateLayerContext on macOS that can get the CoreAnimation rendering context directly, but through exploring we found the MIG function _XRegisterClient can be used to replace CGSCreateLayerContext. First, attacker should open the service com.apple.CARenderServer(Can be accessed from sandbox), and then call _XRegisterClient by mach_msg with message id 40202.
• To reproruce this issue on iOS 12 beta, you should use latest 1Xcode-beta(For latest SDK).
• You should import IOKit framework headers according www.malhal.com. Note that the destination directories should be changed to your Xcode-beta Application.
• The code lies in function application didFinishLaunchingWithOptions, and will be triggerd when the application starts.
• When the Application has been installed, just start the applicationios-sbe.

 

Exploit

Print Friendly, PDF & Email

https://blogs.securiteam.com/index.php/feed