Status: Fixed
Closed: May 2017
NSUnarchiver heap corruption due to lack of bounds checking in [NSBuiltinCharacterSet initWithCoder:]
Project Member Reported by ianbeer@google.com, Mar 8 2017
Via NSUnarchiver we can read NSBuiltinCharacterSet with a controlled serialized state.
It reads a controlled int using decodeValueOfObjCType:"i" then either passes it to
CFCharacterSetGetPredefined or uses it directly to manipulate __NSBuiltinSetTable.
Neither path has any bounds checking and the index is used to manipulate C arrays of pointers.

Attached python script will generate a serialized NSBuiltinCharacterSet with a value of 42
for the character set identifier.

tested on MacOS 10.12.3 (16D32)
 
Attachment: builtincharset.zip (1.7 KB)
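A toy model of the bug class described in the report, added here as an example; it is not Apple's code and not the attached script. A decoder reads a 32-bit identifier out of attacker-controlled bytes (the analogue of decodeValueOfObjCType:"i") and uses it to index a C array of pointers, once without any range check and once with the check the report says is missing. The table size of 12, the set names, the 4-byte little-endian wire layout and the three payloads are all constructed for the illustration and say nothing about the real NSUnarchiver format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical size of the built-in set table (assumption for this toy). */
#define NUM_BUILTIN 12

typedef struct { const char *name; } charset_t;

static charset_t  g_storage[NUM_BUILTIN];
static charset_t *g_builtin_table[NUM_BUILTIN];   /* C array of pointers */
static int        g_table_ready;

/* Build the pointer table on first use; names are illustrative only. */
static void init_table(void) {
    static const char *names[NUM_BUILTIN] = {
        "control", "whitespace", "whitespaceAndNewline", "decimalDigit",
        "letter", "lowercaseLetter", "uppercaseLetter", "nonBase",
        "decomposable", "alphanumeric", "punctuation", "illegal" };
    if (g_table_ready) return;
    for (int i = 0; i < NUM_BUILTIN; i++) {
        g_storage[i].name = names[i];
        g_builtin_table[i] = &g_storage[i];
    }
    g_table_ready = 1;
}

/* Stand-in for decodeValueOfObjCType:"i": pull one int off the stream.
 * Wire format assumed: 4 bytes, little-endian (constructed for the toy). */
static int decode_int(const uint8_t *buf, size_t len, size_t *pos, int32_t *out) {
    if (*pos > len || len - *pos < sizeof(uint32_t)) return 0;
    uint32_t raw;
    memcpy(&raw, buf + *pos, sizeof raw);
    *pos += sizeof raw;
    *out = (int32_t)raw;
    return 1;
}

/* Vulnerable shape: the decoded int indexes the table with no range check,
 * so an id of 42 (or a negative one) reads a pointer past either end of the
 * array. Kept only to show the pattern; never feed it an untrusted id. */
static charset_t *lookup_unchecked(int32_t id) {
    init_table();
    return g_builtin_table[id];
}

/* Hardened shape: one unsigned comparison rejects negatives and large ids. */
static charset_t *lookup_checked(int32_t id) {
    init_table();
    if ((uint32_t)id >= NUM_BUILTIN) return NULL;
    return g_builtin_table[id];
}

/* True when an identifier would drive lookup_unchecked out of bounds. */
static int id_is_out_of_range(int32_t id) {
    return (uint32_t)id >= NUM_BUILTIN;
}

/* Decode a serialized built-in set through the checked path.
 * Returns the set name, or NULL when the stream is short or the id is bad. */
static const char *decode_builtin_name(const uint8_t *buf, size_t len) {
    size_t pos = 0;
    int32_t id;
    if (!decode_int(buf, len, &pos, &id)) return NULL;
    charset_t *cs = lookup_checked(id);
    return cs ? cs->name : NULL;
}

int main(void) {
    /* Constructed payloads: id 3 (in range), id 42 (the reporter's value), id -1. */
    const uint8_t good[4]  = {0x03, 0x00, 0x00, 0x00};
    const uint8_t bad42[4] = {0x2a, 0x00, 0x00, 0x00};
    const uint8_t neg[4]   = {0xff, 0xff, 0xff, 0xff};
    const char *n;
    n = decode_builtin_name(good, sizeof good);   printf("id 3  -> %s\n", n ? n : "rejected");
    n = decode_builtin_name(bad42, sizeof bad42); printf("id 42 -> %s\n", n ? n : "rejected");
    n = decode_builtin_name(neg, sizeof neg);     printf("id -1 -> %s\n", n ? n : "rejected");
    /* The unchecked path agrees with the checked one only while the id is in range. */
    printf("unchecked id 3 -> %s\n", lookup_unchecked(3)->name);
    return 0;
}
```

The fix is a single comparison before the array access; casting the signed id to unsigned turns the two-sided check into one and also catches the negative case that a naive `id >= NUM_BUILTIN` test would miss.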
Project Member Comment 1 by ianbeer@google.com, Mar 8 2017
Labels: Reported-2017-Mar-09
Project Member Comment 2 by ianbeer@google.com, Mar 8 2017
Labels: Id-660945109
Project Member Comment 3 by ianbeer@google.com, May 23 2017
Labels: CVE-2017-2523
Status: Fixed
Fixed in MacOS 10.12.5: https://support.apple.com/en-us/HT207797
Fixed in iOS 10.3.2: https://support.apple.com/kb/HT207798

This issue was missing from the original published advisories but they were updated on Monday May 22 2017 to include this issue.
Project Member Comment 4 by ianbeer@google.com, May 23 2017
Labels: -Restrict-View-Commit