1175 - iOS/OS X NSKeyedArchiver memory corruption due to lack of bounds checking in CAMediaTimingFunctionBuiltin - project-zero

Starred by 2 users

Status:	Fixed
Owner:	ianbeer@google.com
Closed:	May 2017
Cc:	project-...@google.com
Finder-ianbeer Deadline-90 Vendor-Apple CCProjectZeroMembers Severity-High Product-MacOS Id-661033654 Reported-2017-Mar-10 Fixed-2017-May-15 CVE-2017-2527

iOS/OS X NSKeyedArchiver memory corruption due to lack of bounds checking in CAMediaTimingFunctionBuiltin

Project Member Reported by ianbeer@google.com, Mar 10 2017

Back to list

CAMediaTimingFunctionBuiltin is a class in QuartzCore. Its initWithCoder: method
reads an Int "index" then passes that to builtin_function

  mov     ebx, edi <-- controlled unsigned int
  mov     r14d, ebx
  lea     r15, __ZL9functions_0 ; functions
  mov     rax, [r15+r14*8]

if rax is non-null it's returned as an objective-c object pointer and the objective-c retain
selector is sent to it.

Serialized poc in attached file with an index of 12345678.

tested on MacOS 10.12.3 (16D32)

functionbuiltin.zip
1.2 KB Download

Project Member Comment 1 by ianbeer@google.com, Mar 10 2017

Labels: Id-661033654 Reported-2017-Mar-10

Project Member Comment 2 by ianbeer@google.com, May 17 2017

Labels: -Product-iOS Product-MacOS Fixed-2017-May-15 CVE-2017-2527

Fixed in MacOS 10.12.5: https://support.apple.com/en-us/HT207797

Project Member Comment 3 by ianbeer@google.com, May 17 2017

Status: Fixed

Project Member Comment 4 by ianbeer@google.com, May 23 2017

Labels: -Restrict-View-Commit

► Sign in to add a comment