Status: Fixed
Closed: Apr 2015
OS X sandbox escape due to fontd trusting client-supplied pointers
Reported by ianbeer@google.com (Project Member), Jan 24 2015
The bug is pretty simple - the com.apple.FontObjectsServer method with msgh_id 0x2c calls DoHandleXTURLActionMessage, which treats the first qword in the controlled Mach message payload as an Objective-C object pointer. This makes no sense and is pretty trivial to turn into reliable arbitrary code execution.

com.apple.FontObjectsServer is implemented in libATSServer.dylib, which is loaded in the fontd process.
fontd isn't sandboxed, and it's reachable from most sandboxes, including Safari and Chrome renderers.

This PoC will run the shell command you give it below as a regular, unsandboxed user. Build it as a dylib to easily load it inside a sandboxed process to demonstrate the impact.

PoC tested on Yosemite 10.10.1; a bunch of offsets are hardcoded for that version, so you will have to fix the ROP for other versions.
Attachment: fontd_client.c (9.3 KB)
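Added example, not code from this report's PoC and not Apple's fontd/libATSServer implementation: a constructed C model of the bug class described above, an IPC handler that casts the first qword of a client-controlled payload to an object pointer, placed beside a hardened variant in which clients only ever hold small opaque handles that the server resolves through a table it owns. The FontObject type, the message layout, the handle table, the URL field and the return codes are all assumptions made for illustration; only the message id 0x2c is taken from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a server-side object that the URL-action message
   is supposed to operate on.  Not a real fontd type. */
typedef struct {
    int (*handle_url_action)(const char *url);
} FontObject;

/* Simplified stand-in for the Mach message: a header id plus an inline,
   fully client-controlled payload.  Layout is an assumption. */
#define PAYLOAD_LEN 32
typedef struct {
    uint32_t msgh_id;
    uint8_t  payload[PAYLOAD_LEN];
} ClientMessage;

#define MSG_ID_XT_URL_ACTION 0x2c   /* the only value taken from the report */

/* Stand-in for the real action: reports whether the URL looks like http(s). */
static int url_action_impl(const char *url) {
    return strncmp(url, "http", 4) == 0;
}

/* Returns the NUL-terminated URL that follows the 8-byte object field, or
   NULL when the client sent no terminator inside the buffer. */
static const char *payload_url(const ClientMessage *msg) {
    const char *s = (const char *)msg->payload + 8;
    if (memchr(s, '\0', PAYLOAD_LEN - 8) == NULL) return NULL;
    return s;
}

/* VULNERABLE PATTERN: the first qword of client data is cast straight to an
   object pointer and called through.  A sandboxed client can put any value
   here and the unsandboxed server dereferences it. */
int vulnerable_dispatch(const ClientMessage *msg) {
    if (msg->msgh_id != MSG_ID_XT_URL_ACTION) return -1;
    uint64_t raw;
    memcpy(&raw, msg->payload, sizeof raw);
    FontObject *obj = (FontObject *)(uintptr_t)raw;      /* trusted blindly */
    const char *url = payload_url(msg);
    if (url == NULL) return -1;
    return obj->handle_url_action(url);
}

/* HARDENED PATTERN: clients never see server pointers.  The server issues a
   small handle at registration time and resolves it through a table it
   controls, rejecting anything that does not name a live object. */
#define MAX_HANDLES 16
static FontObject *handle_table[MAX_HANDLES];

int register_object(FontObject *obj) {
    for (int i = 0; i < MAX_HANDLES; i++) {
        if (handle_table[i] == NULL) { handle_table[i] = obj; return i; }
    }
    return -1;                                           /* table full */
}

void release_object(int handle) {
    if (handle >= 0 && handle < MAX_HANDLES) handle_table[handle] = NULL;
}

int hardened_dispatch(const ClientMessage *msg) {
    if (msg->msgh_id != MSG_ID_XT_URL_ACTION) return -1;
    uint64_t handle;
    memcpy(&handle, msg->payload, sizeof handle);
    if (handle >= (uint64_t)MAX_HANDLES) return -2;      /* forged / out of range */
    FontObject *obj = handle_table[handle];
    if (obj == NULL) return -2;                          /* stale or never issued */
    const char *url = payload_url(msg);
    if (url == NULL) return -1;
    return obj->handle_url_action(url);
}

/* Builds a message whose first qword is `first` and whose URL field is `url`
   (silently truncated to fit; the buffer always stays NUL-terminated). */
ClientMessage make_message(uint64_t first, const char *url) {
    ClientMessage m;
    memset(&m, 0, sizeof m);
    m.msgh_id = MSG_ID_XT_URL_ACTION;
    memcpy(m.payload, &first, sizeof first);
    strncpy((char *)m.payload + 8, url, PAYLOAD_LEN - 8 - 1);
    return m;
}

/* A cooperative client handing the vulnerable server a genuine pointer: the
   call "works", which is exactly why the pattern survives testing. */
int cooperative_client_check(void) {
    static FontObject obj = { url_action_impl };
    ClientMessage m = make_message((uint64_t)(uintptr_t)&obj, "http://example.com/");
    return vulnerable_dispatch(&m);
}

/* Exercises the hardened path with a valid handle, a forged qword of the
   kind an attacker would send, and a stale handle; returns 1 if all behave. */
int hardened_check(void) {
    static FontObject obj = { url_action_impl };
    int h = register_object(&obj);
    ClientMessage good   = make_message((uint64_t)h, "http://example.com/");
    ClientMessage forged = make_message(0x4141414141414141ULL, "http://example.com/");
    int ok = hardened_dispatch(&good) == 1 && hardened_dispatch(&forged) == -2;
    release_object(h);
    return ok && hardened_dispatch(&good) == -2;
}
```

The forged message is never passed to vulnerable_dispatch here, since that would simply crash (or, with a chosen pointer, run the attacker's ROP chain, which is the report's point); the contrast the example draws is that hardened_dispatch refuses the same bytes before any dereference happens.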
Project Member Comment 1 by ianbeer@google.com, Jan 24 2015
Labels: Reported-2015-Jan-24 Id-617956035
Project Member Comment 2 by ianbeer@google.com, Apr 9 2015
Labels: CVE-2015-1131 Fixed-2015-Apr-08
Status: Fixed
https://support.apple.com/en-us/HT204659
Project Member Comment 3 by ianbeer@google.com, Apr 22 2015
Labels: -Restrict-View-Commit