232 - OS X sandbox escape due to fontd trusting client-supplied pointers - project-zero

Starred by 4 users

Status:	Fixed
Owner:	ianbeer@google.com
Closed:	Apr 2015
Cc:	project-...@google.com
Id-617956035 CVE-2015-1131 Finder-ianbeer Deadline-90 Fixed-2015-Apr-08 Vendor-Apple Product-fontd Reported-2015-Jan-24 CCProjectZeroMembers Severity-High

OS X sandbox escape due to fontd trusting client-supplied pointers

Project Member Reported by ianbeer@google.com, Jan 24 2015

Back to list

The bug is pretty simple - the com.apple.FontObjectsServer method with msgh_id 0x2c calls DoHandleXTURLActionMessage which
treats the first qword in the controlled mach message payload as an objective-c object pointer. This makes no sense and
is pretty trivial to turn into reliable arbitrary code execution.

com.apple.FontObjectsServer is implemented in libATSServer.dylib which is loaded in the fontd process.
fontd isn't sandboxed and it's reachable from most sandboxes including safari and chrome renderers.

This PoC will run the shell command you give it below as a regular, unsandboxed user. Build it as a dylib
to easily load it inside a sandboxed process to demonstrate the impact.

PoC tested on Yosemite 10.10.1 - a bunch of offsets are hardcoded for that version, you will have to fix the ROP for other versions.

fontd_client.c
9.3 KB Download

Project Member Comment 1 by ianbeer@google.com, Jan 24 2015

Labels: Reported-2015-Jan-24 Id-617956035

Project Member Comment 2 by ianbeer@google.com, Apr 9 2015

Labels: CVE-2015-1131 Fixed-2015-Apr-08
Status: Fixed

https://support.apple.com/en-us/HT204659

Project Member Comment 3 by ianbeer@google.com, Apr 22 2015

Labels: -Restrict-View-Commit

► Sign in to add a comment