Status: Fixed
Closed: Apr 2015
OS X sandbox escape due to multiple heap corruption bugs in fontd (FODBReviveFromDumpFile)
Project Member Reported by ianbeer@google.com, Jan 28 2015
See issue 235 for how to reach this function with a controlled file.

FODBReviveFromDumpFile performs no bounds checking when parsing complicated attacker-controlled data. I've attached PoCs for three separate bugs here but there are many many more similar issues in this function. It appears to not have been written expecting to parse attacker-controlled data.

PoCs tested against OS X 10.10.2

fontd is an unsandboxed daemon reachable from many sandboxes including chrome and safari renderer processes.
Attachments: fontd_1e_240_one.c (3.7 KB), fontd_1e_238.c (3.6 KB), fontd_1e_250.c (3.7 KB)
Project Member Comment 1 by ianbeer@google.com, Jan 28 2015
Labels: Reported-2015-Jan-28 Id-618130643
Comment 2 by cevans@google.com, Jan 31 2015
Owner: ianbeer@google.com
(Setting owner to ianbeer@, since he's running vendor comms for this case)
Project Member Comment 3 by ianbeer@google.com, Apr 9 2015
Labels: CVE-2015-1133 Fixed-2015-Apr-08
Status: Fixed
https://support.apple.com/en-us/HT204659
Project Member Comment 4 by ianbeer@google.com, Apr 22 2015
Labels: -Restrict-View-Commit