Status: Fixed
Closed: Oct 2015
OS X coreaudiod calls uninitialized function pointer
Project Member Reported by ianbeer@google.com, Jul 28 2015
Reporting on behalf of Mark Brand:

/usr/sbin/coreaudiod vends the com.apple.audio.coreaudiod service. As well as the MIG services implemented in the subsystem at off_1000DCDA0, this service also listens for a handful of other msgh_ids via the CFRunLoopSourceCreate call in sub_10007693E. This initializes a CFRunLoopSourceContext1 struct, setting the perform callback to sub_100076ABA and mallocing a 0x28 byte buffer for the info struct to be passed as the fourth argument to the perform callback. sub_10007693E doesn't initialize all the fields of this structure, and if we send a mach message with msgh_id = 0x46 then the perform handler will call the uninitialized function pointer at offset 0x10 in this structure.

I am able to reproduce the crash without MallocPreScribble enabled, but that would obviously make the crash even clearer.

com.apple.audio.coreaudiod is reachable from various sandboxes, including the Safari renderer. coreaudiod is sandboxed and runs as its own user; nevertheless, it has access to various other interesting attack surfaces which Safari doesn't, allowing this bug to potentially form part of a full sandbox escape chain.

PoC tested on OS X 10.10.4 14E46.

Attachment: marks_poc_coreaudiod_min.py (4.2 KB)
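The defect class described in the report, reduced to a stand-alone C example added here (this is not Apple's code and not the attached PoC): a heap block is malloc'd, only some of its fields are written, and a callback later dispatches through the function pointer that was never set. The `source_info_t` layout, the field names and the `perform_checked`/`source_info_create` functions are assumptions for illustration; only the 0x28-byte size and the 0x10 pointer offset come from the report. The last function mimics what MallocPreScribble does for this bug: it pre-fills the block with a pattern and then checks whether the partial initialiser left that pattern in the pointer slot, which is the check a reviewer or fuzz harness would want.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 0x28-byte "info" block handed to a run-loop source's perform
 * callback. Field names and layout are assumptions for this example; only the
 * total size (0x28) and the pointer offset (0x10) are taken from the report. */
typedef struct {
    uint64_t state;                                        /* +0x00 */
    void    *owner;                                        /* +0x08 */
    int    (*on_message)(uint32_t msgh_id, void *owner);   /* +0x10 */
    uint64_t reserved[2];                                  /* +0x18 .. +0x27 */
} source_info_t;

/* Bug pattern: initialise only some fields of a malloc'd block. Whatever the
 * allocator left at +0x10 becomes the "handler" the callback will call. */
void source_info_init_partial(source_info_t *info, void *owner) {
    info->state = 1;
    info->owner = owner;
    /* on_message and reserved are never written */
}

/* Fix 1: a constructor that zero-fills the block and sets every field
 * explicitly, so an unset handler is a defined NULL rather than heap garbage. */
source_info_t *source_info_create(void *owner,
                                  int (*handler)(uint32_t, void *)) {
    source_info_t *info = calloc(1, sizeof *info);   /* every byte defined */
    if (info == NULL)
        return NULL;
    info->state = 1;
    info->owner = owner;
    info->on_message = handler;                      /* NULL means "no handler" */
    return info;
}

/* Fix 2: the perform callback refuses to dispatch through an unset handler
 * instead of trusting the pointer unconditionally. Returns -1 if dropped. */
int perform_checked(source_info_t *info, uint32_t msgh_id) {
    if (info == NULL || info->on_message == NULL)
        return -1;                                   /* drop the message */
    return info->on_message(msgh_id, info->owner);
}

/* Constructed sample handler: echoes the message id it was given. */
static int sample_handler(uint32_t msgh_id, void *owner) {
    (void)owner;
    return (int)msgh_id;
}

/* Detection aid in the spirit of MallocPreScribble: fill the block with 0xAA
 * before the partial initialiser runs, then inspect the bytes at +0x10.
 * Returns 1 if the handler slot still holds the fill pattern (uninitialised). */
int pointer_slot_left_uninitialised(void) {
    uint64_t raw[sizeof(source_info_t) / sizeof(uint64_t)];   /* 8-byte aligned */
    memset(raw, 0xAA, sizeof raw);
    source_info_t *info = (source_info_t *)raw;
    source_info_init_partial(info, NULL);

    const uint8_t *bytes = (const uint8_t *)raw;
    for (size_t i = 0; i < sizeof(void *); i++) {
        if (bytes[0x10 + i] != 0xAA)
            return 0;                                /* something wrote the slot */
    }
    return 1;                                        /* handler pointer is garbage */
}

int main(void) {
    printf("sizeof(source_info_t) = 0x%zx, on_message at +0x%zx\n",
           sizeof(source_info_t), offsetof(source_info_t, on_message));
    printf("partial init leaves handler slot uninitialised: %s\n",
           pointer_slot_left_uninitialised() ? "yes" : "no");

    source_info_t *no_handler = source_info_create(NULL, NULL);
    printf("dispatch with no handler -> %d (dropped)\n",
           perform_checked(no_handler, 0x46));
    free(no_handler);

    source_info_t *with_handler = source_info_create(NULL, sample_handler);
    printf("dispatch with handler   -> 0x%x\n",
           perform_checked(with_handler, 0x46));
    free(with_handler);
    return 0;
}
```

Zero-filling alone is only half of the fix: a NULL handler would still be a NULL-pointer call unless the callback checks it, which is why the example pairs `calloc` with the check in `perform_checked`. For a real audit, MallocPreScribble (or a pattern fill as above) turns a silent garbage call into an immediate, recognisable crash on the fill value.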
Project Member Comment 1 by ianbeer@google.com, Jul 28 2015
Labels: Reported-2015-Jul-28 Id-626019134
Project Member Comment 2 by ianbeer@google.com, Oct 22 2015
Labels: CVE-2015-7003
Status: Fixed
Apple advisory: https://support.apple.com/en-us/HT205375
Project Member Comment 3 by ianbeer@google.com, Oct 22 2015
Labels: Fixed-2015-Oct-21
Project Member Comment 4 by ianbeer@google.com, Jan 27 2016
Labels: -Restrict-View-Commit