Apple iOS/macOS - NSKeyedArchiver Memory Corruption Due to Lack of Bounds Checking in 'CAMediaTimingFunctionBuiltin'

EDB-ID: 42052
Author: Google Security Research
Published: 2017-05-23
CVE: CVE-2017-2527
Type: Dos
Platform: Multiple
Aliases: N/A
Advisory/Source: Link
Tags: N/A
Vulnerable App: N/A

CAMediaTimingFunctionBuiltin is a class in QuartzCore. Its initWithCoder: method
reads an Int "index" then passes that to builtin_function

mov ebx, edi <-- controlled unsigned int
mov r14d, ebx
lea r15, __ZL9functions_0 ; functions
mov rax, [r15+r14*8]

if rax is non-null it's returned as an objective-c object pointer and the objective-c retain
selector is sent to it.

Serialized poc in attached file with an index of 12345678.

tested on MacOS 10.12.3 (16D32)

Proof of Concept:

Related Posts