Apple iOS/macOS - NSUnarchiver Heap Corruption Due to Lack of Bounds Checking in [NSBuiltinCharacterSet initWithCoder:]

EDB-ID: 42050
Author: Google Security Research
Published: 2017-05-23
CVE: CVE-2017-2523
Type: DoS
Platform: Multiple
Aliases: N/A
Tags: N/A
Vulnerable App: N/A

Via NSUnarchiver we can instantiate an NSBuiltinCharacterSet from a fully controlled serialized state.
[NSBuiltinCharacterSet initWithCoder:] reads a controlled int using decodeValueOfObjCType:"i" and then
either passes it to CFCharacterSetGetPredefined or uses it directly as an index into __NSBuiltinSetTable.
Neither path bounds-checks the value, and in both cases the index is used to select entries from C arrays
of pointers, so an out-of-range identifier reads and manipulates pointers outside the table.
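The pattern described above, reduced to a stand-alone C model (an added example, not Apple's code and not the attached PoC): a table of pointers indexed by an int decoded from the archive, the unchecked lookup beside a hardened one that range-checks the value in both directions (negative as well as too large) before either the CFCharacterSetGetPredefined or the table path is taken. The 15-entry table and its contents, and the little-endian 4-byte encoding of the identifier field, are assumptions standing in for __NSBuiltinSetTable and the typedstream format, neither of which is given on this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for __NSBuiltinSetTable: a C array of pointers indexed by the
 * decoded character-set identifier. The real table's size and contents are
 * not on this page; 15 entries is an assumption made for this model. */
#define BUILTIN_SET_COUNT 15
static const char *builtin_set_table[BUILTIN_SET_COUNT] = {
    "builtin-set-00", "builtin-set-01", "builtin-set-02", "builtin-set-03",
    "builtin-set-04", "builtin-set-05", "builtin-set-06", "builtin-set-07",
    "builtin-set-08", "builtin-set-09", "builtin-set-10", "builtin-set-11",
    "builtin-set-12", "builtin-set-13", "builtin-set-14",
};

/* Model of decodeValueOfObjCType:"i": the archive hands back a 4-byte signed
 * int that the attacker controls completely. Little-endian layout is a
 * constructed stand-in, not the real NSUnarchiver typedstream encoding. */
static int32_t decode_int32(const uint8_t b[4]) {
    uint32_t u = (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
                 ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
    int32_t v;
    memcpy(&v, &u, sizeof v);   /* reinterpret as signed, as "i" does */
    return v;
}

/* Vulnerable pattern: the decoded int goes straight into the pointer table.
 * With idx = 42, or any negative value, this reads a pointer outside the array. */
static const char *lookup_unchecked(int32_t idx) {
    return builtin_set_table[idx];
}

/* Hardened pattern: validate the identifier before it reaches either path. */
static bool builtin_set_index_valid(int32_t idx) {
    return idx >= 0 && idx < BUILTIN_SET_COUNT;
}

static const char *lookup_checked(int32_t idx) {
    if (!builtin_set_index_valid(idx))
        return NULL;                     /* caller treats NULL as a malformed archive */
    return builtin_set_table[(size_t)idx];
}

/* Signed distance, in bytes, between the table boundary and the far edge of
 * the pointer-sized slot the unchecked path would read: 0 when in range,
 * positive past the end, negative before the start. Lets the demo reason
 * about 42 without performing the out-of-bounds read itself. */
static ptrdiff_t unchecked_overrun_bytes(int32_t idx) {
    const ptrdiff_t slot = (ptrdiff_t)sizeof(void *);
    if (builtin_set_index_valid(idx)) return 0;
    if (idx < 0) return (ptrdiff_t)idx * slot;                 /* -1 -> one slot before */
    return ((ptrdiff_t)idx - BUILTIN_SET_COUNT + 1) * slot;    /* 15 -> one slot past */
}

int main(void) {
    /* Constructed archive fragments: the identifier field set to 42, as in the
     * attached PoC, and to -1, the other direction the missing check leaves open. */
    static const uint8_t ident_42[4]   = {0x2A, 0x00, 0x00, 0x00};
    static const uint8_t ident_neg1[4] = {0xFF, 0xFF, 0xFF, 0xFF};
    const uint8_t *samples[] = {ident_42, ident_neg1};

    /* A legitimate archive still resolves through the unchecked path. */
    printf("identifier 3: unchecked lookup -> %s\n", lookup_unchecked(3));

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t idx = decode_int32(samples[i]);
        const char *safe = lookup_checked(idx);
        printf("identifier %d: checked lookup -> %s; unchecked lookup would reach "
               "%td bytes outside the table\n",
               idx, safe ? safe : "rejected", unchecked_overrun_bytes(idx));
    }
    return 0;
}
```

The deliberately omitted call is lookup_unchecked(42): on the model that is an out-of-bounds pointer read, which is exactly what the PoC triggers inside Foundation. The fix is the builtin_set_index_valid check applied once, before the value is dispatched to either CFCharacterSetGetPredefined or the table.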

The attached Python script generates a serialized NSBuiltinCharacterSet whose character set
identifier field is set to 42.

Tested on macOS 10.12.3 (16D32).

Proof of Concept:

