This is a vulnerability that I found along with my friend Dhanesh while fuzzing iOS Safari on an iPad Mini. The PoC triggers a use-after-free (UAF) when invalid URLs are used in the SRC attribute. Below is the crash:
```
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xe000000c
0x39f7cb26 in objc_msgSend ()
(gdb) info registers
r0             0x166afbe0       376110048
r1             0x32549ee6       844406502
r2             0x30108831       806389809
r3             0x3              3
r4             0x1658cdf0       374918640
r5             0x17826070       394420336
r6             0x0              0
r7             0x27d5ac2c       668314668
r8             0x166afbe0       376110048
r9             0xe0000000       -536870912
r10            0x17826070       394420336
r11            0x32549ee6       844406502
r12            0x3aaab220       984265248
sp             0x27d5ab98       668314520
lr             0x321756e3       840390371
pc             0x39f7cb26       972540710
(gdb) x/4x $r0
0x166afbe0:     0xe0000000      0xe0000000      0x00000002      0x00000032
(gdb) x/s $r1
0x32549ee6:     "lastObject"
(gdb) bt
#0  0x39f7cb26 in objc_msgSend ()
#1  0x321756e2 in <redacted> ()
(gdb) x/i $pc
0x39f7cb26:     b9 f8 0c c0     ldrh.w r12, [r9, #12]
```

The crash occurred in objc_msgSend(). The first argument, $r0, points to the receiver object, and the selector being sent is "lastObject", pointed to by $r1. The receiver object pointed to by $r0 is freed memory: the 0xe0000000 values at $r0 and $r0+4 are heap metadata pointing to the next and previous free chunks, which in this case are NULL. The 3rd DWORD is the quanta size.
```
0x39f7cb20 <objc_msgSend+0>:   e8 b1        cbz r0, 0x39f7cb5e        -> check for NULL
0x39f7cb22 <objc_msgSend+2>:   d0 f8 00 90  ldr.w r9, [r0]            -> r9 is loaded from r0, which is freed memory ; class = self->isa
0x39f7cb26 <objc_msgSend+6>:   b9 f8 0c c0  ldrh.w r12, [r9, #12]     -> r9 + 12 points to the cache mask
0x39f7cb2a <objc_msgSend+10>:  d9 f8 08 90  ldr.w r9, [r9, #8]        -> r9 + 8 points to the cache ; cache = class->cache
0x39f7cb2e <objc_msgSend+14>:  0c ea 01 0c  and.w r12, r12, r1        -> index
0x39f7cb32 <objc_msgSend+18>:  09 eb cc 09  add.w r9, r9, r12, lsl #3 -> r9 = cache + index << 3 ; compute cache entry
0x39f7cb36 <objc_msgSend+22>:  d9 f8 00 c0  ldr.w r12, [r9]           -> fetch selector
0x39f7cb3a <objc_msgSend+26>:  9c ea 01 0f  teq r12, r1               -> check the selector
0x39f7cb3e <objc_msgSend+30>:  02 d1        bne.n 0x39f7cb46          -> if no cache hit
0x39f7cb40 <objc_msgSend+32>:  d9 f8 04 c0  ldr.w r12, [r9, #4]       -> fetch address of method
0x39f7cb44 <objc_msgSend+36>:  60 47        bx r12                    -> jump to address
```

With control over the freed memory pointed to by $r0, and through it over the pointers that follow (isa, cache, cache entry), one could use the final bx r12 to control program execution. This issue was assigned CVE-2014-1349 and fixed in iOS 7.1.2.
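To make the annotated fast path easier to follow, here is a constructed C model of the method-cache lookup that objc_msgSend performs above, using the 32-bit ARM field offsets the disassembly shows. This is an added example, not Apple's runtime code; selectors are plain integers here, where the real runtime uses the selector's address in r1, and the sample class, cache and selector values are invented for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the objc_msgSend fast path: isa at self+0,
 * cache at class+8, mask at class+12, 8-byte cache entries.
 * Added example, not Apple's runtime; SEL is an integer stand-in. */
typedef uint32_t SEL;
typedef void (*IMP)(void);
struct cache_entry { SEL sel; IMP imp; };      /* sel at +0, imp at +4 */

struct objc_class {
    uint32_t isa, superclass;                  /* +0, +4 (unused here) */
    struct cache_entry *cache;                 /* +8:  ldr.w r9, [r9, #8] */
    uint16_t mask, occupied;                   /* +12: ldrh.w r12, [r9, #12] */
};

struct objc_object { struct objc_class *isa; };/* +0:  ldr.w r9, [r0] */

/* Fast-path lookup: returns the cached IMP, or NULL where the runtime
 * would take the bne.n branch (cache miss, slow method lookup). */
IMP cache_lookup(struct objc_object *self, SEL sel) {
    if (self == NULL) return NULL;                         /* cbz r0 */
    struct objc_class *cls = self->isa;                    /* r9 = [r0] */
    uint32_t index = cls->mask & sel;                      /* and.w r12, r12, r1 */
    struct cache_entry *e = &cls->cache[index];            /* cache + index << 3 */
    if (e->sel != sel) return NULL;                        /* teq r12, r1 ; bne.n */
    return e->imp;                                         /* ldr.w r12, [r9, #4] */
}

/* Constructed sample class with a 4-slot cache holding one selector. */
#define SEL_HELLO 0x1006u                      /* 0x1006 & 3 == slot 2 */
#define SEL_MISS  0x1007u                      /* same slot, other selector */
static void imp_hello(void) { puts("hello from the cached IMP"); }
static struct cache_entry sample_cache[4];
static struct objc_class sample_class = { 0, 0, sample_cache, 3, 1 };
static struct objc_object sample_obj = { &sample_class };

struct objc_object *build_sample(void) {
    sample_cache[SEL_HELLO & 3].sel = SEL_HELLO;
    sample_cache[SEL_HELLO & 3].imp = imp_hello;
    return &sample_obj;
}

int main(void) {
    IMP imp = cache_lookup(build_sample(), SEL_HELLO);
    if (imp) imp();                                        /* bx r12 */
    puts(cache_lookup(&sample_obj, SEL_MISS) ? "hit" : "miss -> slow lookup");
    return 0;
}
```

Every value the lookup dereferences (isa, cache, mask, the entry's selector and IMP) is read from memory reachable through the receiver, which is why a receiver that points into a freed chunk makes the final indirect jump depend on whatever now occupies that memory.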