vendor: iMessage
by: Exploit Database
CVSS: 4.3 MEDIUM
Information Leak
CWE: 200
Product Name: iMessage
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: macOS
2020
Info Leak when Decoding SGBigUTF8String Class
The SGBigUTF8String class initializes the string using [SGBigUTF8String initWithUTF8DataNullTerminated:] even though there is no guarantee the bytes provided to the decoder are null terminated. It should use [SGBigUTF8String initWithUTF8Data:] instead. This class is included in iMessage, and could be useful in local attacks.
Mitigation:
Ensure that the bytes provided to the decoder are null terminated.
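The description and the mitigation above both come down to whether the decoder trusts a trailing NUL or the length it was given. The following C sketch is an added example, not code from iMessage or from the original report; the function names and the sample buffer are assumptions made for illustration, and it models the two initializers only in outline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pattern from the description: trust a trailing NUL and ignore len. */
static char *decode_assume_terminated(const unsigned char *bytes, size_t len)
{
    (void)len;
    size_t n = strlen((const char *)bytes); /* can run past bytes[len - 1] */
    char *out = malloc(n + 1);
    if (out) memcpy(out, bytes, n + 1);
    return out;
}

/* Length-bounded decode: never reads beyond len, stops at an embedded NUL. */
static char *decode_bounded(const unsigned char *bytes, size_t len)
{
    const unsigned char *nul = memchr(bytes, 0, len);
    size_t n = nul ? (size_t)(nul - bytes) : len;
    char *out = malloc(n + 1);
    if (out) { memcpy(out, bytes, n); out[n] = '\0'; }
    return out;
}

/* Check matching the stated mitigation: is there a NUL inside the payload? */
static int payload_is_terminated(const unsigned char *bytes, size_t len)
{
    return memchr(bytes, 0, len) != NULL;
}

/* Constructed sample: a 5-byte payload followed, in the same array, by
 * unrelated data standing in for neighbouring memory. */
static const unsigned char region[16] = "helloSECRET";
#define PAYLOAD_LEN 5

static size_t decoded_length(char *(*decode)(const unsigned char *, size_t))
{
    char *s = decode(region, PAYLOAD_LEN);
    size_t n = s ? strlen(s) : 0;
    free(s);
    return n;
}

int main(void)
{
    printf("terminated: %d\n", payload_is_terminated(region, PAYLOAD_LEN));
    printf("assumed:    %zu\n", decoded_length(decode_assume_terminated));
    printf("bounded:    %zu\n", decoded_length(decode_bounded));
    return 0;
}
```

The payload and its neighbour share one array so the over-read stays inside a valid object; on real input the unbounded read continues into whatever memory follows the decoded bytes.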