header-logo
Suggest Exploit
vendor:
MacOS
by:
Project Zero
7,8
CVSS
HIGH
Integer Overflow
190
CWE
Product Name: MacOS
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: MacOS 10.12.3 (16D32)
2017

CAMediaTimingFunctionBuiltin Integer Overflow

CAMediaTimingFunctionBuiltin is a class in QuartzCore. Its initWithCoder: method reads an Int 'index' then passes that to builtin_function. If rax is non-null it's returned as an objective-c object pointer and the objective-c retain selector is sent to it. Serialized poc in attached file with an index of 12345678.

Mitigation:

Ensure that the index value is within the expected range.
Source

Exploit-DB raw data:

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1175

CAMediaTimingFunctionBuiltin is a class in QuartzCore. Its initWithCoder: method
reads an Int "index" then passes that to builtin_function

  mov     ebx, edi <-- controlled unsigned int
  mov     r14d, ebx
  lea     r15, __ZL9functions_0 ; functions
  mov     rax, [r15+r14*8]

if rax is non-null it's returned as an objective-c object pointer and the objective-c retain
selector is sent to it.

Serialized poc in attached file with an index of 12345678.

tested on MacOS 10.12.3 (16D32)


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42052.zip

Navigation

Suggest Exploit

Services By CQR