mediaserverd XPC AudioFileServer Parsing Vulnerability
mediaserverd has various media parsing responsibilities; it's reachable from various sandboxes and is able to talk to interesting kernel drivers, so it is a valid target in an exploit chain. One of the services it vends is com.apple.audio.AudioFileServer, a fairly simple XPC service which will parse audio files on behalf of clients and send them the raw bytes. Files are opened via their ipod-library:// URL; for the purposes of this PoC you will need to ensure there is at least one audio file in the iTunes library.

The files are actually parsed by the AudioFileReadPacketData function; here's the prototype from the docs:

  OSStatus AudioFileReadPacketData(AudioFileID inAudioFile,
                                   Boolean inUseCache,
                                   UInt32 *ioNumBytes,
                                   AudioStreamPacketDescription *outPacketDescriptions,
                                   SInt64 inStartingPacket,
                                   UInt32 *ioNumPackets,
                                   void *outBuffer);

The docs tell us the meaning of the ioNumBytes and outBuffer arguments:

  ioNumBytes: On input, the size of the outBuffer parameter, in bytes. On output, the number of bytes actually read.

  outBuffer: Memory that you allocate to hold the read packets. Determine an appropriate size by multiplying the number of packets requested (in the ioNumPackets parameter) by the typical packet size for the audio data in the file. For uncompressed audio formats, a packet is equal to a frame.

For the purposes of the bug this function has memcpy semantics: the value pointed to by ioNumBytes is taken as the correct size of the output buffer, and AudioFileReadPacketData has no way to verify that; it's up to the caller. Looking at the code which calls this, the values are derived from three values passed in the 'read' xpc message: numbytes (uint64), numpackets (uint64), starti (uint64)
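As an added illustration of the caller contract described above (this is not code from the original report, from mediaserverd, or from Apple's AudioToolbox): a stand-in for AudioFileReadPacketData with the same memcpy-like behaviour, a constructed 16-byte "file", a function modelling the unsafe pattern in which the allocation and the value handed over in ioNumBytes are derived from two different client-supplied fields, and a hardened handler that keeps the two equal and range-checks the uint64 message fields before narrowing them to the UInt32/SInt64 types the API takes. The names fake_audio_file, fake_read_packet_data, read_request, unsafe_sizes_mismatch, hardened_read, MAX_READ_BYTES and make_sample_file are all hypothetical, and the file layout (fixed 4-byte packets) is a simplification for uncompressed audio.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical in-memory audio file: fixed-size packets, as for uncompressed audio. */
typedef struct {
    const uint8_t *data;
    size_t total_bytes;
    uint32_t bytes_per_packet;
} fake_audio_file;

/* Stand-in (not Apple's implementation) with the memcpy-like contract the report
 * describes: whatever the caller puts in *ioNumBytes is trusted as the size of
 * outBuffer; the function has no other way to learn the real allocation size. */
static int fake_read_packet_data(const fake_audio_file *f, uint32_t *ioNumBytes,
                                 int64_t inStartingPacket, uint32_t *ioNumPackets,
                                 void *outBuffer)
{
    if (inStartingPacket < 0 || f->bytes_per_packet == 0) return -1;
    uint64_t offset = (uint64_t)inStartingPacket * f->bytes_per_packet;
    if (offset >= f->total_bytes) { *ioNumBytes = 0; *ioNumPackets = 0; return 0; }
    uint64_t want = (uint64_t)*ioNumPackets * f->bytes_per_packet;
    if (want > f->total_bytes - offset) want = f->total_bytes - offset;
    if (want > *ioNumBytes) want = *ioNumBytes;     /* the only bound on the write */
    memcpy(outBuffer, f->data + offset, (size_t)want);
    *ioNumBytes = (uint32_t)want;
    *ioNumPackets = (uint32_t)(want / f->bytes_per_packet);
    return 0;
}

/* The three client-controlled fields of the 'read' message. */
typedef struct { uint64_t numbytes, numpackets, starti; } read_request;

/* Unsafe derivation (hypothetical): the buffer is sized from numpackets but the
 * reader is told numbytes. Returns 1 when the reader would be allowed to write
 * past the allocation. The sizes are only computed, never used for a copy. */
int unsafe_sizes_mismatch(const read_request *r, uint32_t bytes_per_packet)
{
    uint32_t alloc   = (uint32_t)(r->numpackets * bytes_per_packet);  /* truncating */
    uint32_t claimed = (uint32_t)r->numbytes;                          /* truncating */
    return claimed > alloc;
}

#define MAX_READ_BYTES (16u * 1024u * 1024u)   /* hypothetical server-side cap */

/* Hardened handler: ioNumBytes is exactly the malloc'd size, numpackets is
 * clamped to what that buffer can hold, and each 64-bit field is checked before
 * narrowing. Returns bytes read or -1; *out receives a buffer the caller frees. */
int64_t hardened_read(const read_request *r, const fake_audio_file *f, uint8_t **out)
{
    *out = NULL;
    if (r->numbytes == 0 || r->numbytes > MAX_READ_BYTES) return -1;   /* also < UINT32_MAX */
    if (r->numpackets == 0 || r->numpackets > UINT32_MAX) return -1;
    if (r->starti > (uint64_t)INT64_MAX) return -1;                    /* SInt64 parameter */
    uint64_t max_packets = r->numbytes / f->bytes_per_packet;
    if (max_packets == 0) return -1;
    uint32_t io_bytes   = (uint32_t)r->numbytes;
    uint32_t io_packets = (uint32_t)(r->numpackets < max_packets ? r->numpackets : max_packets);
    uint8_t *buf = malloc(io_bytes);
    if (!buf) return -1;
    if (fake_read_packet_data(f, &io_bytes, (int64_t)r->starti, &io_packets, buf) != 0) {
        free(buf);
        return -1;
    }
    *out = buf;
    return io_bytes;
}

/* Constructed sample: 16 bytes = 4 packets of 4 bytes, each byte equal to its index. */
static uint8_t sample_bytes[16];
fake_audio_file make_sample_file(void)
{
    for (int i = 0; i < 16; i++) sample_bytes[i] = (uint8_t)i;
    fake_audio_file f = { sample_bytes, sizeof sample_bytes, 4 };
    return f;
}

int main(void)
{
    fake_audio_file f = make_sample_file();
    read_request attacker = { 0x1000, 1, 0 };      /* 4096 claimed bytes, 4-byte buffer */
    printf("unsafe derivation lets reader overrun: %d\n", unsafe_sizes_mismatch(&attacker, 4));
    read_request ok = { 8, 2, 1 };
    uint8_t *buf;
    int64_t n = hardened_read(&ok, &f, &buf);
    printf("hardened read returned %lld bytes, first byte %u\n", (long long)n, buf ? buf[0] : 0);
    free(buf);
    return 0;
}
```

The invariant the hardened version enforces is the one the docs leave to the caller: the number written to ioNumBytes is the allocation size and nothing else, so the reader's own clamping is always against the real buffer. The uint64-to-UInt32 narrowing matters on its own: a numbytes of 0x100000004 silently becomes 4 if cast without a range check, so the cap is applied on the 64-bit value before the cast.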