Menu

Search for hundreds of thousands of exploits

"FaceTime - Texture Processing Memory Corruption"

Author

Exploit author

"Google Security Research"

Platform

Exploit platform

macos

Release date

Exploit published date

2019-02-20

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
There is a memory corruption issue that occurs when processing a malformed RTP video stream in FaceTime. It appears to be related to processing textures.

* thread #7, stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
  * frame #0: 0x00007fff56baaa92 CoreVideo`CVMetalTextureBacking::releaseBackingUsage() + 20
    frame #1: 0x00007fff56bae4c4 CoreVideo`CVMetalTextureCache::bufferBackingNotInUse(CVBufferBacking*) + 258
    frame #2: 0x00007fff56b9eac5 CoreVideo`CVBufferBacking::releaseUsage() + 79
    frame #3: 0x00007fff56bab20e CoreVideo`CVMetalTexture::finalize() + 42
    frame #4: 0x00007fff55093e7c CoreFoundation`_CFRelease + 284
    frame #5: 0x00007fff617bdac5 VideoToolbox`VTMetalTransferSessionTransferImageSync + 3096
    frame #6: 0x00007fff6176f4fb VideoToolbox`VTPixelTransferSessionTransferImage + 11922
    frame #7: 0x000000010629b3cb CMIOUnits`___lldb_unnamed_symbol331$$CMIOUnits + 773
    frame #8: 0x000000010629909e CMIOUnits`___lldb_unnamed_symbol325$$CMIOUnits + 1868
    frame #9: 0x0000000106297aa4 CMIOUnits`___lldb_unnamed_symbol322$$CMIOUnits + 5338
    frame #10: 0x000000010630bb3b CMIOUnits`___lldb_unnamed_symbol1297$$CMIOUnits + 347
    frame #11: 0x000000010627fda7 CMIOUnits`___lldb_unnamed_symbol193$$CMIOUnits + 267
    frame #12: 0x00000001062bf2bb CMIOUnits`___lldb_unnamed_symbol630$$CMIOUnits + 26
    frame #13: 0x00000001062f8061 CMIOUnits`___lldb_unnamed_symbol1126$$CMIOUnits + 65
    frame #14: 0x000000010630bac0 CMIOUnits`___lldb_unnamed_symbol1297$$CMIOUnits + 224
    frame #15: 0x000000010627fda7 CMIOUnits`___lldb_unnamed_symbol193$$CMIOUnits + 267
    frame #16: 0x00000001062bf2bb CMIOUnits`___lldb_unnamed_symbol630$$CMIOUnits + 26
    frame #17: 0x00000001062f8061 CMIOUnits`___lldb_unnamed_symbol1126$$CMIOUnits + 65
    frame #18: 0x0000000106316e34 CMIOUnits`___lldb_unnamed_symbol1387$$CMIOUnits + 376
    frame #19: 0x000000010627fda7 CMIOUnits`___lldb_unnamed_symbol193$$CMIOUnits + 267
    frame #20: 0x0000000106317612 CMIOUnits`___lldb_unnamed_symbol1392$$CMIOUnits + 54
    frame #21: 0x00000001062c009c CMIOUnits`___lldb_unnamed_symbol654$$CMIOUnits + 55
    frame #22: 0x00007fff560868c9 CoreMediaIO`CMIOGraph::PullOutputUnits(bool, bool&, bool&, bool&) + 279
    frame #23: 0x00007fff56086eee CoreMediaIO`CMIOGraph::DoWork(unsigned int) + 836
    frame #24: 0x00007fff56089543 CoreMediaIO`CMIO::Thread::QueuedTWorkThread<unsigned int>::DoWork() + 125
    frame #25: 0x00007fff56092c67 CoreMediaIO`CMIO::Thread::SignaledThread::ThreadLoop() + 227
    frame #26: 0x00007fff56092b5a CoreMediaIO`CMIO::Thread::SignaledThread::WorkQueuedThreadCallback(void*) + 154
    frame #27: 0x00007fff55f6c98b CoreMedia`figThreadMain + 277
    frame #28: 0x00007fff7d10c661 libsystem_pthread.dylib`_pthread_body + 340
    frame #29: 0x00007fff7d10c50d libsystem_pthread.dylib`_pthread_start + 377
    frame #30: 0x00007fff7d10bbf9 libsystem_pthread.dylib`thread_start + 13
(lldb) down
frame #0: 0x00007fff56baaa92 CoreVideo`CVMetalTextureBacking::releaseBackingUsage() + 20
CoreVideo`CVMetalTextureBacking::releaseBackingUsage:
->  0x7fff56baaa92 <+20>: jmpq   *0x48(%rax)
    0x7fff56baaa95 <+23>: popq   %rbp
    0x7fff56baaa96 <+24>: retq   
    0x7fff56baaa97 <+25>: nop    

Additional crash dumps are attached.

This bug can be reached if a user accepts a call from a malicious caller. This issue only affects FaceTime on iOS and Mac. I tested on iOS 12.1.1 and Mac OS X 10.13.6.

To reproduce issue on a Mac:

1) Add the line:

	(subpath "/out")

to the (allow file-read* file-write* section of  /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb 

2) Add the line:

	(allow file-read* file-write*
		(subpath "/out"))

to com.apple.identityservicesd.sb and restart the host


3) Compile video-replay-avc.cpp using:

	g++ -std=c++11 -g -dynamiclib -o librecord.so video-replay-avc.cpp

4) Copy the output lib, librecord.so to /usr/lib/libSP.so

5) Sign the library by calling:

	sudo codesign -f -s - /usr/lib/libSP.so

6) Compile video-replay-identity.cpp using:

	g++ -std=c++11 -g -dynamiclib -o librecord_IDS.so video-replay-identity.cpp

7) Copy the output lib, librecord_IDS.so to /usr/lib/libSP_IDS.so

8) Sign the library by calling:

	sudo codesign -f -s - /usr/lib/libSP_IDS.so

9) Download and build https://github.com/Tyilo/insert_dylib

10) Copy /System/Library/PrivateFrameworks/AVConference.framework/Versions/Current/AVConference to a local directory and run the command below.

	insert_dylib --strip-codesig /usr/lib/libSP.so AVConference

11) Copy AVConference_patched to /System/Library/PrivateFrameworks/AVConference.framework/Versions/Current/AVConference

12) Sign the binary by calling:

	sudo codesign -f -s - /System/Library/PrivateFrameworks/AVConference.framework/Versions/Current/AVConference

13) Copy /System/Library/PrivateFrameworks/IDSFoundation.framework/Versions/Current/IDSFoundation to a local directory and run the command below.

	insert_dylib --strip-codesig /usr/lib/libSP_IDS.so IDSFoundation

14) Run the following commands, quickly, in sequence:

	sudo cp IDSFoundation_patched /System/Library/PrivateFrameworks/IDSFoundation.framework/Versions/Current/IDSFoundation
	sudo codesign -f -s - /System/Library/PrivateFrameworks/IDSFoundation.framework/Versions/Current/IDSFoundation

NOTE: If you are too slow, the terminal may crash because it detects IDSFoundation is unsigned. If this happens, open up the terminal and try the codesign call again. The terminal usually stays open a second or two before it crashes.

15) Extract out.zip into /out and make it world readable

16) Kill the avconferenced and identityservicesd processes. They will restart automatically

17) Make a FaceTime call to the target.

I performed these steps on a MacBook Air running 10.14.1

Taking a second look at this, the root cause of this issue is probably an overflow in splitting RED packets:

0   libsystem_platform.dylib      	0x00007fff7d106164 _platform_memmove$VARIANT$Haswell + 580
1   com.apple.AVConference        	0x00007fff646cb3f9 VCAudioRedBuilder_UpdateAudioPacketWithRedPayload + 50
2   com.apple.AVConference        	0x00007fff6486360b _VCAudioReceiver_SplitRedPacket + 166
3   com.apple.AVConference        	0x00007fff648646e7 _VCAudioReceiver_ProcessRTPPacket + 140
4   com.apple.AVConference        	0x00007fff64861c40 _VCAudioReceiver_ReceiveProc + 272
5   com.apple.AVConference        	0x00007fff64824db1 VCRealTimeThread_ThreadProc + 601
6   com.apple.CoreMedia           	0x00007fff55f6c98b figThreadMain + 277
7   libsystem_pthread.dylib       	0x00007fff7d10c661 _pthread_body + 340
8   libsystem_pthread.dylib       	0x00007fff7d10c50d _pthread_start + 377
9   libsystem_pthread.dylib       	0x00007fff7d10bbf9 thread_start + 13


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46433.zip
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-05-12 "MacOS 320.whatis Script - Privilege Escalation" local macos "Csaba Fitzl"
2020-04-16 "VMware Fusion - USB Arbitrator Setuid Privilege Escalation (Metasploit)" local macos Metasploit
2020-03-20 "VMware Fusion 11.5.2 - Privilege Escalation" local macos "Rich Mirch"
2020-03-17 "VMWare Fusion - Local Privilege Escalation" local macos Grimm
2019-12-18 "macOS 10.14.6 (18G87) - Kernel Use-After-Free due to Race Condition in wait_for_namespace_event()" dos macos "Google Security Research"
2019-11-22 "macOS 10.14.6 - root->kernel Privilege Escalation via update_dyld_shared_cache" local macos "Google Security Research"
2019-11-05 "macOS XNU - Missing Locking in checkdirs_callback() Enables Race with fchdir_common()" dos macos "Google Security Research"
2019-11-04 "Apple macOS 10.15.1 - Denial of Service (PoC)" dos macos 08Tc3wBB
2019-10-09 "XNU - Remote Double-Free via Data Race in IPComp Input Path" dos macos "Google Security Research"
2019-09-19 "macOS 18.7.0 Kernel - Local Privilege Escalation" local macos A2nkF
Release Date Title Type Platform Author
2020-02-10 "usersctp - Out-of-Bounds Reads in sctp_load_addresses_from_init" dos linux "Google Security Research"
2020-02-10 "iOS/macOS - Out-of-Bounds Timestamp Write in IOAccelCommandQueue2::processSegmentKernelCommand()" dos multiple "Google Security Research"
2020-01-28 "macOS/iOS ImageIO - Heap Corruption when Processing Malformed TIFF Image" dos multiple "Google Security Research"
2020-01-14 "WeChat - Memory Corruption in CAudioJBM::InputAudioFrameToJBM" dos android "Google Security Research"
2020-01-14 "Android - ashmem Readonly Bypasses via remap_file_pages() and ASHMEM_UNPIN" dos android "Google Security Research"
2019-12-18 "macOS 10.14.6 (18G87) - Kernel Use-After-Free due to Race Condition in wait_for_namespace_event()" dos macos "Google Security Research"
2019-12-16 "Linux 5.3 - Privilege Escalation via io_uring Offload of sendmsg() onto Kernel Thread with Kernel Creds" local linux "Google Security Research"
2019-12-11 "Adobe Acrobat Reader DC - Heap-Based Memory Corruption due to Malformed TTF Font" dos windows "Google Security Research"
2019-11-22 "macOS 10.14.6 - root->kernel Privilege Escalation via update_dyld_shared_cache" local macos "Google Security Research"
2019-11-22 "Internet Explorer - Use-After-Free in JScript Arguments During toJSON Callback" dos windows "Google Security Research"
2019-11-20 "Ubuntu 19.10 - ubuntu-aufs-modified mmap_region() Breaks Refcounting in overlayfs/shiftfs Error Path" dos linux "Google Security Research"
2019-11-20 "Ubuntu 19.10 - Refcount Underflow and Type Confusion in shiftfs" dos linux "Google Security Research"
2019-11-20 "iOS 12.4 - Sandbox Escape due to Integer Overflow in mediaserverd" dos ios "Google Security Research"
2019-11-11 "iMessage - Decoding NSSharedKeyDictionary can read ObjC Object at Attacker Controlled Address" dos multiple "Google Security Research"
2019-11-11 "Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed OTF Font (CFF Table)" dos windows "Google Security Research"
2019-11-11 "Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed JBIG2Globals Stream" dos windows "Google Security Research"
2019-11-05 "macOS XNU - Missing Locking in checkdirs_callback() Enables Race with fchdir_common()" dos macos "Google Security Research"
2019-11-05 "JavaScriptCore - Type Confusion During Bailout when Reconstructing Arguments Objects" dos multiple "Google Security Research"
2019-11-05 "WebKit - Universal XSS in JSObject::putInlineSlow and JSValue::putToPrimitive" dos multiple "Google Security Research"
2019-10-30 "JavaScriptCore - GetterSetter Type Confusion During DFG Compilation" dos multiple "Google Security Research"
2019-10-28 "WebKit - Universal XSS in HTMLFrameElementBase::isURLAllowed" dos multiple "Google Security Research"
2019-10-21 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream (2)" dos windows "Google Security Research"
2019-10-10 "Windows Kernel - win32k.sys TTF Font Processing Pool Corruption in win32k!ulClearTypeFilter" dos windows "Google Security Research"
2019-10-10 "Windows Kernel - NULL Pointer Dereference in nt!MiOffsetToProtos While Parsing Malformed PE File" dos windows "Google Security Research"
2019-10-10 "Windows Kernel - Out-of-Bounds Read in nt!MiParseImageLoadConfig While Parsing Malformed PE File" dos windows "Google Security Research"
2019-10-10 "Windows Kernel - Out-of-Bounds Read in CI!HashKComputeFirstPageHash While Parsing Malformed PE File" dos windows "Google Security Research"
2019-10-10 "Windows Kernel - Out-of-Bounds Read in nt!MiRelocateImage While Parsing Malformed PE File" dos windows "Google Security Research"
2019-10-10 "Windows Kernel - Out-of-Bounds Read in CI!CipFixImageType While Parsing Malformed PE File" dos windows "Google Security Research"
2019-10-09 "XNU - Remote Double-Free via Data Race in IPComp Input Path" dos macos "Google Security Research"
2019-10-04 "Android - Binder Driver Use-After-Free" local android "Google Security Research" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected