Menu

Improved exploit search engine. Try it out

"FaceTime - Texture Processing Memory Corruption"

Author

"Google Security Research"

Platform

macos

Release date

2019-02-20

Release Date Title Type Platform Author
2019-05-23 "Apple Mac OS X - Feedback Assistant Race Condition (Metasploit)" local macos Metasploit
2019-04-18 "Evernote 7.9 - Code Execution via Path Traversal" local macos "Dhiraj Mishra"
2019-03-01 "macOS XNU - Copy-on-Write Behavior Bypass via Mount of User-Owned Filesystem Image" dos macos "Google Security Research"
2019-02-13 "Apple macOS 10.13.5 - Local Privilege Escalation" local macos Synacktiv
2019-02-20 "FaceTime - Texture Processing Memory Corruption" dos macos "Google Security Research"
2019-01-31 "macOS XNU - Copy-on-Write Behaviour Bypass via Partial-Page Truncation of File" dos macos "Google Security Research"
2019-01-24 "Microsoft Remote Desktop 10.2.4(134) - Denial of Service (PoC)" dos macos "Saeed Hasanzadeh"
2018-12-14 "Safari - Proxy Object Type Confusion (Metasploit)" remote macos Metasploit
2018-11-29 "Mac OS X - libxpc MITM Privilege Escalation (Metasploit)" local macos Metasploit
2018-11-20 "Apple macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)" dos macos "Fabiano Anemone"
2018-11-14 "SwitchVPN for macOS 2.1012.03 - Privilege Escalation" local macos "Bernd Leitner"
2018-11-13 "CuteFTP Mac 3.1 - Denial of Service (PoC)" dos macos "Yair Rodríguez Aparicio"
2018-11-06 "FaceTime - 'VCPDecompressionDecodeFrame' Memory Corruption" dos macos "Google Security Research"
2018-11-06 "FaceTime - 'readSPSandGetDecoderParams' Stack Corruption" dos macos "Google Security Research"
2018-11-05 "LiquidVPN 1.36 / 1.37 - Privilege Escalation" local macos "Bernd Leitner"
2018-05-30 "Yosoro 1.0.4 - Remote Code Execution" webapps macos "Carlo Pelliccioni"
2017-02-24 "Apple WebKit 10.0.2 - 'FrameLoader::clear' Universal Cross-Site Scripting" webapps macos "Google Security Research"
2017-06-06 "Apple Safari 10.1 - Spread Operator Integer Overflow Remote Code Execution" remote macos saelo
2017-05-04 "Apple Safari 10.0.3 - 'JSC::CachedCall' Use-After-Free" remote macos "saelo & niklasb"
2017-02-23 "Apple macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution / Arbitrary File Read" remote macos "Google Security Research"
2018-07-30 "Charles Proxy 4.2 - Local Privilege Escalation" local macos "Mark Wadham"
2018-03-20 "Google Software Updater macOS - Unsafe use of Distributed Objects Privilege Escalation" local macos "Google Security Research"
2017-01-16 "Apple macOS Sierra 10.12.1 - 'physmem' Local Privilege Escalation" local macos "Brandon Azad"
2017-12-07 "Apple macOS High Sierra 10.13 - 'ctl_ctloutput-leak' Information Leak" local macos "Brandon Azad"
2017-11-28 "Apple macOS 10.13.1 (High Sierra) - 'Blank Root' Local Privilege Escalation" local macos Lemiorhan
2017-12-06 "Apple macOS 10.13.1 (High Sierra) - Insecure Cron System Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Proxifier for Mac 2.19 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Hashicorp vagrant-vmware-fusion 4.0.23 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Hashicorp vagrant-vmware-fusion 4.0.24 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Hashicorp vagrant-vmware-fusion 5.0.0 - Local Privilege Escalation" local macos "Mark Wadham"
Release Date Title Type Platform Author
2019-05-23 "Microsoft Windows 10 1809 - 'CmKeyBodyRemapToVirtualForEnum' Arbitrary Key Enumeration Privilege Escalation" local windows "Google Security Research"
2019-05-23 "Visual Voicemail for iPhone - IMAP NAMESPACE Processing Use-After-Free" dos ios "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 XNU - 'in6_pcbdetach' Stale Pointer Use-After-Free" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 XNU - Wild-read due to bad cast in stf_ioctl" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - AIR Optimization Incorrectly Removes Assignment to Register" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - Loop-Invariant Code Motion (LICM) in DFG JIT Leaves Stack Variable Uninitialized" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 DFG JIT Compiler - 'HasIndexedProperty' Use-After-Free" dos multiple "Google Security Research"
2019-05-13 "Google Chrome V8 - Turbofan JSCallReducer::ReduceArrayIndexOfIncludes Out-of-Bounds Read/Write" dos multiple "Google Security Research"
2019-04-30 "Linux - Missing Locking Between ELF coredump code and userfaultfd VMA Modification" dos linux "Google Security Research"
2019-04-26 "systemd - DynamicUser can Create setuid Binaries when Assisted by Another Process" dos linux "Google Security Research"
2019-04-24 "Google Chrome 72.0.3626.121 / 74.0.3725.0 - 'NewFixedDoubleArray' Integer Overflow" remote multiple "Google Security Research"
2019-04-24 "VirtualBox 6.0.4 r128413 - COM RPC Interface Code Injection Host Privilege Escalation" local windows "Google Security Research"
2019-04-23 "Linux - 'page->_refcount' Overflow via FUSE" dos linux "Google Security Research"
2019-04-23 "Linux - Missing Locking in Siemens R3964 Line Discipline Race Condition" dos linux "Google Security Research"
2019-04-23 "systemd - Lack of Seat Verification in PAM Module Permits Spoofing Active Session to polkit" dos linux "Google Security Research"
2019-04-17 "Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in GlyphIterator::setCurrGlyphID" dos multiple "Google Security Research"
2019-04-17 "Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in sc_FindExtrema4" dos multiple "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV Delayed Virtualization Cache Manager Poisoning Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV NtSetCachedSigningLevel Device Guard Bypass" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV LuafvCopyShortName Arbitrary Short Name Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV Delayed Virtualization Cross Process Handle Duplication Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV Delayed Virtualization MAXIMUM_ACCESS DesiredAccess Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 / 1709 - CSRSS SxSSrv Cached Manifest Privilege Escalation" local windows "Google Security Research"
2019-04-03 "Google Chrome 72.0.3626.96 / 74.0.3702.0 - 'JSPromise::TriggerPromiseReactions' Type Confusion" remote multiple "Google Security Research"
2019-04-03 "Google Chrome 73.0.3683.39 / Chromium 74.0.3712.0 - 'ReadableStream' Internal Object Leak Type Confusion" dos multiple "Google Security Research"
2019-04-03 "Google Chrome 72.0.3626.81 - 'V8TrustedTypePolicyOptions::ToImpl' Type Confusion" dos multiple "Google Security Research"
2019-04-03 "WebKitGTK+ - 'ThreadedCompositor' Race Condition" dos multiple "Google Security Research"
2019-04-03 "WebKit JavaScriptCore - CodeBlock Dangling Watchpoints Use-After-Free" dos multiple "Google Security Research"
2019-04-03 "WebKit JavaScriptCore - Out-Of-Bounds Access in FTL JIT due to LICM Moving Array Access Before the Bounds Check" dos multiple "Google Security Research"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46433/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46433/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46433/40891/facetime-texture-processing-memory-corruption/download/", "exploit_id": "46433", "exploit_description": "\"FaceTime - Texture Processing Memory Corruption\"", "exploit_date": "2019-02-20", "exploit_author": "\"Google Security Research\"", "exploit_type": "dos", "exploit_platform": "macos", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
There is a memory corruption issue that occurs when processing a malformed RTP video stream in FaceTime. It appears to be related to processing textures.

* thread #7, stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
  * frame #0: 0x00007fff56baaa92 CoreVideo`CVMetalTextureBacking::releaseBackingUsage() + 20
    frame #1: 0x00007fff56bae4c4 CoreVideo`CVMetalTextureCache::bufferBackingNotInUse(CVBufferBacking*) + 258
    frame #2: 0x00007fff56b9eac5 CoreVideo`CVBufferBacking::releaseUsage() + 79
    frame #3: 0x00007fff56bab20e CoreVideo`CVMetalTexture::finalize() + 42
    frame #4: 0x00007fff55093e7c CoreFoundation`_CFRelease + 284
    frame #5: 0x00007fff617bdac5 VideoToolbox`VTMetalTransferSessionTransferImageSync + 3096
    frame #6: 0x00007fff6176f4fb VideoToolbox`VTPixelTransferSessionTransferImage + 11922
    frame #7: 0x000000010629b3cb CMIOUnits`___lldb_unnamed_symbol331$$CMIOUnits + 773
    frame #8: 0x000000010629909e CMIOUnits`___lldb_unnamed_symbol325$$CMIOUnits + 1868
    frame #9: 0x0000000106297aa4 CMIOUnits`___lldb_unnamed_symbol322$$CMIOUnits + 5338
    frame #10: 0x000000010630bb3b CMIOUnits`___lldb_unnamed_symbol1297$$CMIOUnits + 347
    frame #11: 0x000000010627fda7 CMIOUnits`___lldb_unnamed_symbol193$$CMIOUnits + 267
    frame #12: 0x00000001062bf2bb CMIOUnits`___lldb_unnamed_symbol630$$CMIOUnits + 26
    frame #13: 0x00000001062f8061 CMIOUnits`___lldb_unnamed_symbol1126$$CMIOUnits + 65
    frame #14: 0x000000010630bac0 CMIOUnits`___lldb_unnamed_symbol1297$$CMIOUnits + 224
    frame #15: 0x000000010627fda7 CMIOUnits`___lldb_unnamed_symbol193$$CMIOUnits + 267
    frame #16: 0x00000001062bf2bb CMIOUnits`___lldb_unnamed_symbol630$$CMIOUnits + 26
    frame #17: 0x00000001062f8061 CMIOUnits`___lldb_unnamed_symbol1126$$CMIOUnits + 65
    frame #18: 0x0000000106316e34 CMIOUnits`___lldb_unnamed_symbol1387$$CMIOUnits + 376
    frame #19: 0x000000010627fda7 CMIOUnits`___lldb_unnamed_symbol193$$CMIOUnits + 267
    frame #20: 0x0000000106317612 CMIOUnits`___lldb_unnamed_symbol1392$$CMIOUnits + 54
    frame #21: 0x00000001062c009c CMIOUnits`___lldb_unnamed_symbol654$$CMIOUnits + 55
    frame #22: 0x00007fff560868c9 CoreMediaIO`CMIOGraph::PullOutputUnits(bool, bool&, bool&, bool&) + 279
    frame #23: 0x00007fff56086eee CoreMediaIO`CMIOGraph::DoWork(unsigned int) + 836
    frame #24: 0x00007fff56089543 CoreMediaIO`CMIO::Thread::QueuedTWorkThread<unsigned int>::DoWork() + 125
    frame #25: 0x00007fff56092c67 CoreMediaIO`CMIO::Thread::SignaledThread::ThreadLoop() + 227
    frame #26: 0x00007fff56092b5a CoreMediaIO`CMIO::Thread::SignaledThread::WorkQueuedThreadCallback(void*) + 154
    frame #27: 0x00007fff55f6c98b CoreMedia`figThreadMain + 277
    frame #28: 0x00007fff7d10c661 libsystem_pthread.dylib`_pthread_body + 340
    frame #29: 0x00007fff7d10c50d libsystem_pthread.dylib`_pthread_start + 377
    frame #30: 0x00007fff7d10bbf9 libsystem_pthread.dylib`thread_start + 13
(lldb) down
frame #0: 0x00007fff56baaa92 CoreVideo`CVMetalTextureBacking::releaseBackingUsage() + 20
CoreVideo`CVMetalTextureBacking::releaseBackingUsage:
->  0x7fff56baaa92 <+20>: jmpq   *0x48(%rax)
    0x7fff56baaa95 <+23>: popq   %rbp
    0x7fff56baaa96 <+24>: retq   
    0x7fff56baaa97 <+25>: nop    

Additional crash dumps are attached.

This bug can be reached if a user accepts a call from a malicious caller. This issue only affects FaceTime on iOS and Mac. I tested on iOS 12.1.1 and Mac OS X 10.13.6.

To reproduce issue on a Mac:

1) Add the line:

	(subpath "/out")

to the (allow file-read* file-write* section of  /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb 

2) Add the line:

	(allow file-read* file-write*
		(subpath "/out"))

to com.apple.identityservicesd.sb and restart the host


3) Compile video-replay-avc.cpp using:

	g++ -std=c++11 -g -dynamiclib -o librecord.so video-replay-avc.cpp

4) Copy the output lib, librecord.so to /usr/lib/libSP.so

5) Sign the library by calling:

	sudo codesign -f -s - /usr/lib/libSP.so

6) Compile video-replay-identity.cpp using:

	g++ -std=c++11 -g -dynamiclib -o librecord_IDS.so video-replay-identity.cpp

7) Copy the output lib, librecord_IDS.so to /usr/lib/libSP_IDS.so

8) Sign the library by calling:

	sudo codesign -f -s - /usr/lib/libSP_IDS.so

9) Download and build https://github.com/Tyilo/insert_dylib

10) Copy /System/Library/PrivateFrameworks/AVConference.framework/Versions/Current/AVConference to a local directory and run the command below.

	insert_dylib --strip-codesig /usr/lib/libSP.so AVConference

11) Copy AVConference_patched to /System/Library/PrivateFrameworks/AVConference.framework/Versions/Current/AVConference

12) Sign the binary by calling:

	sudo codesign -f -s - /System/Library/PrivateFrameworks/AVConference.framework/Versions/Current/AVConference

13) Copy /System/Library/PrivateFrameworks/IDSFoundation.framework/Versions/Current/IDSFoundation to a local directory and run the command below.

	insert_dylib --strip-codesig /usr/lib/libSP_IDS.so IDSFoundation

14) Run the following commands, quickly, in sequence:

	sudo cp IDSFoundation_patched /System/Library/PrivateFrameworks/IDSFoundation.framework/Versions/Current/IDSFoundation
	sudo codesign -f -s - /System/Library/PrivateFrameworks/IDSFoundation.framework/Versions/Current/IDSFoundation

NOTE: If you are too slow, the terminal may crash because it detects IDSFoundation is unsigned. If this happens, open up the terminal and try the codesign call again. The terminal usually stays open a second or two before it crashes.

15) Extract out.zip into /out and make it world readable

16) Kill the avconferenced and identityservicesd processes. They will restart automatically

17) Make a FaceTime call to the target.

I performed these steps on a MacBook Air running 10.14.1

Taking a second look at this, the root cause of this issue is probably an overflow in splitting RED packets:

0   libsystem_platform.dylib      	0x00007fff7d106164 _platform_memmove$VARIANT$Haswell + 580
1   com.apple.AVConference        	0x00007fff646cb3f9 VCAudioRedBuilder_UpdateAudioPacketWithRedPayload + 50
2   com.apple.AVConference        	0x00007fff6486360b _VCAudioReceiver_SplitRedPacket + 166
3   com.apple.AVConference        	0x00007fff648646e7 _VCAudioReceiver_ProcessRTPPacket + 140
4   com.apple.AVConference        	0x00007fff64861c40 _VCAudioReceiver_ReceiveProc + 272
5   com.apple.AVConference        	0x00007fff64824db1 VCRealTimeThread_ThreadProc + 601
6   com.apple.CoreMedia           	0x00007fff55f6c98b figThreadMain + 277
7   libsystem_pthread.dylib       	0x00007fff7d10c661 _pthread_body + 340
8   libsystem_pthread.dylib       	0x00007fff7d10c50d _pthread_start + 377
9   libsystem_pthread.dylib       	0x00007fff7d10bbf9 thread_start + 13


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46433.zip