iMessage NSSharedKeyDictionary Decode Out-Of-Bounds Read

2019.11.12
Credit: saelo
Risk: Low
Local: No
Remote: Yes
CWE: N/A

iMessage: decoding NSSharedKeyDictionary can lead to out-of-bounds reads During processing of incoming iMessages, attacker controlled data is deserialized using the NSUnarchiver API. One of the classes that is allowed to be decoded from the incoming data is NSDictionary. However, due to the logic of NSUnarchiver, all subclasses of NSDictionary that also implement secure coding can then be deserialized as well. NSSharedKeyDictionary is an example of such a subclass. A NSSharedKeyDictionary is a dictionary for which, for performance reasons, the keys are predefined using a NSSharedKeySet. A NSSharedKeyDictionary is essentially a linear array of values and a pointer to its NSSharedKeySet. An NSSharedKeySet on the other hand looks roughly like this (with some fields omitted for simplicity and translated to pseudo-C): struct NSSharedKeySet { unsigned int _numKeys; // The number of keys in the _keys array id* _keys; // A pointer to an array containing the key values unsigned int _rankTable; // A table basically mapping the hashes of // the keys to an index into _keys unsigned int _M; // The size of the _rankTable unsigned int _factor; // Used to compute the index into _rankTable from a hash. NSSharedKeySet* _subKeySet; // The next KeySet in the chain }; The value lookup on an NSSharedKeyDictionary then works roughly as follows: * NSSharedKeyDictionary invokes [NSSharedKeySet indexForKey:] on its associated keySet * indexForKey: computes the hash of the key, basically computes rti = hash % _factor, bounds-checks that against _M, and finally uses it to lookup the index in its rankTable: idx = _rankTable[rti] * It verifies that idx < _numKeys * It loads _keys[idx] and invokes [key isEqual:candidate] with it as argument * If the result is true, the index has been found and is returned to the NSSharedKeyDictionary where it is used to index into its values array * If not, indexForKey: recursively processes the subKeySet in the same way until it either finds the key or there is no subKeySet left, in which case it returns -1 There is a bug in the implementation of indexForKey: where, for the bounds check against the rankTable size, it uses the size (_M) from the original NSSharedKeySet instead of the current one, as can be seen in the assembly code below (from CoreFoundation.framework): [NSSharedKeySet indexForKey:] ... ; store first NSSharedKeySet into r12 __text:00000000000ED1EB mov r12, rdi ... ; store current NSSharedKeySet into r15 and start loop __text:00000000000ED275 mov r15, r12 ... ; load _M from the first NSSharedKeySet and bounds check against that value __text:00000000000ED335 mov rax, [rbp+var_88] __text:00000000000ED33C mov r13d, [r12+rax] __text:00000000000ED340 cmp ebx, r13d __text:00000000000ED343 jnb loc_ED418 ... ; load the table from the current NSSharedKeySet and index into it __text:00000000000ED352 mov rax, [rbp+var_70] __text:00000000000ED356 mov r8, [r15+rax] __text:00000000000ED35A shr esi, 2 __text:00000000000ED35D and esi, 1FFFFFFFh __text:00000000000ED363 movzx esi, byte ptr [r8+rsi] ... ; load the next NSSharedKeySet in the chain and repeat if possible __text:00000000000ED41C mov rax, [rbp+var_80] __text:00000000000ED420 mov r15, [r15+rax] As such, it is possible to read an index OOB by deserializing a specially crafted NSSharedKeyDictionary with two NSSharedKeySets chained together. The attached PoC demonstrates this on the latest macOS 10.14.6 Note that libgmalloc is required to reliably trigger a crash during the OOB access. > clang -o tester tester.m -framework Foundation > ./generator.py > DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib ./tester payload.xml GuardMalloc[tester-75873]: Allocations will be placed on 16 byte boundaries. GuardMalloc[tester-75873]: - Some buffer overruns may not be noticed. GuardMalloc[tester-75873]: - Applications using vector instructions (e.g., SSE) should work. GuardMalloc[tester-75873]: version 109 2019-07-29 16:52:37.736 tester[75873:536654] Let's go [1] 75873 segmentation fault DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib ./tester payload.xml As the value that is read out-of-bounds is an index into another table which is correctly bounds-checked, the security impact of this bug is limited. However, it might be possible to use it to construct a remote infoleak if a side channel can be constructed that indicates whether a message was successfully received or not. By then carefully reading indices out-of-bounds on the heap, the contents of adjacent memory might be inferable. iMessage delivery receipts, which are sent by default, might be usable for this purpose. This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public. Related CVE Numbers: CVE-2019-8746. Found by: saelo@google.com


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top