One Article Review

Source: ProjectZero
Identifier: 8221933
Publication date: 2022-08-24 12:04:12 (viewed: 2022-11-25 18:05:33)
Title: CVE-2021-30737, @xerub's 2021 iOS ASN.1 Vulnerability
Text: Posted by Ian Beer, Google Project Zero

This blog post is my analysis of a vulnerability found by @xerub. Phrack published @xerub's writeup, so go check that out first. As well as doing my own vulnerability research, I also spend time trying as best as I can to keep up with the public state-of-the-art, especially when details of a particularly interesting vulnerability are announced or a new in-the-wild exploit is caught. Originally this post was just a series of notes I took last year as I was trying to understand this bug. But the bug itself and the narrative around it are so fascinating that I thought it would be worth writing up these notes into a more coherent form to share with the community.

Background

On April 14th 2021 the Washington Post published an article on the unlocking of the San Bernardino iPhone by Azimuth containing a nugget of non-public information: "Azimuth specialized in finding significant vulnerabilities. Dowd [...] had found one in open-source code from Mozilla that Apple used to permit accessories to be plugged into an iPhone's lightning port, according to the person." There's not that much Mozilla code running on an iPhone and even less which is likely to be part of such an attack surface. Therefore, if accurate, this quote almost certainly meant that Azimuth had exploited a vulnerability in the ASN.1 parser used by Security.framework, which is a fork of Mozilla's NSS ASN.1 parser. I searched around in bugzilla (Mozilla's issue tracker) looking for candidate vulnerabilities which matched the timeline discussed in the Post article and narrowed it down to a handful of plausible bugs including: 1202868, 1192028, 1245528. I was surprised that there had been so many exploitable-looking issues in the ASN.1 code and decided to add auditing the NSS ASN.1 parser as a quarterly goal. A month later, having predictably done absolutely
Sent: Yes
Tags: Vulnerability, Guideline
Notes: ★★★


The article does not appear to have been picked up after its publication.

The article does not appear to have been picked up in an earlier one.