Source |
ProjectZero |
Identifier |
8221934 |
Publication date |
2022-08-24 12:04:44 (viewed: 2022-11-25 18:05:33) |
Title |
FORCEDENTRY: Sandbox Escape |
Text |
Posted by Ian Beer & Samuel Groß of Google Project Zero

We want to thank Citizen Lab for sharing a sample of the FORCEDENTRY exploit with us, and Apple’s Security Engineering and Architecture (SEAR) group for collaborating with us on the technical analysis. Any editorial opinions reflected below are solely Project Zero’s and do not necessarily reflect those of the organizations we collaborated with during this research.

Late last year we published a writeup of the initial remote code execution stage of FORCEDENTRY, the zero-click iMessage exploit attributed by Citizen Lab to NSO. By sending a .gif iMessage attachment (which was really a PDF) NSO were able to remotely trigger a heap buffer overflow in the ImageIO JBIG2 decoder. They used that vulnerability to bootstrap a powerful weird machine capable of loading the next stage in the infection process: the sandbox escape.

In this post we'll take a look at that sandbox escape. It's notable for using only logic bugs. In fact it's unclear where the features that it uses end and the vulnerabilities which it abuses begin. Both current and upcoming state-of-the-art mitigations such as Pointer Authentication and Memory Tagging have no impact at all on this sandbox escape.

An observation

During our initial analysis of the .gif file Samuel noticed that rendering the image appeared to leak memory. Running the heap tool after releasing all the associated resources gave the following output:

    $ heap $pid
    ------------------------------------------------------------
    All zones: 4631 nodes (826336 bytes)

    COUNT    BYTES    AVG    CLASS_NAME    TYPE    BINARY
    =====    =====    ===    ==========    ====    ======
    1969     469120   238.3  non-object
    825      26400    32.0   JBIG2Bitmap   C++     CoreGraphics |
Notes |
★★★
|
Sent |
Yes |
Tags |
Vulnerability
Technical
|