One Article Review

Home - The article:
Source ProjectZero
Identifier 8300585
Publication date 2023-01-12 08:59:29 (viewed: 2023-01-12 17:07:08)
Title DER Entitlements: The (Brief) Return of the Psychic Paper
Text Posted by Ivan Fratric, Project Zero

Note: The vulnerability discussed here, CVE-2022-42855, was fixed in iOS 15.7.2 and macOS Monterey 12.6.2. While the vulnerability did not appear to be exploitable on iOS 16 and macOS Ventura, iOS 16.2 and macOS Ventura 13.1 nevertheless shipped hardening changes related to it.

Last year, I spent a lot of time researching the security of applications built on top of XMPP, an instant messaging protocol based on XML. More specifically, my research focused on how subtle quirks in XML parsing can be used to undermine the security of such applications. (If you are interested in learning more about that research, I gave a talk on it at Black Hat USA 2022. The slides and the recording can be found here and here.) At some point, when a part of my research was published, people pointed out other examples (unrelated to XMPP) where quirks in XML parsing led to security vulnerabilities. One of those examples was a vulnerability dubbed Psychic Paper, a really neat vulnerability in the way Apple’s operating systems check what entitlements an application has.

Entitlements are one of the core security concepts of Apple’s operating systems. As Apple’s documentation explains, “An entitlement is a right or privilege that grants an executable particular capabilities.” For example, an application on an Apple operating system can’t debug another application without possessing the proper entitlements, even if those two applications run as the same user. Even applications running as root can’t perform all actions (such as accessing some of the kernel APIs) without the appropriate entitlements.

Psychic Paper was a vulnerability in the way entitlements were checked. Entitlements were stored inside the application’s signature blob in XML format, so naturally the operating system needed to parse them at some point using an XML parser. The problem was that the OS didn’t have a single parser for this, but rather a staggering four parsers, used in different places in the operating system. One parser was used for the initial check that the application only has permitted entitlements, and a different parser was later used when checking whether the application has an entitlement to perform a specific action.
Tags: Vulnerability, Guideline, Prediction
Rating: ★★★


The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of an earlier one.