Wednesday, July 30, 2014

Mac OS X and iPhone sandbox escapes

Posted by Chris Evans, Finder of None Of These

As part of our launch manifesto, we committed to openness and transparency, including sharing full details of our research.

About a month ago, Apple released two security advisories which fixed some Project Zero findings. Today, we’re releasing the technical details by making some bugs public. Why now? Generally, we’ll always wait a little while after a patch is available, to give users time to apply the patch.

We won’t be writing a blog post for every set of bugs we make public. The main reason for this particular blog post is to highlight our process for making bugs public. That said, there are some interesting bug details available as of today! To highlight a few:

  • These two bugs describe heap corruptions in launchd. launchd is a service that sandboxed processes can talk to, and it runs unsandboxed. Therefore memory corruptions in this process are an excellent sandbox escape. As you can see, this bug was discovered by code auditing.
  • This OS X bug fully demonstrates the ability to read arbitrary kernel memory from within the sandbox. As you can see, the proof of concept C code is attached for you to study.
  • This OS X bug covers a very interesting validation failure leading to an integer underflow, leading in turn to the kernel trying to read a kernel structure from a non-NULL userspace address. The kernel structure involved contains a function pointer, so getting in-kernel code execution at a chosen address follows trivially. An annotated analysis of the faulty assembly instructions is included.
  • This OS X bug covers NULL pointer dereferences in the kernel—four in fact. It goes into detail about which circumstances result in sandbox escapes and which are “only” privilege escalations. Two of the bugs are quite neat because they call an attacker-specified offset from a good vtable base. Because this situation does not involve knowing any absolute kernel addresses, the bug could be used to both defeat kernel ASLR and then gain kernel code execution.

If you want a single URL to enumerate all of our publicly viewable bugs, click here. Enjoy! And thanks for following Project Zero.
