PAC aims to prevent an attacker with the ability to read and write memory from executing arbitrary code. It does that by cryptographically signing and validating code pointers (as well as some data pointers) at runtime. However, it seems that imports of function pointers from shared libraries in userspace are not properly protected by PAC, allowing an attacker to sign arbitrary pointers and thus bypass PAC.
1d4d2c1d8f30ccfd1c36adfae489b2a3A PAC and JIT hardening bypass exists in WebKit on iOS.
a3ac179138a9ac48c78209344b6266c3The DFG and FTL JIT compilers incorrectly replace Checked with Unchecked ArithNegate operations (and vice versa) during Common Subexpression Elimination. This can then be exploited to cause out-of-bounds accesses and potentially other memory safety violations.
0b1a6974a8c2118b0cb88077ae99fe29This Metasploit modules exploits a type confusion in Google Chrome's JIT compiler. The Object.create operation can be used to cause a type confusion between a PropertyArray and a NameDictionary. The payload is executed within the rwx region of the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work.
2040ec95b119e742369ae8f7039cd437macOS and iOS have a vulnerability with ImageIO where memory safety issues occur when processing OpenEXR images.
dfd701d5c1fe94bd260c7c44d2b790ffAn issue in JSC leaves the data flow graph inconsistent. While fuzzing JavaScriptCore with fuzzilli, the researcher found a crash condition in JSC.
8ff3ad6a06cbb649d99f59f076aa906eOpenEXR suffers from multiple memory safety issues including out-of-bounds access.
8d08baf0c93f03a247b45a66e29d52b0macOS and iOS suffer from an ImageIO out-of-bounds read when processing PVR images.
65a5c4717babccedb508eed5edd77a7dmacOS and iOS have an ImageIO heap corruption issue when processing malformed PVR images.
09ee6affef93456d05af1a19df94303bImageIO on macOS suffers from an issue where a heap out-of-bounds write occurs when processing JPEG images.
97e1f93434c4368069b75479c4a0d5c6macOS and iOS suffer from an out-of-bounds read when processing DDS images with ImageIO.
744a77b150f3b9b90f322d4ef38f096dmacOS and iOS suffers from an ImageIO heap corruption vulnerability when processing malformed TIFF images.
f09a3684b3b87ef878c518dc38922c1ciMessage suffers from an issue where decoding NSSharedKeyDictionary can lead to out-of-bounds reads.
a2b5e05c79091ab5459b0ba4514324d3iMessage suffers from an issue where decoding NSSharedKeyDictionary can read an ObjC object at attacker controlled address.
44b9493651f02f67170dee4980389e1aJSC suffers from a type confusion vulnerability during bailout when reconstructing arguments objects.
6a4caa0c9a9e7558705c23bf516ebff4JavaScriptCore (JSC) GetterSetter suffers from a type confusion vulnerability during DFG compilation.
63f1952a7a692ab451a162d31ee902edV8 map migration does not respect element kind, leading to a type confusion vulnerability.
f6ab8a5e41409debf546a94e0e445037This repository contains several tools Project Zero uses to test iPhone messaging. It includes SmsSimulator: an SMS simulator for iPhone, iMessage: tools for sending and dumping iMessage messages, and imapiness: a fuzzer for IMAP clients. See the directory for each tool for further instructions and contact information. This is not an officially supported Google product. These tools were released and presented at BlackHat USA 2019.
2e9ddb1606e5ec0f3068837fa5919c6cNSKeyedUnarchiver suffers from a use-after-free vulnerability with ObjC objects when unarchiving OITSUIntDictionary instances even if secureCoding is required.
70ef6bfcfed7ece0d7495dba139227e2JavaScriptCore suffers from an issue where there's a JSValue use-after-free vulnerability in ValueProfiles.
1ab75d03880956f7d5252f34b059120aJavaScriptCore DFG loop-invariant code motion (LICM) has an issue where it leaves object property access unguarded.
f7edad8829fb8a634c008e209dbf7127In Spidermonkey, definite properties are incorrectly computed in some cases, leading to uninitialized memory access when unboxed objects are enabled.
79fc5823bfa08cae2fcfd2ee4bbcd32cSpidermonkey IonMonkey incorrectly predicts return type of Array.prototype.pop, leading to type confusion vulnerabilities.
b9cfb835c09f9ff2359a0ac43fb9d908This Metasploit module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The type confusion leads to the ability to allocate fake Javascript objects, as well as the ability to find the address in memory of a Javascript object. This allows us to construct a fake JSCell object that can be used to read and write arbitrary memory from Javascript. The module then uses a ROP chain to write the first stage shellcode into executable memory within the Safari process and kick off its execution. The first stage maps the second stage macho (containing CVE-2017-13861) into executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake exploit leads to a kernel task port (TFP0) that can read and write arbitrary kernel memory. The processes credential and sandbox structure in the kernel is overwritten and the meterpreter payloads code signature hash is added to the kernels trust cache, allowing Safari to load and execute the (self-signed) meterpreter payload.
394148cda471deeb3abbfdccf622fa46Spidermonkey IonMonkey can, during a bailout, leak an internal JS_OPTIMIZED_OUT magic value to the running script. This magic value can then be used to achieve memory corruption.
f548194e2e5ce1c18bacbf389f666b48
© 2020 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed