STRLCPY/0days-in-the-wild

Adding CVE-2022-24521

Change-Id: I438f73687ff3d03e96d2cb48ac9fa38ec8e9020c

Natalie Silvanovich committed with Maddie Stone 2 years ago

f076bb0b

1 parent 8e5ff557

Total 2 files Show one by one

■ ■ ■ ■ ■ ■

0day-RCAs/2022/CVE-2022-22675.md

1	+	# CVE-2022-22675: AppleAVD Overflow in AVC_RBSP::parseHRD
2	+	Natalie Silvanovich
3	+
4	+	## The Basics
5	+
6	+	Disclosure or Patch Date: March 31, 2022
7	+
8	+	Product: Apple iOS, MacOS
9	+
10	+	Advisory:
11	+
12	+	iOS: https://support.apple.com/en-us/HT213219
13	+
14	+	Mac: https://support.apple.com/en-us/HT213220
15	+
16	+	Affected Versions:
17	+
18	+	Reachable by thumbnailing media file: MacOS 12.3 / iOS 15.4
19	+
20	+	Reachable from local code only: MacOS 12.2.1 / iOS 15.3.1 and previous
21	+
22	+
23	+	First Patched Version: MacOS 12.3.1 / iOS 15.4.1
24	+
25	+	Issue/Bug Report: N/A
26	+
27	+	Patch CL: N/A
28	+
29	+	Bug-Introducing CL: N/A
30	+
31	+	Reporter(s): an anonymous researcher
32	+
33	+	## The Code
34	+
35	+	Proof-of-concept:
36	+
37	+	Partial PoC below triggers patch log output, but does not crash
38	+
39	+	https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-22675.mp4
40	+
41	+	Exploit sample: N/A
42	+
43	+	Did you have access to the exploit sample when doing the analysis? N/A
44	+
45	+	## The Vulnerability
46	+
47	+	Bug class: Buffer overflow
48	+
49	+	Vulnerability details:
50	+
51	+	There is a buffer overflow when processing the Hardware Reference Device (HRD) of an H.264 stream in the function AVC_RBSP::parseHRD. The AppleAVD.kext kernel module reads values describing the bitrates of the HRD from the stream in a loop and copies them into a buffer. This buffer has a fixed size of 32 elements, meanwhile the number of elements copied is determined by the cpb_cnt_minus1 value read from the stream, which can have a maximum value of 255, allowing the buffer to be overflowed.
52	+
53	+	Note that while the advisories describe the impact of this issue as a local privilege escalation, it is theoretically possible to exploit it to achieve fully-remote code execution in MacOS 12.3/iOS 15.4. These versions use AppleAVD to perform thumbnailing of incoming images in iMessage, so this code path is available to a fully-remote attacker.
54	+
55	+	Patch analysis:
56	+
57	+	The patch tests whether the cpb_cnt_minus1 value is less than 32. If the check fails, it logs “ERROR: hrd.cpb_cnt_minus1” and returns, which terminates decoding
58	+
59	+	Thoughts on how this vuln might have been found _(fuzzing, code auditing, variant analysis, etc.)_:
60	+
61	+	The vulnerability causes an overflow into other members of the decoder struct that contains the HRD buffer and does not extend into other allocations on the heap. Despite an in-depth analysis of this issue, we were unable to find a proof-of-concept media file that crashed the system, even after fuzzing with the trigger file above as a template for several days. This means that the condition that allowed the exploit was probably quite subtle, it is unlikely that the bug was found by fuzzing, so it was probably found by a manual audit of the binary.
62	+
63	+	## The Next Steps
64	+
65	+	### Variant analysis
66	+
67	+	Areas/approach for variant analysis (and why):
68	+
69	+	Several parsing functions in AppleAVD have recently became reachable when H.264 and H.265 streams are processed, including during thumbnailing of media files. This entire attack surface could use review.
70	+
71	+	Found variants: None
72	+
73	+	### Structural improvements
74	+
75	+	Other potential improvements:
76	+
77	+	The impact of similar vulnerabilities could be reduced by removing the H.264 parameter parsing code from the kernel and running it in a lower-privileged context.
78	+
79	+	## Other References
80	+
81	+	H.264 specification: https://www.itu.int/rec/T-REC-H.264
82	+

0day-RCAs/2022/CVE-2022-22675.mp4

Binary file.