0day-RCAs/2022/CVE-2022-22675.md
| 1 | + | # CVE-2022-22675: AppleAVD Overflow in AVC_RBSP::parseHRD |
| 2 | + | *Natalie Silvanovich* |
| 3 | + | |
| 4 | + | ## The Basics |
| 5 | + | |
| 6 | + | **Disclosure or Patch Date:** March 31, 2022 |
| 7 | + | |
| 8 | + | **Product:** Apple iOS, MacOS |
| 9 | + | |
| 10 | + | **Advisory:** |
| 11 | + | |
| 12 | + | *iOS:* https://support.apple.com/en-us/HT213219 |
| 13 | + | |
| 14 | + | *Mac:* https://support.apple.com/en-us/HT213220 |
| 15 | + | |
| 16 | + | **Affected Versions:** |
| 17 | + | |
| 18 | + | *Reachable by thumbnailing media file:* MacOS 12.3 / iOS 15.4 |
| 19 | + | |
| 20 | + | *Reachable from local code only:* MacOS 12.2.1 / iOS 15.3.1 and previous |
| 21 | + | |
| 22 | + | |
| 23 | + | **First Patched Version:** MacOS 12.3.1 / iOS 15.4.1 |
| 24 | + | |
| 25 | + | **Issue/Bug Report:** N/A |
| 26 | + | |
| 27 | + | **Patch CL:** N/A |
| 28 | + | |
| 29 | + | **Bug-Introducing CL:** N/A |
| 30 | + | |
| 31 | + | **Reporter(s):** an anonymous researcher |
| 32 | + | |
| 33 | + | ## The Code |
| 34 | + | |
| 35 | + | **Proof-of-concept:** |
| 36 | + | |
| 37 | + | Partial PoC below triggers patch log output, but does not crash |
| 38 | + | |
| 39 | + | https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-22675.mp4 |
| 40 | + | |
| 41 | + | **Exploit sample:** N/A |
| 42 | + | |
| 43 | + | **Did you have access to the exploit sample when doing the analysis?** N/A |
| 44 | + | |
| 45 | + | ## The Vulnerability |
| 46 | + | |
| 47 | + | **Bug class:** Buffer overflow |
| 48 | + | |
| 49 | + | **Vulnerability details:** |
| 50 | + | |
| 51 | + | There is a buffer overflow when processing the Hardware Reference Device (HRD) of an H.264 stream in the function *AVC_RBSP::parseHRD*. The AppleAVD.kext kernel module reads values describing the bitrates of the HRD from the stream in a loop and copies them into a buffer. This buffer has a fixed size of 32 elements, meanwhile the number of elements copied is determined by the *cpb_cnt_minus1* value read from the stream, which can have a maximum value of 255, allowing the buffer to be overflowed. |
| 52 | + | |
| 53 | + | Note that while the advisories describe the impact of this issue as a local privilege escalation, it is theoretically possible to exploit it to achieve fully-remote code execution in MacOS 12.3/iOS 15.4. These versions use AppleAVD to perform thumbnailing of incoming images in iMessage, so this code path is available to a fully-remote attacker. |
| 54 | + | |
| 55 | + | **Patch analysis:** |
| 56 | + | |
| 57 | + | The patch tests whether the *cpb_cnt_minus1* value is less than 32. If the check fails, it logs “ERROR: hrd.cpb_cnt_minus1” and returns, which terminates decoding |
| 58 | + | |
| 59 | + | **Thoughts on how this vuln might have been found _(fuzzing, code auditing, variant analysis, etc.)_:** |
| 60 | + | |
| 61 | + | The vulnerability causes an overflow into other members of the decoder struct that contains the HRD buffer and does not extend into other allocations on the heap. Despite an in-depth analysis of this issue, we were unable to find a proof-of-concept media file that crashed the system, even after fuzzing with the trigger file above as a template for several days. This means that the condition that allowed the exploit was probably quite subtle, it is unlikely that the bug was found by fuzzing, so it was probably found by a manual audit of the binary. |
| 62 | + | |
| 63 | + | ## The Next Steps |
| 64 | + | |
| 65 | + | ### Variant analysis |
| 66 | + | |
| 67 | + | **Areas/approach for variant analysis (and why):** |
| 68 | + | |
| 69 | + | Several parsing functions in AppleAVD have recently became reachable when H.264 and H.265 streams are processed, including during thumbnailing of media files. This entire attack surface could use review. |
| 70 | + | |
| 71 | + | **Found variants:** None |
| 72 | + | |
| 73 | + | ### Structural improvements |
| 74 | + | |
| 75 | + | **Other potential improvements:** |
| 76 | + | |
| 77 | + | The impact of similar vulnerabilities could be reduced by removing the H.264 parameter parsing code from the kernel and running it in a lower-privileged context. |
| 78 | + | |
| 79 | + | ## Other References |
| 80 | + | |
| 81 | + | H.264 specification: https://www.itu.int/rec/T-REC-H.264 |
| 82 | + | |
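Review bot: The expansion of HRD in the vulnerability details (diff line 51) is wrong for H.264; the specification cited under Other References defines HRD as the Hypothetical Reference Decoder, so "Hardware Reference Device (HRD)" should read "Hypothetical Reference Decoder (HRD)". A short note that the spec restricts cpb_cnt_minus1 to the range 0 to 31 would also explain why a 32-entry buffer and a less-than-32 check are the right bounds. Smaller nits in the same file: the patch analysis sentence (line 57) is missing its closing period, "probably quite subtle, it is unlikely that the bug was found by fuzzing" (line 61) is a comma splice that reads better as "probably quite subtle, so it is unlikely that the bug was found by fuzzing", and "have recently became reachable" (line 69) should be "have recently become reachable".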