Show Notes

164 - XNU's kalloc_type, Stranger Strings, and a NetBSD Bug

Fairly straightforward refcount leak bug in the coredump function of the kernel. It would take a reference on the process credentials to ensure they don’t get destroyed while in-use, but they don’t release the reference on the error exit path. Here, it was easy to trigger a fail case via the vn_open() call to open a vnode for the write file. By simply providing a path that your process doesn’t have permission to write to, it’ll error and leak the reference count. Since the reference count is 32-bit and just uses an atomic_inc, it’s also feasible to exploit.

Exploitation was somewhat interesting as it ultimately gives you a UAF in the kauth_cred_t zone and not the general purpose zone. However, you could overlap your cred with a more privileged cred for an easy and reliable privilege escalation.

Callbacks can be tricky in memory-unsafe languages, here we have the Chrome Account Selection feature creating an image view and an image fetcher. Sets up a callback function to be called once the account’s image has been fetched and passes in the raw pointer to the created image_view, the problem being that the image view may be destroyed before the callback happens.

Exploitability of the issue is somewhat questionable, seems similar to some issues we covered last week in Microsoft Edge where you had UI interactions leading to UAF.

An integer overflow in SQLite’s sqlite3_str_vappendf, large inputs when dealing with q Q or w format specifiers (unique to SQLite’s implementation of printf used to escape quotes). In calculating the maximum buffer once escapes have been added the size may overflow to a negative value leading to SQLite using a 70byte (by default) stack allocated buffer. Naturally this leads to a stack-based buffer overflow.

} }