Shulou (Shulou.com), SLTechnology News & Howtos, Network Security. Report dated 05/31; updated 2025-04-02.
This article gives an in-depth analysis of the macOS vulnerability CVE-2019-8507. The content is quite detailed, and readers interested in the topic can use it as a reference. I hope it is helpful.
0x00 Preface
On March 25, 2019, Apple released macOS Mojave 10.14.4 and iOS 12.2. Both versions fix a number of security vulnerabilities, including CVE-2019-8507 in QuartzCore (aka CoreAnimation). For more information about Apple's updates, please refer to this announcement.
In this article, we will provide a detailed analysis of vulnerability CVE-2019-8507 in macOS.
0x01 Vulnerability Overview
QuartzCore, also known as CoreAnimation, is the graphics framework used by macOS and iOS to create animated scenes. CoreAnimation uses a distinctive rendering model in which the graphics work is done by a separate process. On macOS this process is called WindowServer; on iOS it is called backboardd.
The service named com.apple.CARenderServer in QuartzCore is usually referred to as CARenderServer. It is available on both macOS and iOS and can be reached directly from the Safari sandbox. On macOS, however, memory corruption occurs when QuartzCore processes graphics objects in the CA::Render::Decoder::decode_shape() function, which causes the process to terminate unexpectedly.
The following is the crash log of the WindowServer process when it hits the problem:
0x02 PoC (Proof of Concept)
Next, I will demonstrate how to trigger the vulnerability with our PoC. The PoC code is as follows:
The comparison between the original Mach message and the modified Mach message is shown in the following figure:
After analyzing the binary, we found that only one byte, at offset 0xB6, needs to be changed from 0x06 to 0x86 to trigger the vulnerability.
As the PoC code shows, in order to send the specially crafted Mach message that triggers the vulnerability, we first send a Mach message with msgh_id 40202, whose handler in the server is _XRegisterClient, and obtain the connection ID assigned to each newly connected client.
Once we have the connection ID, we write it at offset 0x2C of the crafted Mach message. Finally, we only need to send this Mach message to trigger the vulnerability.
0x03 Vulnerability Analysis
Next, we will use LLDB to debug the vulnerability dynamically and analyze its root cause. Note: the WindowServer process has to be debugged over SSH.
By parsing the crash log, we can get the stack trace of the crashing thread and set a breakpoint on the CA::Render::Server::ReceivedMessage::run_command_stream function with the following command:
The value of conn_id can be obtained by setting a breakpoint at line 86 of the PoC code.
After the breakpoint is hit, we can read the buffer of the crafted Mach message directly; register r13 points to it.
The function CA::Render::Decoder::decode_object(CA::Render::Decoder *this, CA::Render::Decoder *a2) decodes object data of this type. The buffer data starting at address 0x70000907dd52 is an image object (highlighted in green):
The following code snippet in the CA::Render::Decoder::decode_object function parses image object data:
The following image shows the CA::Render::Image::decode() function; I added some comments to make it easier to follow:
We can see that the byte at address 0x70000907dd52 has changed from 0x06 to 0x86, so the variable v4 is now equal to 0x86. Because v4 is greater than 0x20, the program jumps to LABEL_31 and executes a different branch. At the end of LABEL_31, the program calls CA::Render::Texture::decode(CA::Render::Texture *this, CA::Render::Decoder *a2) to continue processing the subsequent data.
As we can see, it calls the CA::Render::Decoder::decode_shape function to handle the Shape object data.
Next, let's look at how the other data sets are processed.
We can see that the variable v2 equals 0x02, so an 8-byte region is allocated for the buffer. Finally, it calls the function CA::Render::Decoder::decode_bytes to decode a run of bytes into it.
The root cause of this problem is that the CA::Render::Decoder::decode_shape function lacks validation of its input. Here is how Apple fixed this bug:
0x04 Summary
According to Apple's security bulletin, this vulnerability only affects macOS. The issue exists in QuartzCore and is triggered, because of missing input validation, when QuartzCore processes graphics objects in the CA::Render::Decoder::decode_shape() function. By comparing the patched code, we can see that Apple fixed the problem by strengthening the input validation.
0x05 Affected versions
macOS Mojave 10.14.2
macOS Mojave 10.14.3
0x06 Vulnerability analysis environment
macOS 10.14.2 (18C54) - MacBook Pro
This concludes the in-depth analysis of macOS vulnerability CVE-2019-8507.
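To make the fix concrete, the following is an added example, not Apple's code and not the article's PoC: a hypothetical model of the decode_shape flow described above (a count field that sizes an allocation, followed by a byte run decoded into it), written with the length checks that the summary says the patch added. The message layout, field widths and function names are assumptions chosen for illustration.

```c
/* Hypothetical model of the page's decode_shape flow (not Apple's code): a count
 * field sizes an allocation, then a length-prefixed byte run is decoded into it. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    const uint8_t *buf;   /* encoded message */
    size_t len;           /* bytes available */
    size_t pos;           /* read cursor */
} decoder_t;

/* Read one byte; -1 when the input is exhausted. */
static int read_u8(decoder_t *d, uint8_t *out) {
    if (d->pos >= d->len) return -1;
    *out = d->buf[d->pos++];
    return 0;
}

/* Checked decode: allocate count*4 bytes (count 2 -> the 8-byte region seen on the
 * page), then copy a length-prefixed run only if it fits both the region and the
 * remaining input. Returns bytes copied, or -1 when the message is rejected. */
int decode_shape_checked(decoder_t *d, uint8_t *dst, size_t dst_cap) {
    uint8_t count, n;
    if (read_u8(d, &count) < 0) return -1;
    size_t alloc = (size_t)count * 4;
    if (alloc == 0 || alloc > dst_cap) return -1;
    if (read_u8(d, &n) < 0) return -1;        /* claimed length of the byte run */
    if (n > alloc) return -1;                 /* the check an unvalidated decoder lacks */
    if (n > d->len - d->pos) return -1;       /* run must actually be present */
    memcpy(dst, d->buf + d->pos, n);
    d->pos += n;
    return (int)n;
}

/* Run the checked decoder over one constructed message. */
int run_sample(const uint8_t *msg, size_t msg_len) {
    uint8_t region[64];   /* stands in for the heap allocation */
    decoder_t d = { msg, msg_len, 0 };
    return decode_shape_checked(&d, region, sizeof region);
}

int main(void) {
    /* Constructed inputs: a 4-byte run that fits the 8-byte region, and a claimed
     * 0x20-byte run that must be rejected before any copy happens. */
    const uint8_t good[] = {0x02, 0x04, 0xAA, 0xBB, 0xCC, 0xDD};
    const uint8_t bad[]  = {0x02, 0x20, 0x01, 0x02};
    printf("good=%d bad=%d\n", run_sample(good, sizeof good), run_sample(bad, sizeof bad));
    return 0;
}
```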