
There is an info leak when decoding the SGBigUTF8String class using [SGBigUTF8String initWithCoder:]. This class initializes the string using [SGBigUTF8String initWithUTF8DataNullTerminated:] even though there is no guarantee the bytes provided to the decoder are null terminated. It should use [SGBigUTF8String initWithUTF8Data:] instead.
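The fix the advisory points at is to carry the length that the decoder already returns into the string initializer, so that nothing ever scans for a NUL that the archive never promised. The class below is an added example written for this note, not Apple's SGBigUTF8String and not code from the advisory: the class name DemoUTF8String, the selector initWithUTF8Bytes:length: and the archive key "utf8" are assumptions. The vulnerable initWithCoder: shape is kept as a comment for contrast; the live initWithCoder: is the length-bounded version.

```objc
#import <Foundation/Foundation.h>

// DemoUTF8String is a stand-in written for this note; it is not Apple's
// SGBigUTF8String, and the selector names below are assumptions.
@interface DemoUTF8String : NSObject <NSSecureCoding>
@property (nonatomic, readonly, copy) NSString *value;
- (instancetype)initWithUTF8Bytes:(const uint8_t *)bytes length:(NSUInteger)length;
@end

@implementation DemoUTF8String

+ (BOOL)supportsSecureCoding { return YES; }

// Length-bounded initializer: the only way bytes from an archive should enter.
- (instancetype)initWithUTF8Bytes:(const uint8_t *)bytes length:(NSUInteger)length {
    self = [super init];
    if (self) {
        NSData *data = [NSData dataWithBytes:bytes length:length];
        _value = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
        if (_value == nil) return nil;   // malformed UTF-8: reject, do not guess
    }
    return self;
}

// Vulnerable pattern described in the advisory, kept only as a comment:
// the decoder returns bytes plus a length, but a NUL-terminated initializer
// ignores the length and keeps reading past the end of the decoded buffer
// until it happens to hit a 0 byte, pulling adjacent memory into the string.
//
// - (instancetype)initWithCoder:(NSCoder *)coder {
//     NSUInteger len = 0;
//     const uint8_t *bytes = [coder decodeBytesForKey:@"utf8" returnedLength:&len];
//     return [self initWithUTF8BytesNullTerminated:bytes];   // len is never used
// }

// Fixed pattern: thread the length the decoder hands back into the initializer.
- (instancetype)initWithCoder:(NSCoder *)coder {
    NSUInteger len = 0;
    const uint8_t *bytes = [coder decodeBytesForKey:@"utf8" returnedLength:&len];
    if (bytes == NULL) return nil;
    return [self initWithUTF8Bytes:bytes length:len];
}

- (void)encodeWithCoder:(NSCoder *)coder {
    NSData *data = [_value dataUsingEncoding:NSUTF8StringEncoding];
    // Only the bytes and their length are archived; no trailing NUL is written,
    // which is exactly the input the vulnerable path mishandles.
    [coder encodeBytes:(const uint8_t *)data.bytes length:data.length forKey:@"utf8"];
}

@end

int main(void) {
    @autoreleasepool {
        // Constructed sample: 6 UTF-8 bytes ("héllo") with no NUL terminator.
        const uint8_t sample[] = { 'h', 0xC3, 0xA9, 'l', 'l', 'o' };
        DemoUTF8String *original =
            [[DemoUTF8String alloc] initWithUTF8Bytes:sample length:sizeof(sample)];

        NSError *err = nil;
        NSData *archive = [NSKeyedArchiver archivedDataWithRootObject:original
                                                requiringSecureCoding:YES
                                                                error:&err];
        if (archive == nil) { NSLog(@"archive failed: %@", err); return 1; }

        DemoUTF8String *decoded =
            [NSKeyedUnarchiver unarchivedObjectOfClass:[DemoUTF8String class]
                                              fromData:archive
                                                 error:&err];
        if (decoded == nil) { NSLog(@"unarchive failed: %@", err); return 1; }

        // The round trip yields exactly the 6 encoded bytes and nothing past them.
        NSLog(@"decoded: %@ (%lu UTF-8 bytes)", decoded.value,
              (unsigned long)[decoded.value lengthOfBytesUsingEncoding:NSUTF8StringEncoding]);

        // Malformed input is rejected instead of producing a partial string.
        const uint8_t bad[] = { 0xFF, 'A' };
        DemoUTF8String *rejected =
            [[DemoUTF8String alloc] initWithUTF8Bytes:bad length:sizeof(bad)];
        NSLog(@"malformed input rejected: %s", rejected == nil ? "yes" : "no");
        return 0;
    }
}
```

Build with clang -fobjc-arc -framework Foundation demo.m -o demo. The design point is that decodeBytesForKey:returnedLength: is the boundary: every byte count downstream of it must come from the returned length, and an initializer that needs a terminator should not be reachable from initWithCoder: at all.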
While this class is included in iMessage, it is more likely that this bug could be useful in local attacks.
To reproduce this issue:

1) Compile decodeleak.m

clang -o decodeleak -g decodeleak.m -fobjc-arc -framework CoreSuggestionsInternals -F/System/Library/PrivateFrameworks

2) Run:

./decodeleaks obj

Leaked memory will be printed to the screen.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47257.zip