Posts

CVE-2022-42864 - Diabolical Cookies

iOS 16.2 and macOS Ventura 13.1 released just over a month ago, fixing an interesting vulnerability that I reported in IOHIDFamily. I would like to share the details of that vulnerability today. The Bug Apple's comment from the source code when this issue was fixed sums this up nicely: // Find the number of cookies in the data. The data from elementData is shared with user space and may change at any time. Let us have a look at the function before the patch (I have tried to label relevant lines): IOReturn IOHIDDevice :: postElementTransaction( const void * elementData, UInt32 dataSize, UInt32 completionTimeout, IOHIDCompletion * completion) { IOReturn ret = kIOReturnError; uint32_t cookies_[kMaxLocalCookieArrayLength]; uint32_t * cookies = cookies_; uint32_t cookieCount = 0 ; uint32_t cookieSize = 0 ; uint32_t dataOffset = 0 ;...

CVE-2020-9964 - An iOS infoleak

iOS 14 is now available to the public, and with it comes the iOS 14.0 security content update . One of the vulnerabilities you'll see listed is CVE-2020-9964, a vulnerability in IOSurfaceAccelerator, and my first infoleak :) Both myself (@Muirey03) and Mohamed Ghannam (@_simo36) are credited with the discovery of this vulnerability. I would not be at all surprised if I found out there were more people who knew about this. Apple describes the impact of this bug as "A local user may be able to read kernel memory" and refer to it as a "memory initialisation issue" in the description, so what is the bug? IOSurfaceAcceleratorClient::user_get_histogram IOSurfaceAcceleratorClient is the user client for the AppleM2ScalerCSCDriver IOService, and is one of the few user clients that can be opened from within the App Sandbox. We are interested in one particular external method on this user client, method 9, IOSurfaceAcceleratorClient::user_get_histogram . IOSurfaceAccelera...