Type confusion in XPC service systemstatsd

  • Authors: Roberto Paleari (@rpaleari) and Aristide Fattori (@joystick)
  • Notification date: 04/05/2015
  • Release date: 30/06/2015
  • Status: Fixed in OS X 10.10.4


We identified a type confusion vulnerability in the XPC service systemstatsd. Briefly, the service reads an XPC object it receives from a client assuming it represents a dictionary, without performing any type check to support this assumption. An attacker can thus supply a specially crafted XPC object of a different type, whose fields are then interpreted as the internal layout of a dictionary; this permits control of a data pointer or even a code pointer.

Our proof-of-concept causes an invalid read access through a controlled pointer (register %rbx, loaded with the value 0x4242424242424242). This in turn raises a general protection fault (EXC_I386_GPFLT) rather than a page fault, because the accessed address is non-canonical on x86-64.
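The following program, added here as an illustration and not part of the original advisory or of systemstatsd, models the bug class described above and the crash it produces. It uses constructed, simplified type-tagged objects (a header word followed by type-specific fields) rather than real libxpc internals; the object layout, the handler functions and the 0x42-filled payload are assumptions for the example. The unchecked handler reads a data object as if it were a dictionary and derives an attacker-controlled pointer; the checked handler verifies the type tag first, which is what a real service does with xpc_get_type() against XPC_TYPE_DICTIONARY. A helper also shows why dereferencing 0x4242424242424242 yields a general protection fault instead of a page fault.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of type-tagged objects. Real XPC objects are Objective-C
 * objects whose first word is an isa pointer; here the first word is a plain
 * type tag so the example compiles and runs on any platform. */
enum obj_type { T_DICTIONARY = 1, T_DATA = 2, T_STRING = 3 };

struct obj_header { uintptr_t type; };   /* first 8 bytes of every object */

struct dict_entry { const char *key; const void *value; };

struct dict_obj {
    struct obj_header hdr;
    struct dict_entry *entries;   /* pointer stored at offset 8 */
    size_t count;
};

/* A data object: its attacker-controlled payload also starts at offset 8,
 * exactly where a dictionary keeps its entries pointer. */
struct data_obj {
    struct obj_header hdr;
    uint8_t bytes[16];
};

/* Vulnerable handler: interprets whatever it is given as a dictionary.
 * It returns the address it would dereference instead of dereferencing it,
 * so the confusion can be observed without crashing the process. */
uintptr_t unchecked_entries_ptr(const void *obj)
{
    const struct dict_obj *d = (const struct dict_obj *)obj;  /* no type check */
    return (uintptr_t)d->entries;
}

/* Hardened handler: check the tag before trusting the layout.
 * In a real XPC service the equivalent check is
 *   if (xpc_get_type(obj) != XPC_TYPE_DICTIONARY) reject the message. */
int checked_entries_ptr(const void *obj, uintptr_t *out)
{
    const struct obj_header *h = (const struct obj_header *)obj;
    if (h->type != T_DICTIONARY)
        return -1;                /* wrong type: refuse to interpret it */
    *out = (uintptr_t)((const struct dict_obj *)obj)->entries;
    return 0;
}

/* x86-64 requires bits 63..47 of a virtual address to be identical.
 * Any other value is non-canonical and faults with #GP, not #PF. */
int is_canonical_x86_64(uintptr_t addr)
{
    uintptr_t upper = addr >> 47;          /* the 17 sign-extension bits */
    return upper == 0 || upper == 0x1FFFF;
}

/* The attacker's message: a data object filled with 0x42 (constructed). */
struct data_obj *make_malicious_data(void)
{
    struct data_obj *d = calloc(1, sizeof *d);
    d->hdr.type = T_DATA;
    memset(d->bytes, 0x42, sizeof d->bytes);
    return d;
}

/* A well-formed dictionary, as a benign client would send. */
struct dict_obj *make_benign_dict(void)
{
    static struct dict_entry entries[1] = { { "key", "value" } };
    struct dict_obj *d = calloc(1, sizeof *d);
    d->hdr.type = T_DICTIONARY;
    d->entries = entries;
    d->count = 1;
    return d;
}

int main(void)
{
    struct data_obj *evil = make_malicious_data();
    uintptr_t p = unchecked_entries_ptr(evil);
    printf("unchecked handler would dereference %#lx (canonical: %s)\n",
           (unsigned long)p, is_canonical_x86_64(p) ? "yes" : "no, #GP");

    uintptr_t q = 0;
    printf("checked handler on data object: %d\n", checked_entries_ptr(evil, &q));
    printf("checked handler on dictionary:  %d\n",
           checked_entries_ptr(make_benign_dict(), &q));
    return 0;
}
```

The value derived by the unchecked handler is the same 0x4242424242424242 seen in %rbx in the crash, and is_canonical_x86_64() reports it as non-canonical, matching the EXC_I386_GPFLT rather than a KERN_INVALID_ADDRESS page fault. The checked handler rejects the data object before any field of it is interpreted as a pointer.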

We are still investigating the possible implications of this vulnerability, but we believe it should be possible to craft a more elaborate exploit that eventually controls an Objective-C object pointer.