Type confusion in XPC service systemstatsd
- Authors: Roberto Paleari (@rpaleari) and Aristide Fattori (@joystick)
- Notification date: 04/05/2015
- Release date: 30/06/2015
- Status: Fixed in OS X 10.10.4
We identified a type confusion vulnerability in the XPC service
systemstatsd. Briefly, the service reads an XPC object assuming it represents
a dictionary, without performing any type check to support this assumption. An
attacker can thus provide a specially crafted XPC object that allows control of
a data pointer or even a code pointer.
Our provided “proof-of-concept” causes an invalid read access at a controlled
address (%rbx, loaded with the value 0x4242424242424242). This in turn
leads to a general protection fault exception (EXC_I386_GPFLT), as the
accessed address is non-canonical.
We are still investigating the possible implications of this vulnerability, but we believe it should be possible to craft a more elaborate exploit that eventually controls an Objective-C pointer.
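For reference, the following is an added illustration of an XPC event handler that performs the type check the advisory says systemstatsd omits; it is not systemstatsd's code (which is not public) and not part of the original advisory. It is written as an Objective-C source built against the libxpc C API on OS X; the "command" and "status" dictionary keys are hypothetical.

```objc
#import <Foundation/Foundation.h>
#include <xpc/xpc.h>
#include <stdlib.h>

// Hardened handler (added example, not systemstatsd's code).
// The bug pattern described above: calling xpc_dictionary_* on `event`
// without first confirming it is a dictionary, so a client-supplied object
// of another type is interpreted through the dictionary layout and
// attacker-controlled bytes end up in data or code pointers.
static void handle_event(xpc_connection_t peer, xpc_object_t event) {
    xpc_type_t type = xpc_get_type(event);

    if (type == XPC_TYPE_ERROR) {
        // Connection-level error (peer closed, interrupted): nothing to parse.
        return;
    }
    if (type != XPC_TYPE_DICTIONARY) {
        // Type confusion fix: refuse anything that is not a dictionary
        // instead of assuming the wire object has the expected shape.
        // Logging the rejected object also gives defenders a detection point.
        char *desc = xpc_copy_description(event);
        NSLog(@"rejected non-dictionary XPC object: %s", desc);
        free(desc);
        xpc_connection_cancel(peer);
        return;
    }

    // Only now are the xpc_dictionary_* accessors safe to call.
    // "command" is a hypothetical key; the accessor returns NULL when the
    // key is missing or holds a value of the wrong type, so check it too.
    const char *cmd = xpc_dictionary_get_string(event, "command");
    if (cmd == NULL) {
        return;
    }

    // Reply is only available when the client used send_message_with_reply.
    xpc_object_t reply = xpc_dictionary_create_reply(event);
    if (reply != NULL) {
        xpc_dictionary_set_string(reply, "status", "ok");
        xpc_connection_send_message(peer, reply);
    }
}

int main(int argc, const char *argv[]) {
    xpc_main(^(xpc_connection_t peer) {
        xpc_connection_set_event_handler(peer, ^(xpc_object_t event) {
            handle_event(peer, event);
        });
        xpc_connection_resume(peer);
    });
}
```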