Advertisement






launchd Heap Corruption

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022070013

Below is a copy:

launchd Heap Corruption
launchd heap corruption due to incorrect rounding in launch_data_unpack

(see issue 12 for background on launchd and launch_data_unpack)

liblaunch.c:
launch_data_unpack:
...
  case LAUNCH_DATA_STRING:
    tmpcnt = big2wire(r->string_len);
    if ((data_size - *data_offset) < (tmpcnt + 1)) {
      errno = EAGAIN;
      return NULL;
    }
    r->string = data + *data_offset;
    r->string_len = tmpcnt;
    *data_offset += ROUND_TO_64BIT_WORD_SIZE(tmpcnt + 1);
    break;
  case LAUNCH_DATA_OPAQUE:
    tmpcnt = big2wire(r->opaque_size);
    if ((data_size - *data_offset) < tmpcnt) {
      errno = EAGAIN;
      return NULL;
    }
    r->opaque = data + *data_offset;
    r->opaque_size = tmpcnt;
    *data_offset += ROUND_TO_64BIT_WORD_SIZE(tmpcnt);
    break;
...

Both these cases check that there is enough space remaining in the buffer for the given payload size. However, they both then round up the given size to the nearest 8 bytes.
This rounding can cause data_offset to become larger than data_size if the data_size was not a multiple of 8 bytes. This causes (data_size - *data_offset) to underflow, meaning
that the code will continue to read and deserialize _launch_data structures off the end of the data buffer.

Related CVE Numbers: CVE-2014-1359.



Found by: Ian Beer

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.