What is WindowServer on Mac OS X
Internally, WindowServer maintains its HotKey objects as a linked list. With the help of heap spraying, a partially corrupted HotKey pointer can be made to point into attacker-controlled data. After some whiteboarding, we established what we thought would be a viable but convoluted path towards achieving code execution in time for Pwn2Own. The exploit would require multiple heap sprays, risky cross-chunk heap corruption, and an extremely precise bit flip.
The first major phase of our sandbox escape was solely responsible for leaking information about the layout of the WindowServer heap. While this was not strictly necessary, a leaked heap pointer provided the situational awareness needed to improve the speed and reliability of the exploit. By reading back and searching the contents of each sprayed string, the exploit eventually discovers the corrupted property containing the leaked pointer. In short, phase one uses the vulnerability plus a heap spray to leak a heap pointer. With some knowledge of the heap layout and its deterministic growth, we could move on to performing some more nefarious memory corruption with our vulnerability.
The goal for phase two of the exploit was to partially corrupt a WindowServer HotKey pointer such that we could point it somewhere within heap data that we could arbitrarily control.
This would require a sequence of carefully choreographed heap manipulations, followed by a risky stab at cross-chunk corruption to create a dangling HotKey pointer. Just like phase one, phase two sprays mostly NULL connection property strings. The spray size is computed to cover the address we expect the dangling HotKey pointer to land within, based on the assumption that we would allocate the corruptible HotKey objects halfway through the spray. The heap pointer leaked in phase one helped us predict when to allocate those objects.
Halfway through this spray, the exploit stops to inspect the heap in an attempt to identify property strings that are allocated directly adjacent to each other. It was critical to locate adjacent value allocations (i.e. no key string between them), because this is the boundary over which we will perform the cross-chunk corruption. After freeing a few carefully chosen NULL string chunks, the exploit immediately begins creating HotKey objects, hoping to fill in one or more of the holes we punched.
If performed correctly, the heap should now contain a HotKey object placed directly after our chosen connection property allocation. The annotated lldb dump below shows the boundary between these two allocations, which are now ready for the cross-chunk corruption. Before performing that corruption to create the dangling HotKey pointer, the exploit completes the second half of the phase two NULL string spray. This ensures that the address we predict the corrupted pointer will point at is backed by a live, sprayed heap allocation rather than unmapped or unrelated memory.
Through the use of a partial overwrite, we have forced the creation of a dangling HotKey pointer. Though long and arduous, we are almost done with phase two. The WindowServer heap now looks something like this. Eventually, the exploit would locate the string containing a single flipped bit.
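The following simulation is an added example, not RET2's exploit code, and it stands in for both the phase one scan loop (find which sprayed NULL string changed) and the phase two choreography described above (adjacency check, hole punching, HotKey placement, spray sizing, partial overwrite of a list pointer). Everything about the real target is abstracted: the arena is a toy allocator with 64-byte chunks, first-free-hole reuse and deterministic bump growth, the `HotKey` struct is a hypothetical two-field list node, and the vulnerability itself is replaced by the hypothetical primitive `flip_bit_past_end()`, which flips one bit in the byte just beyond a property string. It assumes a 64-bit little-endian build and a compiler that honours `__attribute__((aligned))`.

```c
/* Added example (not RET2's code): toy model of the phase one / phase two heap
 * choreography. Bug replaced by the hypothetical flip_bit_past_end() primitive;
 * allocator, chunk sizes and the HotKey layout are assumptions. 64-bit LE only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK   64
#define NCHUNKS 64                                   /* arena = one 4 KiB page */
static uint8_t arena[NCHUNKS * CHUNK] __attribute__((aligned(NCHUNKS * CHUNK)));
static uint8_t in_use[NCHUNKS];
static size_t  top;                                  /* deterministic bump index */

typedef struct HotKey { struct HotKey *next; uint32_t keycode; uint32_t modifiers; } HotKey;
static HotKey *hotkey_list;                          /* list head */

static void reset_heap(void) { memset(in_use, 0, sizeof in_use); top = 0; hotkey_list = NULL; }

static void *chunk_alloc(void) {
    for (size_t i = 0; i < top; i++)                 /* reuse the first hole ... */
        if (!in_use[i]) { in_use[i] = 1; return arena + i * CHUNK; }
    if (top == NCHUNKS) return NULL;
    in_use[top] = 1;                                 /* ... otherwise grow predictably */
    return arena + top++ * CHUNK;
}
static void chunk_free(void *p) { in_use[((uint8_t *)p - arena) / CHUNK] = 0; }

static HotKey *hotkey_create(uint32_t keycode) {
    HotKey *h = chunk_alloc();
    if (!h) return NULL;
    h->next = hotkey_list; h->keycode = keycode; h->modifiers = 0;
    return hotkey_list = h;
}

/* "NULL string" property values: one zero-filled chunk each. Keys are assumed
 * to live in a different size class, so only values land in this arena. */
static void spray_null_strings(uint8_t **out, int n) {
    for (int i = 0; i < n; i++) { if (!(out[i] = chunk_alloc())) return; memset(out[i], 0, CHUNK); }
}

/* Hypothetical stand-in for the vulnerability: one bit flipped just past a string. */
static void flip_bit_past_end(uint8_t *str, int bit) { str[CHUNK + bit / 8] ^= (uint8_t)(1u << (bit % 8)); }

/* Phase one style scan: first sprayed string whose contents are no longer all NULL. */
static int find_dirty_string(uint8_t **vals, int n) {
    for (int i = 0; i < n; i++)
        for (int j = 0; j < CHUNK; j++) if (vals[i][j]) return i;
    return -1;
}

/* Phase two requirement: two values directly adjacent, nothing between them. */
static int find_adjacent_pair(uint8_t **vals, int n) {
    for (int i = 0; i + 1 < n; i++) if (vals[i + 1] == vals[i] + CHUNK) return i;
    return -1;
}

static int run_phase_one_scan(void) {
    uint8_t *spray[16];
    reset_heap();
    spray_null_strings(spray, 16);
    flip_bit_past_end(spray[7], 0);                  /* lands in the first byte of string 8 */
    return find_dirty_string(spray, 16);
}

/* Returns the chunk index the dangling HotKey `next` lands in (and the keycode
 * read back through it), or -1 if any step of the choreography fails. */
static int run_phase_two(int flip_bit, uint32_t *keycode_out) {
    uint8_t *spray[NCHUNKS], *second[NCHUNKS];
    if (flip_bit < 0 || flip_bit >= 64) return -1;
    reset_heap();
    chunk_alloc();                                   /* pre-existing live chunk 0 */
    uint8_t *hole = chunk_alloc();                   /* chunk 1 ... */
    hotkey_create(0x10);                             /* chunk 2: original list head */
    chunk_free(hole);                                /* ... becomes a hole the spray must skip */

    spray_null_strings(spray, 30);                   /* first half of the spray */
    int pair = find_adjacent_pair(spray, 30);        /* spray[0] fills the hole, so pair == 1 */
    if (pair < 0) return -1;

    chunk_free(spray[pair + 1]);                     /* punch holes right after spray[pair] ... */
    chunk_free(spray[pair + 2]);
    HotKey *victim = hotkey_create(0x20);            /* ... and refill them with HotKeys */
    hotkey_create(0x30);
    if (!victim || (uint8_t *)victim != spray[pair] + CHUNK) return -1;

    /* predict where the partially overwritten `next` will point, then size the
     * second half of the spray so that address is a live, controlled string */
    uintptr_t predicted = (uintptr_t)victim->next ^ ((uintptr_t)1 << flip_bit);
    if (predicted < (uintptr_t)arena || predicted >= (uintptr_t)arena + sizeof arena) return -1;
    int target = (int)((predicted - (uintptr_t)arena) / CHUNK), base = (int)top;
    int n2 = target - base + 1 > 30 ? target - base + 1 : 30;
    if (target < base || base + n2 > NCHUNKS) return -1;
    spray_null_strings(second, n2);

    flip_bit_past_end(spray[pair], flip_bit);        /* cross-chunk corruption into victim->next */
    if ((uintptr_t)victim->next != predicted) return -1;

    HotKey fake = { NULL, 0x41414141, 0 };           /* landing chunk is our property value */
    memcpy(second[target - base], &fake, sizeof fake);
    HotKey got;                                      /* walk head -> victim -> dangling pointer */
    memcpy(&got, hotkey_list->next->next, sizeof got);
    *keycode_out = got.keycode;
    return target;
}

int main(void) {
    uint32_t kc = 0;
    int chunk = run_phase_two(11, &kc);
    printf("phase one: flipped bit found in string %d\n", run_phase_one_scan());
    printf("phase two: dangling HotKey pointer landed in chunk %d, keycode 0x%x\n", chunk, kc);
    return 0;
}
```

Two details carry the weight here. First, the hole left at chunk 1 is why `find_adjacent_pair()` is not a no-op: the first sprayed value is swallowed by the hole, so the first truly adjacent pair starts at index 1, and punching holes anywhere else would put the HotKey next to the wrong string. Second, the flip target is chosen relative to the page-aligned arena (bit 11 adds exactly 2048 bytes), and the second-half spray is sized from that prediction before the bit is flipped, which is the same ordering the write-up insists on: predict, spray to cover, then corrupt.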