There is a heap corruption vulnerability in VCPDecompressionDecodeFrame which is called by FaceTime. This bug can be reached if a user accepts a call from a malicious peer.
The issue can be reproduced using the attached sequence of RTP packets. To reproduce the issue:
1) Build video-replay.c attached (gcc -g -dynamiclib -o mylib video-replay.c) and copy to /usr/lib/mylib
2) Use bspatch to apply the attached binpatch to /System/Library/PrivateFrameworks/AVConference.framework/Versions/Current/AVConference. The version I patched has an md5 sum of 0de78198e29ae43e686f59d550150d1b and the patched version has an md5 sum of af5bb770f08e315bf471a0fadcf96cf8. This patch alters SendRTP to retrieve the length of an encrypted packet from offset 0x650 of the encrypted buffer, as the existing code doesn't respect the output size returned from CCCryptorUpdate
3) Use insert_dylib (https://github.com/Tyilo/insert_dylib) to add /usr/lib/mylib to AVConference (insert_dylib --strip-codesig /usr/lib/mylib AVConference)
4) Edit /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb to add /out as allow file read and write
5) Restart the machine
6) Extract the attached out.zip to /out and change the permissions so it's readable by AVConference
7) Call target, when they pick up, AVConference will crash
When I reproduced this, my host was a Mac mini running version 10.13.6. My target was a MacBook Pro running 10.13.6. This PoC only works on a Mac, but the vulnerable code appears to be in iOS 11.3.1 as well.
* thread #27, name = 'com.apple.avconference.soundplayer.recvproc', stop reason = EXC_BAD_ACCESS (code=1, address=0x21c6a1ff6)
frame #0: 0x00007fff6bd71892 VideoProcessing`___lldb_unnamed_symbol2778$$VideoProcessing + 4492
VideoProcessing`___lldb_unnamed_symbol2778$$VideoProcessing:
-> 0x7fff6bd71892 <+4492>: movl (%rcx,%rbx), %r8d
0x7fff6bd71896 <+4496>: bswapl %r8d
0x7fff6bd71899 <+4499>: movl %eax, %ecx
0x7fff6bd7189b <+4501>: shll %cl, %r8d
Target 0: (avconferenced) stopped.
(lldb) bt
* thread #27, name = 'com.apple.avconference.soundplayer.recvproc', stop reason = EXC_BAD_ACCESS (code=1, address=0x21c6a1ff6)
* frame #0: 0x00007fff6bd71892 VideoProcessing`___lldb_unnamed_symbol2778$$VideoProcessing + 4492
frame #1: 0x00007fff6bd976b6 VideoProcessing`___lldb_unnamed_symbol3007$$VideoProcessing + 117
frame #2: 0x00007fff6bda4eb9 VideoProcessing`___lldb_unnamed_symbol3043$$VideoProcessing + 513
frame #3: 0x00007fff6bda4b76 VideoProcessing`___lldb_unnamed_symbol3042$$VideoProcessing + 560
frame #4: 0x00007fff6bd6b252 VideoProcessing`___lldb_unnamed_symbol2741$$VideoProcessing + 4206
frame #5: 0x00007fff53cf67f4 VideoToolbox`___lldb_unnamed_symbol79$$VideoToolbox + 1233
frame #6: 0x00007fff53cf5373 VideoToolbox`___lldb_unnamed_symbol59$$VideoToolbox + 401
frame #7: 0x00007fff6bca7381 VideoProcessing`VCPDecompressionSessionDecodeFrame + 423
frame #8: 0x000000010bb86bab AVConference`VideoPlayer_ShowFrame + 1384
frame #9: 0x000000010bb8cf98 AVConference`VideoReceiver_ShowFrame + 740
frame #10: 0x000000010bb8c5be AVConference`VideoReceiver_VideoAlarm + 720
frame #11: 0x000000010bb78933 AVConference`SoundPlayer_AlarmThread + 364
frame #12: 0x00007fff484fe98b CoreMedia`figThreadMain + 277
frame #13: 0x00007fff6f6a6661 libsystem_pthread.dylib`_pthread_body + 340
frame #14: 0x00007fff6f6a650d libsystem_pthread.dylib`_pthread_start + 377
frame #15: 0x00007fff6f6a5bf9 libsystem_pthread.dylib`thread_start + 13
I've improved the PoC a lot for this, an updated video-replay.c is attached. This version does not require the binary patch for the sender binary, other than adding the library with insert_dylib. So to use this one:
1) Build video-replay.c attached (g++ -std=c++11 -g -dynamiclib -o mylib video-replay.c) and copy to /usr/lib/mylib
2) Use insert_dylib (https://github.com/Tyilo/insert_dylib) to add /usr/lib/mylib to AVConference (insert_dylib --strip-codesig /usr/lib/mylib AVConference)
3) Edit /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb to add /out as allow file read and write
4) Restart the machine
5) Extract the attached out.zip to /out and change the permissions so it's readable by AVConference
6) Call target with FaceTime, when they pick up, AVConference will crash
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45788.zip