Vulnerabilities

String Handling

These functions will not add a terminating null byte if the data is larger than the buffer, so the result may not be a valid C string.
Look for strcat, strcpy, strncpy, sprintf, vsprintf and gets.

Do not use the return value of snprintf and vsnprintf as a length: the value these functions return is the length that would have been printed if n were infinite, not the number of bytes actually written. For this reason, you must not use this return value to determine where to null-terminate the string or how many bytes to copy from the string later.

With fgets you must always pass a size value that is one fewer than the size of the buffer to leave room for the null termination. If you do not, fgets will dutifully terminate the string past the end of your buffer.
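As an added example (not code from the page or from Apple's guide), the C below shows the two pitfalls just described: strncpy leaving no terminator when the source fills the buffer, and the snprintf return value being larger than the bytes actually written. The function names (safe_copy, strncpy_terminated, build_pair, check_*) and the 8-byte buffers are my own constructions.

```c
#include <stdio.h>
#include <string.h>

/* Copies src into dst and always writes a terminating null byte.
 * Returns 0 on success, -1 if src had to be truncated to fit. */
int safe_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0) return -1;
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);          /* includes the terminator */
    return 0;
}

/* The strncpy pitfall: when src is at least dstsz bytes long, strncpy
 * fills dst completely and never writes a null byte.
 * Returns 1 if dst ended up terminated, 0 if it did not. */
int strncpy_terminated(char *dst, size_t dstsz, const char *src)
{
    strncpy(dst, src, dstsz);
    return memchr(dst, '\0', dstsz) != NULL;
}

/* Builds "key=value" with two snprintf calls. snprintf returns the length
 * that would have been written with an unbounded buffer, so the value is
 * clamped before it is used as the offset for the second write.
 * Returns the number of characters actually stored (terminator excluded). */
size_t build_pair(char *buf, size_t sz, const char *key, const char *value)
{
    if (sz == 0) return 0;
    int r = snprintf(buf, sz, "%s=", key);
    if (r < 0) { buf[0] = '\0'; return 0; }
    size_t off = (size_t)r;
    if (off >= sz) return sz - 1;     /* key alone overflowed; buf is terminated */
    r = snprintf(buf + off, sz - off, "%s", value);
    if (r < 0) return off;
    off += (size_t)r;
    return off >= sz ? sz - 1 : off;  /* never trust r as a write position */
}

/* Self-checks on an 8-byte buffer with constructed inputs; each returns 1
 * when the behaviour described above is observed. */
int check_safe_copy(void)
{
    char d[8];
    return safe_copy(d, sizeof d, "0123456789") == -1 && strcmp(d, "0123456") == 0
        && safe_copy(d, sizeof d, "abc") == 0 && strcmp(d, "abc") == 0;
}

int check_strncpy(void)
{
    char d[8];
    return strncpy_terminated(d, sizeof d, "12345678") == 0   /* 8 bytes: no null byte */
        && strncpy_terminated(d, sizeof d, "1234567") == 1;   /* 7 bytes: null-padded */
}

int check_build_pair(void)
{
    char b[8];
    return build_pair(b, sizeof b, "user", "alice") == 7 && strcmp(b, "user=al") == 0
        && build_pair(b, sizeof b, "k", "v") == 3 && strcmp(b, "k=v") == 0;
}
```

In build_pair the second snprintf reports 5 for "alice" even though only "al" fit; using that 5 as the next offset would point past the end of the buffer, which is exactly the misuse the text warns about.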

Format String Attacks

  • C Functions
    • printf
    • sscanf
    • syslog
    • vsyslog
  • Carbon Functions
    • AEBuildDesc
    • vAEBuildDesc
    • AEBuildParameters
    • vAEBuildParameters
    • AEBuildAppleEvent
    • vAEBuildAppleEvent
  • Core Foundation Functions
    • CFStringCreateWithFormat
    • CFStringCreateWithFormatAndArguments
    • CFStringAppendFormat
    • CFStringAppendFormatAndArguments
  • Cocoa Functions
    • [NSString stringWithFormat:]
    • [NSString initWithFormat:]
    • and other NSString functions that take a format
    • [NSMutableString appendFormat:]
    • [NSAlert alertWithMessageText:defaultButton:alternateButton:otherButton:informativeTextWithFormat:]
    • [NSPredicate predicateWithFormat:]
    • [NSPredicate predicateWithFormat:arguments:]
    • [NSPredicate predicateWithFormat:argumentArray:]
    • [NSException raise:format:]
    • [NSException raise:format:arguments:]
    • NSRunAlertPanel and other Application Kit functions that create or return panels or sheets

Vulnerable Example:

/* receiving http packet */
int size = recv(fd, pktBuf, sizeof(pktBuf), 0);
if (size) {
    syslog(LOG_INFO, "Received new HTTP request!");
    syslog(LOG_INFO, pktBuf);   /* BAD: attacker-controlled data is used as the format string */
    /* syslog takes a variable number of parameters; a packet such as
     * "AAAA%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%n" is interpreted as a format */
}
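The safe counterpart of the snippet above, as an added example that is not from the page: the received bytes are null-terminated before being treated as a string (recv does not do that), the untrusted text is passed as a "%s" argument rather than as the format, and a small audit helper counts the conversion specifiers that would otherwise be interpreted. The names store_packet, log_request, count_conversions and check_logging are my own, and the sample request is a constructed value modelled on the payload quoted in the comment.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Stand-in for the recv() step above: recv() does not null-terminate, so
 * the data must be terminated before it is treated as a C string.
 * Returns the number of bytes stored, or -1 if there is no room for '\0'. */
ssize_t store_packet(char *pktBuf, size_t bufsz, const char *data, size_t len)
{
    if (bufsz == 0 || len >= bufsz) return -1;
    memcpy(pktBuf, data, len);
    pktBuf[len] = '\0';
    return (ssize_t)len;
}

/* Safe logging: untrusted text goes in as a "%s" argument, never as the
 * format. out stands in for the syslog sink so the result can be checked.
 * Returns 0 on success, -1 if the message was truncated. */
int log_request(char *out, size_t outsz, const char *untrusted)
{
    int r = snprintf(out, outsz, "Received new HTTP request: %s", untrusted);
    return (r < 0 || (size_t)r >= outsz) ? -1 : 0;
}

/* Audit helper: counts conversion specifiers in a string that is about to
 * be used as a format. A non-zero count on attacker-controlled text is
 * exactly the condition the vulnerable snippet above never checks. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" is a literal percent */
        n++;
    }
    return n;
}

/* Constructed request modelled on the payload quoted in the comment above. */
static const char sample_request[] = "GET / HTTP/1.0 AAAA%08x.%08x.%n";

/* Self-check: the payload is stored, logged verbatim and flagged.
 * Returns 1 when every step behaves as expected. */
int check_logging(void)
{
    char pkt[64], line[128];
    if (store_packet(pkt, sizeof pkt, sample_request, strlen(sample_request)) < 0) return 0;
    if (log_request(line, sizeof line, pkt) != 0) return 0;
    if (strcmp(line, "Received new HTTP request: GET / HTTP/1.0 AAAA%08x.%08x.%n") != 0) return 0;
    return count_conversions(pkt) == 3;   /* %08x, %08x, %n */
}
```

Passing the data through "%s" means the percent sequences end up in the log as literal text; the same rule applies to every function in the list above, including the Cocoa methods, where the format must be a string literal and user data must only ever appear as an argument.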

Vulnerable double-formatted string (the output of stringWithFormat: is itself used as the format string of the alert):

alert = [NSAlert alertWithMessageText:@"Certificate Import Succeeded"
                        defaultButton:@"OK"
                      alternateButton:nil
                          otherButton:nil
            informativeTextWithFormat:[NSString stringWithFormat:   /* BAD! BAD! BAD! */
                @"The imported certificate \"%@\" has been selected in the certificate pop-up.",
                [selectedCert identifier]]];
[alert setAlertStyle:NSInformationalAlertStyle];
[alert runModal];

Fixed Double Formatted String:

alert = [NSAlert alertWithMessageText:@"Certificate Import Succeeded"
                        defaultButton:@"OK"
                      alternateButton:nil
                          otherButton:nil
            informativeTextWithFormat:@"The imported certificate \"%@\" has been selected in the certificate pop-up.",
                                      [selectedCert identifier]];

Conversion from UTF-8

Some languages have problems with UTF-8 upper- and lower-casing: a case conversion can change the length of a string, so a length computed before the conversion is no longer valid afterwards. The Python session below lists code points whose upper-case form has a different length:

>>> for i in range(1_114_112):
...     s = chr(i)
...     if len(s) != len(s.upper()):
...         print(i, s, s.upper())
...
223 ß SS
329 ʼn ʼN
496 ǰ J̌
912 ΐ Ϊ́
944 ΰ Ϋ́
1415 և ԵՒ
7830 ẖ H̱
...
8188 ῼ ΩΙ
64256 ﬀ FF
64257 ﬁ FI
...
64279 ﬗ ՄԽ

Buffer Underflows

Modifications to Archived Data

In Objective-C, serialization (archiving) is common, and unarchiving can instantiate classes that were not expected.

Interprocess Communication

Verify Mach Messages

Time of Check Time of Use

The window between the check of an item's validity and the use of that item, during which the item can be changed.

Temp Files

If a temp file is written to a publicly accessible directory, then an attacker can modify that data before its use.

  • NSTemporaryDirectory

fd = mkstemp(tmpfile);   // check return for -1, which indicates an error
NSFileHandle *myhandle = [[NSFileHandle alloc] initWithFileDescriptor:fd];
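Both the time-of-check/time-of-use section and the temp-file section come down to the same rule: validate the file you actually hold, by descriptor, rather than a path name that can be repointed between two calls. As an added example (not code from the page), the C below shows the racy check-then-open pattern next to an open-then-fstat version, and a private temp-file helper built on mkstemp, the same call the snippet above uses. The function names open_racy, open_checked, create_private_tempfile and check_open_checked are my own; the self-check assumes a writable $TMPDIR or /tmp.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern (for contrast): check the path, then open the path. Between
 * the two calls the name can be pointed at a different file. */
int open_racy(const char *path)
{
    if (access(path, R_OK) != 0) return -1;   /* check */
    return open(path, O_RDONLY);              /* use, by name, again */
}

/* Safer pattern: open first, then validate the descriptor actually held.
 * fstat() describes the object that was opened, so check and use refer to
 * the same file; O_NOFOLLOW refuses a symlink as the final component.
 * Returns the fd, or -1 with errno set if it is not a regular file owned
 * by the caller. */
int open_checked(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Creates a private temporary file in dir. mkstemp() creates it with
 * O_EXCL and mode 0600, so a pre-planted file or symlink cannot be reused;
 * all later I/O should go through the returned fd, not the name.
 * The final name is copied to name_out. Returns the fd or -1. */
int create_private_tempfile(const char *dir, char *name_out, size_t name_sz)
{
    char tmpl[4096];
    int n = snprintf(tmpl, sizeof tmpl, "%s/app.XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof tmpl) return -1;
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) { close(fd); unlink(tmpl); return -1; }
    if (name_out != NULL && name_sz > (size_t)n) memcpy(name_out, tmpl, (size_t)n + 1);
    return fd;
}

/* Self-check: creates a temp file, confirms open_checked accepts it, then
 * confirms it rejects a directory and a symlink pointing at the file.
 * Returns 1 on success. The directory comes from $TMPDIR or /tmp. */
int check_open_checked(void)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0') dir = "/tmp";
    char name[4096], link[4096];
    int fd = create_private_tempfile(dir, name, sizeof name);
    if (fd < 0) return 0;
    close(fd);

    int ok = 1, t;
    if ((t = open_checked(name)) < 0) ok = 0; else close(t);      /* regular file: accepted */
    if ((t = open_checked(dir)) >= 0) { close(t); ok = 0; }      /* directory: rejected */
    snprintf(link, sizeof link, "%s.lnk", name);
    if (symlink(name, link) == 0) {
        if ((t = open_checked(link)) >= 0) { close(t); ok = 0; }  /* symlink: rejected */
        unlink(link);
    }
    unlink(name);
    return ok;
}
```

The owner check against geteuid() is what makes a swapped-in file detectable: an attacker who plants a file in a shared directory cannot make it owned by the victim, and a symlink they plant is refused by O_NOFOLLOW before fstat ever runs.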

Privilege Elevation

  • setuid
  • setreuid
  • seteuid
  • setgid
  • setregid
  • setegid

Avoid forking a privileged process
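As an added example (not from the page), the C below drops privileges with the calls listed above in the order that actually works, verifies the drop, and provides a guard to call before fork() or exec() so that a privileged child is never spawned by accident. The names has_elevated_privileges and drop_privileges are my own; when run as an unprivileged user the drop is to the caller's own ids, which still exercises every check.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if the process still holds elevated privileges (effective root,
 * or effective ids that differ from the real ones), 0 otherwise.
 * Call this before fork()/exec() to avoid spawning a privileged child. */
int has_elevated_privileges(void)
{
    return geteuid() == 0 || geteuid() != getuid() || getegid() != getgid();
}

/* Permanently drops privileges to uid/gid, in the order that works:
 * supplementary groups first (root only), then gid, then uid, because once
 * the uid is no longer root the gid can no longer be changed. Afterwards it
 * verifies the drop and that root cannot be regained.
 * Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setregid(gid, gid) != 0) return -1;       /* real + effective (and saved) gid */
    if (setreuid(uid, uid) != 0) return -1;       /* real + effective (and saved) uid */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0) return -1;    /* must fail once dropped */
    if (uid != 0 && has_elevated_privileges()) return -1;
    return 0;
}
```

Note that seteuid and setegid alone only change the effective id and leave the saved id in place, so a process that "drops" with them can call seteuid(0) again later; the setreuid/setregid pair with the same value for both arguments is what makes the drop permanent.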