# Vulnerabilities
## String Handling
These functions either do no bounds checking at all or will not add a terminating null byte when the data is larger than the buffer. Look for strcat, strcpy, strncpy, sprintf, vsprintf and gets.
Do not use the return value of snprintf and vsnprintf: the length returned by these functions is the length that would have been printed if n were infinite. For this reason, you must not use this return value to determine where to null-terminate the string or to determine how many bytes to copy from the string at a later time.
With fgets, you must always pass a size value that is one fewer than the size of the buffer to leave room for the null termination. If you do not, the fgets function will dutifully terminate the string past the end of your buffer.
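The snprintf return-value mistake and its fix, as an added example that is not part of the guide. The function names are assumptions; the point is that the return value may exceed the buffer size, so only a clamped value may be used as "bytes stored". The fgets wrapper follows the advice above and passes one less than the buffer size.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: treats snprintf's return value as the number of bytes
 * actually stored. When src does not fit, the value exceeds dstsz, and a
 * caller that uses it to place a terminator or copy bytes runs off the end. */
size_t stored_length_bad(char *dst, size_t dstsz, const char *src) {
    int n = snprintf(dst, dstsz, "%s", src);
    return n < 0 ? 0 : (size_t)n;          /* BAD: may be >= dstsz */
}

/* Hardened: the return value is only compared against dstsz to detect
 * truncation; the count of bytes actually stored is clamped to dstsz - 1
 * (snprintf always writes a terminator when dstsz > 0). */
size_t stored_length_safe(char *dst, size_t dstsz, const char *src, int *truncated) {
    if (dstsz == 0) { *truncated = 1; return 0; }
    int n = snprintf(dst, dstsz, "%s", src);
    if (n < 0) { dst[0] = '\0'; *truncated = 1; return 0; }
    *truncated = (size_t)n >= dstsz;
    return *truncated ? dstsz - 1 : (size_t)n;
}

/* fgets, following the guide's advice: pass one less than the buffer size so
 * the terminator always has room, then strip the trailing newline if present. */
int read_line(char *buf, size_t bufsz, FILE *fp) {
    if (bufsz < 2) return 0;
    buf[bufsz - 1] = '\0';
    if (fgets(buf, (int)(bufsz - 1), fp) == NULL) return 0;
    buf[strcspn(buf, "\n")] = '\0';
    return 1;
}
```

With an 8-byte buffer and a 10-character input, `stored_length_bad` reports 10, while `stored_length_safe` reports 7 and sets the truncation flag; only the latter is safe to use as an index.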
## Format String Attacks
Functions that take a format string; never pass untrusted data as the format argument:
- C Functions
  - printf
  - sscanf
  - syslog
  - vsyslog
- Carbon Functions
  - AEBuildDesc
  - vAEBuildDesc
  - AEBuildParameters
  - vAEBuildParameters
  - AEBuildAppleEvent
  - vAEBuildAppleEvent
- Core Foundation Functions
  - CFStringCreateWithFormat
  - CFStringCreateWithFormatAndArguments
  - CFStringAppendFormat
  - CFStringAppendFormatAndArguments
- Cocoa Functions
  - [NSString stringWithFormat:]
  - [NSString initWithFormat:]
  - and other NSString methods that take a format
  - [NSMutableString appendFormat:]
  - [NSAlert alertWithMessageText:defaultButton:alternateButton:otherButton:informativeTextWithFormat:]
  - [NSPredicate predicateWithFormat:]
  - [NSPredicate predicateWithFormat:arguments:]
  - [NSPredicate predicateWithFormat:argumentArray:]
  - [NSException raise:format:]
  - [NSException raise:format:arguments:]
  - NSRunAlertPanel and other Application Kit functions that create or return panels or sheets
Vulnerable Example (the received data is passed to syslog as the format string):

```c
/* receiving http packet */
int size = recv(fd, pktBuf, sizeof(pktBuf), 0);
if (size > 0) {                    /* recv returns -1 on error, so test for > 0 */
    syslog(LOG_INFO, "Received new HTTP request!");
    syslog(LOG_INFO, pktBuf);      /* BAD: attacker-controlled data used as the format string */
    /* syslog interprets format directives, so a packet such as
     * "AAAA%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%n" would be acted on */
}
```
Vulnerable Double-Formatted String (the inner `stringWithFormat:` produces a string containing the certificate identifier, and `informativeTextWithFormat:` then interprets that string a second time as a format):

```objc
alert = [NSAlert alertWithMessageText:@"Certificate Import Succeeded"
                        defaultButton:@"OK"
                      alternateButton:nil
                          otherButton:nil
            informativeTextWithFormat:[NSString stringWithFormat: /* BAD! BAD! BAD! */
                @"The imported certificate \"%@\" has been selected in the certificate pop-up.",
                [selectedCert identifier]]];
[alert setAlertStyle:NSInformationalAlertStyle];
[alert runModal];
```
Fixed Double-Formatted String (the format is a constant and the identifier is passed as its `%@` argument):

```objc
alert = [NSAlert alertWithMessageText:@"Certificate Import Succeeded"
                        defaultButton:@"OK"
                      alternateButton:nil
                          otherButton:nil
            informativeTextWithFormat:@"The imported certificate \"%@\" has been selected in the certificate pop-up.",
                                      [selectedCert identifier]];
```
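The C-side fix for the syslog example above, as an added example that is not from the guide: the untrusted data becomes a `%s` argument to a constant format, and a small triage helper counts how many directives an input carries (the kind of check a log-review or fuzzing harness can run over captured packets). Function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hardened logging helper: the untrusted data is always an argument to a
 * fixed format string, never the format string itself. Returns the length
 * of the line written into out. */
size_t log_line_safe(char *out, size_t outsz, const char *untrusted) {
    if (outsz == 0) return 0;
    snprintf(out, outsz, "Received new HTTP request: %s", untrusted);
    return strlen(out);
}

/* Triage helper: count the conversion directives an input carries, i.e. how
 * many the printf family would interpret if the input were (wrongly) used as
 * a format string. "%%" is a literal percent sign and is not counted. */
int count_format_directives(const char *s) {
    int count = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        if (p[1] == '\0') break;
        count++;
    }
    return count;
}
```

Both gcc and clang flag the vulnerable call `syslog(LOG_INFO, pktBuf)` when built with `-Wformat -Wformat-security`; treating that warning as an error in CI catches this class of bug before review.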
## Conversion from UTF-8
In some languages, converting a UTF-8 string between upper and lower case changes its length. The Python session below lists the code points whose upper-case form has a different length:
```python
>>> for i in range(1_114_112):
...     s = chr(i)
...     if len(s) != len(s.upper()): print(i, s, s.upper())
...
223 ß SS
329 ʼn ʼN
496 ǰ J̌
912 ΐ Ϊ́
944 ΰ Ϋ́
1415 և ԵՒ
7830 ẖ H̱
...
8188 ῼ ΩΙ
64256 ff FF
64257 fi FI
...
64279 ﬗ ՄԽ
```
## Integer Overflows and Underflows
The first example below is bad because most compilers will optimize that check away.
Vulnerable Example:

```c
size_t bytes = n * m;
if (bytes < n || bytes < m) { /* BAD BAD BAD */
    ... /* allocate "bytes" space */
}
```
Good Example:

```c
#include <stdint.h>   /* SIZE_MAX */

size_t bytes = n * m;
if (n > 0 && m > 0 && SIZE_MAX / n >= m) {   /* the product fits in a size_t */
    ... /* allocate "bytes" space */
}
```
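The good example above packaged as a reusable checked-multiply and allocation helper, as an added example that is not from the guide. It also shows why the `bytes < n || bytes < m` test is insufficient even without the optimizer's help: a wrapped product can be larger than both operands. Function names are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Stores n * m in *out and returns true only if the product fits in size_t. */
bool size_mul_checked(size_t n, size_t m, size_t *out) {
    if (n == 0 || m == 0) { *out = 0; return true; }
    if (SIZE_MAX / n < m) return false;      /* the product would wrap */
    *out = n * m;
    return true;
}

/* Allocate n elements of m bytes each; NULL on overflow or allocation failure. */
void *alloc_elements(size_t n, size_t m) {
    size_t bytes;
    if (!size_mul_checked(n, m, &bytes)) return NULL;
    return malloc(bytes ? bytes : 1);
}

/* Shows that the "bytes < n || bytes < m" test is insufficient regardless of
 * the optimizer: returns true when the wrapped product still passes it. */
bool wrapped_product_passes_bad_check(size_t n, size_t m) {
    size_t bytes = n * m;                    /* unsigned wraparound is silent */
    return !(bytes < n || bytes < m);
}
```

With n = m = 2^(bits/2) + 1 the true product is 2^bits + 2^(bits/2 + 1) + 1, which wraps to a value larger than both n and m, so the bad check passes while `size_mul_checked` correctly rejects it.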
## Buffer Underflows
## Modifications to Archived Data
In Objective-C, serialization (archiving) is common, and unarchived data can instantiate classes the receiver does not expect.
## Interprocess Communication
Verify Mach messages before acting on them.
## Time of Check, Time of Use
The time difference between the check of an item's validity and the use of that item.
## Temp Files
If a temp file is written to a publicly accessible directory, an attacker can modify its contents before they are used.
- NSTemporaryDirectory

```objc
int fd = mkstemp(tmpfile);   // tmpfile is a writable template ending in "XXXXXX"; -1 indicates an error
if (fd == -1) { /* handle the error */ }
NSFileHandle *myhandle = [[NSFileHandle alloc] initWithFileDescriptor:fd];
```
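A complete C version of the pattern above, as an added example that is not from the guide: `mkstemp` creates and opens the file atomically, so nobody can pre-create or swap the name between check and use, and the descriptor is then verified rather than the path. The directory argument, function names and the `example.XXXXXX` template are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <stdbool.h>

/* Create a private temporary file under dir. mkstemp() creates and opens the
 * file atomically (O_CREAT|O_EXCL), unlike tmpnam()/mktemp() followed by a
 * separate open(). The chosen path is written to out_path; returns the
 * descriptor or -1. */
int create_private_tempfile(const char *dir, char *out_path, size_t out_len) {
    int n = snprintf(out_path, out_len, "%s/example.XXXXXX", dir);
    if (n < 0 || (size_t)n >= out_len) return -1;     /* template did not fit */
    int fd = mkstemp(out_path);
    if (fd == -1) return -1;
    /* mkstemp uses mode 0600 on current systems; make that explicit */
    if (fchmod(fd, S_IRUSR | S_IWUSR) == -1) {
        close(fd);
        unlink(out_path);
        return -1;
    }
    return fd;
}

/* Verify through the descriptor that what we hold is a regular file owned by
 * the effective user with no group/other permission bits. */
bool tempfile_is_private(int fd) {
    struct stat st;
    if (fstat(fd, &st) == -1) return false;
    return S_ISREG(st.st_mode) && st.st_uid == geteuid()
        && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}
```

On macOS the directory would come from `NSTemporaryDirectory()` (converted with `fileSystemRepresentation`), which is per-user and not world-writable, rather than a shared location such as `/tmp`.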
## Privilege Elevation
- setuid
- setreuid, seteuid, setgid, setregid, setegid

Avoid forking a privileged process.
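A permanent privilege drop using the calls listed above, as an added example that is not from the guide. It shows the order that matters (groups and gid before uid, since the gid change needs privilege) and verifies afterwards that the drop actually took effect. The function name is an assumption.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* for setgroups() on glibc */
#endif
#include <unistd.h>
#include <sys/types.h>
#include <grp.h>

/* Permanently drop privileges to (uid, gid). Order matters: supplementary
 * groups and the gid are reset first, because once the uid is unprivileged
 * setgid() would fail. setuid()/setgid() change real, effective and saved
 * ids together, so the drop cannot be undone. Returns 0 on success, -1 on
 * any failure, including a drop that did not take effect. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(1, &gid) == -1) return -1;
    if (setgid(gid) == -1) return -1;
    if (setuid(uid) == -1) return -1;

    /* Verify: every id must now match, and re-acquiring root must fail. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) != -1) return -1;
    return 0;
}
```

Do the drop before any fork of the privileged process, and treat a non-zero return as fatal: a process that believes it has dropped privileges but has not is worse than one that exits.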