bingghost / google-security-research

Automatically exported from code.google.com/p/google-security-research

OS X coreaudiod calls uninitialized function pointer #487

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Reporting on behalf of Mark Brand:

/usr/sbin/coreaudiod vends the com.apple.audio.coreaudiod service. As well as 
the MiG services implemented in the subsystem at off_1000DCDA0 this service 
also listens for a handful of other msgh_id's via the CFRunLoopSourceCreate 
call in sub_10007693E. This initializes a CFRunLoopSourceContext1 struct 
setting the perform callback to sub_100076ABA and mallocing a 0x28 byte buffer 
for the info struct to be passed as the fourth argument to the perform 
callback. sub_10007693E doesn't initialize all the fields of this structure, 
and if we send a mach message with msgh_id = 0x46 then the perform handler will 
call the uninitialized function pointer at offset 0x10 in this structure.

I am able to reproduce the crash without MallocPreScribble enabled, but that 
would obviously make the crash even clearer.

com.apple.audio.coreaudiod is reachable from various sandboxes including the 
Safari renderer. coreaudiod is sandboxed and runs as its own user; nevertheless, 
it has access to various other interesting attack surfaces which Safari 
doesn't, allowing this bug to potentially form part of a full sandbox escape 
chain.

PoC tested on OS X 10.10.4 14E46.

Original issue reported on code.google.com by ianb...@google.com on 28 Jul 2015 at 12:48
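The pattern the report describes (a malloc'd 0x28-byte info struct whose function pointer at offset 0x10 is never set, then called by the perform handler when msgh_id 0x46 arrives), reduced to a stand-alone C illustration. This is an added example, not Mark Brand's PoC and not Apple's code: the struct layout and every field name are assumptions, and only the size, the callback offset and the message id come from the report. It places the vulnerable allocation beside the hardened one (calloc plus explicit initialization of every field), emulates MallocPreScribble's fill so the unset slot is visible instead of holding stale heap bytes, and shows a handler that checks the slot before dispatching.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical "info" context handed to a run-loop source's perform callback.
 * Only the 0x28-byte size and the function pointer at offset 0x10 are taken
 * from the report; the field names are assumptions made for illustration. */
typedef struct {
    uint64_t tag;                 /* 0x00 */
    uint64_t flags;               /* 0x08 */
    void (*on_message)(void *);   /* 0x10: the field the report says is never set */
    void *owner;                  /* 0x18 */
    uint64_t reserved;            /* 0x20 */
} info_ctx;

_Static_assert(sizeof(info_ctx) == 0x28, "context must be 0x28 bytes");
_Static_assert(offsetof(info_ctx, on_message) == 0x10, "callback must sit at 0x10");

/* Fill byte MallocPreScribble writes into fresh allocations; used here so the
 * unset field holds a recognisable value instead of whatever was on the heap. */
#define SCRIBBLE 0xAA

/* Vulnerable pattern: malloc plus field-by-field init that skips the callback. */
info_ctx *ctx_alloc_partial(void) {
    info_ctx *ctx = malloc(sizeof *ctx);
    if (ctx == NULL) return NULL;
    memset(ctx, SCRIBBLE, sizeof *ctx);   /* emulate MallocPreScribble */
    ctx->tag = 1;
    ctx->flags = 0;
    ctx->owner = NULL;
    ctx->reserved = 0;
    /* ctx->on_message is deliberately left unset: this is the bug class */
    return ctx;
}

/* Hardened pattern: zero the whole allocation and set every field explicitly,
 * so a forgotten field reads as NULL rather than as stale heap contents. */
info_ctx *ctx_alloc_full(void (*cb)(void *), void *owner) {
    info_ctx *ctx = calloc(1, sizeof *ctx);
    if (ctx == NULL) return NULL;
    ctx->tag = 1;
    ctx->on_message = cb;
    ctx->owner = owner;
    return ctx;
}

/* Triage check: does the callback slot still hold NULL or the scribble fill?
 * Returns 1 if it looks initialized, 0 otherwise. */
int ctx_callback_initialized(const info_ctx *ctx) {
    unsigned char scribble[sizeof ctx->on_message];
    memset(scribble, SCRIBBLE, sizeof scribble);
    if (ctx->on_message == NULL) return 0;
    if (memcmp(&ctx->on_message, scribble, sizeof scribble) == 0) return 0;
    return 1;
}

/* Perform handler shaped like the one described: dispatch on msgh_id and call
 * the context's callback. This hardened version refuses an unset pointer.
 * Returns 1 if the callback ran, 0 if refused, -1 for an unknown id. */
int perform_safe(uint32_t msgh_id, info_ctx *ctx) {
    switch (msgh_id) {
    case 0x46:   /* the id the report says reaches the callback */
        if (!ctx_callback_initialized(ctx)) return 0;
        ctx->on_message(ctx->owner);
        return 1;
    default:
        return -1;
    }
}

static int g_callback_runs;
static void demo_callback(void *owner) { (void)owner; g_callback_runs++; }

/* Walks both allocation paths; returns 0 when every expectation holds,
 * otherwise a bitmask naming the failed checks. */
int run_demo(void) {
    int rc = 0;
    g_callback_runs = 0;
    info_ctx *bad = ctx_alloc_partial();
    info_ctx *good = ctx_alloc_full(demo_callback, NULL);
    if (bad == NULL || good == NULL) { free(bad); free(good); return -1; }

    if (ctx_callback_initialized(bad)) rc |= 1;      /* partial ctx must be flagged */
    if (perform_safe(0x46, bad) != 0) rc |= 2;       /* handler must refuse it */
    if (!ctx_callback_initialized(good)) rc |= 4;    /* full ctx passes the check */
    if (perform_safe(0x46, good) != 1) rc |= 8;      /* callback runs */
    if (g_callback_runs != 1) rc |= 16;              /* exactly once */
    if (perform_safe(0x47, good) != -1) rc |= 32;    /* unknown id is rejected */

    printf("partial ctx callback slot initialized: %d\n", ctx_callback_initialized(bad));
    free(bad);
    free(good);
    return rc;
}

int main(void) {
    int rc = run_demo();
    printf("run_demo -> %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The NULL check in the handler is a backstop, not the fix; the fix is initializing every field of the context, which calloc plus explicit assignment makes the default rather than something each call site has to remember. Emulating MallocPreScribble the way the block does is why the report mentions that option: with a known fill, a call through an unset slot fails at a recognisable value instead of depending on what the previous occupant of that heap chunk left behind.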


GoogleCodeExporter commented 8 years ago

Original comment by ianb...@google.com on 28 Jul 2015 at 12:51

GoogleCodeExporter commented 8 years ago
Apple advisory: https://support.apple.com/en-us/HT205375

Original comment by ianb...@google.com on 22 Oct 2015 at 11:58

GoogleCodeExporter commented 8 years ago

Original comment by ianb...@google.com on 22 Oct 2015 at 12:03

GoogleCodeExporter commented 8 years ago

Original comment by ianb...@google.com on 27 Jan 2016 at 5:11