The Journey of a complete OSX privilege escalation with a single vulnerability - Part 1

In previous blog posts Liang talked about the userspace privilege escalation vulnerability we found in WindowServer. Now in following articles I will talk about the Blitzard kernel bug we used in this year’s pwn2own to escape the Safari renderer sandbox, existing in the blit operation of graphics pipeline. From a exploiter’s prospective we took advantage of an vector out-of-bound access which under carefully prepared memory situations will lead to write-anywhere-but-value-restricted to achieve both infoleak and RIP control. In this article we will introduce the exploitation methods we played with mainly in kalloc.48 and kalloc.4096.

First we will first introduce the very function which the overflow occurs, what we can control and how these affect our following exploitation.

The IGVector add function

char __fastcall IGVector<rect_pair_t>::add(IGVector *this, rect_pair_t *a2)
{
v3 =;
if ( this->currentSize != this->capacity )
goto LABEL_4;
LOBYTE(v4) = IGVector<rect_pair_t>::grow(this, 2 * v3);
if ( v4 )

LABEL_4:
this->currentSize += 1;
v5 =;
*(this->storage + 32 * this->currentSize + 24) = a2->field_18; //rect2.len height
*(this->storage + 32 * this->currentSize + 16) = a2->field_10; //rect2.y x

[...]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from Keen Security Lab Blog