Safari in Operator Side Effect Exploit

Description

This module exploits an incorrect side-effect modeling of the 'in' operator. The DFG compiler assumes that the 'in' operator is side-effect free, however the element with the PDF plugin provides a callback that can trigger side-effects leading to type confusion (CVE-2020-9850). The type confusion can be used as addrof and fakeobj primitives that then lead to arbitrary read/write of memory. These primitives allow us to write shellcode into a JIT region (RWX memory) containing the next stage of the exploit. The next stage uses CVE-2020-9856 to exploit a heap overflow in CVM Server, and extracts a macOS application containing our payload into /var/db/CVMS. The payload can then be opened with CVE-2020-9801, executing the payload as a user but without sandbox restrictions.

Author(s)

• Yonghwi Jin <jinmoteam@gmail.com>
• Jungwon Lim <setuid0@protonmail.com>
• Insu Yun <insu@gatech.edu>
• Taesoo Kim <taesoo@gatech.edu>
• timwr