Macos windowserver process
5/17/2023

From my last blog post, "WindowServer: The privilege chameleon on macOS (Part 1)", we discussed some basic concepts, the history and architecture of WindowServer, and the details of CVE-2016-1804, a use-after-free (or, equivalently, double-free) bug with a very small time window. Several obstacles remain before we can write exploit code for this bug; let's resolve them one by one.

Since the free and the use reside in a single MIG call, there is no opportunity to place controlled data into the freed chunk between the two frees. Moreover, all CoreGraphics server APIs run in a single-threaded server loop, so we cannot use other CoreGraphics APIs to control the content of the freed memory. The only remaining option is to leverage QuartzCore APIs, which run on another thread.

QuartzCore is also known as CoreAnimation. Compared with CoreGraphics, the QuartzCore framework provides more complex graphics operations, such as animation when multiple layers are involved. Unlike CoreGraphics, however, the QuartzCore service is not explicitly defined in the application's sandbox. Does that mean we cannot open the port of the QuartzCore service? Taking the traditional approach, we cannot: the sandbox blocks it. But let's review the last blog post; did we miss some key part?