{"id":794,"date":"2025-04-21T01:34:54","date_gmt":"2025-04-21T01:34:54","guid":{"rendered":"http:\/\/localhost\/?p=794"},"modified":"2025-04-21T01:34:54","modified_gmt":"2025-04-21T01:34:54","slug":"exploit-for-out-of-bounds-write-in-apple-macos","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=794","title":{"rendered":"Exploit for Out-of-bounds Write in Apple Macos"},"content":{"rendered":"
\n

Vulnerability Details<\/h2>\n
\n

Basic Information<\/h3>\n\n\n\n\n\n\n
Title<\/th>\nExploit for Out-of-bounds Write in Apple Macos<\/td>\n<\/tr>\n
Type<\/th>\ngithubexploit<\/td>\n<\/tr>\n
Published<\/th>\n2025-04-21T05:38:06<\/td>\n<\/tr>\n
Last Seen<\/th>\n2025-04-21T06:03:58<\/td>\n<\/tr>\n
CVSS Score<\/th>\n7.5 (HIGH)<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVSS v3 Details<\/h3>\n\n\n\n\n\n\n\n\n\n
Attack Vector<\/th>\nNETWORK<\/td>\n<\/tr>\n
Attack Complexity<\/th>\nHIGH<\/td>\n<\/tr>\n
Privileges Required<\/th>\nNONE<\/td>\n<\/tr>\n
User Interaction<\/th>\nREQUIRED<\/td>\n<\/tr>\n
Scope<\/th>\nUNCHANGED<\/td>\n<\/tr>\n
Confidentiality Impact<\/th>\nHIGH<\/td>\n<\/tr>\n
Integrity Impact<\/th>\nHIGH<\/td>\n<\/tr>\n
Availability Impact<\/th>\nHIGH<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVE Information<\/h3>\n\n\n\n\n
CVE IDs<\/th>\nCVE-2025-31200<\/td>\n<\/tr>\n
CWE<\/th>\n<\/td>\n<\/tr>\n
Bulletin Family<\/th>\nexploit<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

Description<\/h3>\n
\n Trying to understand the CoreAudio patch (CVE-2025-31200) in [iOS 18.4.1](https:\/\/support.apple.com\/en-us\/122282).<\/p>\n

I haven’t figure it out yet.<\/p>\n

Currently, I get different error messages when decoding `output.mp4` on macOS 15.4.1:<\/p>\n

“`
\nerror\t01:10:26.743480-0400\tgetaudiolength\t:548 Invalid mRemappingArray bitstream in hoa::CodecConfig::Deserialize()
\nerror\t01:10:26.743499-0400\tgetaudiolength\t:860 Error in deserializing ASC components
\n“`<\/p>\n

vs Xcode Simulator for visionOS 2.2:<\/p>\n

“`
\nerror\t01:09:21.841805-0400\tVisionOSEvaluation\t APACProfile.cpp:424 ERROR: Wrong profile index in GlobalConfig
\nerror\t01:09:21.841914-0400\tVisionOSEvaluation\t APACGlobalConfig.cpp:894 Profile and level data could not be validated
\n“`<\/p>\n

so I am hitting the new check, but I don’t know how to get it to actually overwrite something.<\/p>\n

## info on the changed function<\/p>\n

The changed function [seems](https:\/\/github.com\/blacktop\/ipsw-diffs\/blob\/main\/18_4_22E240__vs_18_4_1_22E252\/README.md) to be `apac::hoa::CodecConfig::Deserialize` in `\/System\/Library\/Frameworks\/AudioToolbox.framework\/AudioCodecs`.<\/p>\n

APAC is [Apple Positional Audio Codec](https:\/\/support.apple.com\/en-by\/guide\/immersive-video-utility\/dev4579429f0\/web#:~:text=Apple%20Positional%20Audio%20Codec)<\/p>\n

HOA is [Higher-order Ambisonics](https:\/\/en.wikipedia.org\/wiki\/Ambisonics#Higher-order_Ambisonics).<\/p>\n

If you look at a ([sample file from ffmpeg issue tracker](https:\/\/trac.ffmpeg.org\/ticket\/11480):<\/p>\n

“`
\n$ avmediainfo ~\/Downloads\/clap.MOV
\nAsset: \/Users\/zhuowei\/Downloads\/clap.MOV
\n<...>
\nTrack 3: Sound ‘soun’
\n\tEnabled: No
\n\tFormat Description 1:
\n\t\tFormat: APAC ‘apac’
\n\t\tChannel Layout: High-Order Ambisonics, ACN\/SN3D
\n\t\tSample rate: 48000.0
\n\t\tBytes per packet: 0
\n\t\tFrames per packet: 1024
\n\t\tBytes per frame: 0
\n\t\tChannels per frame: 4
\n\t\tBits per channel: 0
\n\tSystem support for decoding this track: Yes
\n\tData size: 43577 bytes
\n\tMedia time scale: 48000
\n\tDuration: 0.898 seconds
\n\tEstimated data rate: 363.142 kbit\/s
\n\tExtended language tag: und
\n\t1 segment present
\n\tIndex Media Start Media Duration Track Start Track Duration
\n\t 1 00:00:00.000 00:00:00.898 00:00:00.000 00:00:00.898
\n\tMember of alternate group 0: (2, 3)
\n“`<\/p>\n

You can convert to APAC with `afconvert -o sound440.m4a -d apac -f mp4f sound440hz.wav`.<\/p>\n

Using `bindiff` on iOS 18.4.1 vs 18.4, it seems reading the `mRemappingArray` now checks the global `AudioChannelLayout*` at offset 0x58 for the number of channels instead of the remapping `AudioChannelLayout*` at offset 0x78.<\/p>\n

The `encodeme.mm` file encodes APAC, and an LLDB script forces extra elements into `mRemappingArray` and the remapping `AudioChannelLayout`:<\/p>\n

“`
\n.\/build_encodeme.sh
\n.\/run_encodeme.sh
\n“`<\/p><\/div>\n<\/p><\/div>\n

\n

Impact Assessment<\/h3>\n\n\n\n
Base Score<\/th>\n7.5<\/td>\n<\/tr>\n
Severity<\/th>\nHIGH<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

View full CVE details<\/a><\/p>\n<\/p><\/div>\n<\/div>\n