CVE-2017–2499: webinspectord UCE

webinspectord is the service in charge of all operations related to the use of the ‘Web Inspector’ on iOS. It runs an XPC service known as com.apple.webinspector.

Note: All of the info I mention below is from webinspectord on iOS 10.2 IPSW. From what I’ve seen, 10.3+ has moved most of the stuff in this service to WebInspector.framework.

I originally found this vulnerability as a DoS. Here’s what I found:

Messages sent are usually created with _CFXPCCreateXPCMessageWithCFObject and when received, are decoded with _CFXPCCreateCFObjectFromXPCMessage. The issue within webinspectord is that it presumes that some keys will have a value of a certain type, such as messageName being a string. Because of this, webinspectord calls functions that are valid on a NSString object, such as isEqualToString:. If we send an integer for the key messageName, the service doesn’t handle the value, and therefore crashes.

If webinspectord crashes, Web Inspector cannot be used until the device is reconnected.

I then stumbled across this when following the code:

When I said above how messages are decoded, they are decoded within a function called [WebInspectorXPCWrapper _deserializeMessage:]. Just before the function exited, a new ClientXPCConnection is created. This would lead to [ClientConnection _dispatchMessage:] to be called. This function would get a __selector and __argument key from the XPC dictionary, and call a function based on the __selector, as long as it began with _rpc_. There wasn’t much you could do from this apart from calling some functions you shouldn’t really be able to call.

This issue was patched by removing the object creation at the end of _deserializeMessage function. According to the disassembly, Apple doesn’t seem to have patched the original DoS. But it’s probably useless :D

Disclosure Timeline:
-
January 17, 2017: Reported vulnerability to vendor
- January 18, 2017: Vendor acknowledged vulnerability
- January 24, 2017: Vendor reports that a fix is in process
- May 4, 2017: Vendor reports that a fix has been made
- May 16, 2017: Public Disclosure

Like what you read? Give George Dan a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.