The feature under test is IOSurfaceAcceleratorClient::user_get_histogram. The reason to go after this function was that the AppleM2ScalerCSCDriver IOService is one of the few user clients that can be called from within the app sandbox.
When it is created, the histogramBuffer is allocated but never initialized. Additionally, IOMalloc does not zero out the previous data. After making a call to this function (without directly setting the values), a bunch of garbage was displayed, which is a good sign of uninitialized memory leakage.
In order to exploit this, the wanted memory (addresses) needs to be on the heap. Although this could be leveraged in multiple ways (KASLR bypass or Mach Port finding), all that matters is doing some grooming to put the proper data at this location (to leak).
For a POC, the author leaked a Mach Port by sending OOL port arrays (importantly, the same size as the histogram object) and then freeing them. Now, use the histogram feature and the leak is there! :)
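
The bug class and its fix, as an added user-space model that is not code from the original write-up or from the driver: a toy allocator that reuses freed chunks without clearing them stands in for the IOMalloc behaviour described above, and the chunk size, function names and fill byte are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK 64    /* constructed size; the real histogram size is not given */
#define NCHUNKS 4

/* Toy fixed-size allocator: like the IOMalloc behaviour described above,
   it hands back freed chunks without clearing their old contents. */
static uint8_t pool[NCHUNKS][CHUNK];
static int in_use[NCHUNKS];

static void *toy_alloc(void) {
    for (int i = 0; i < NCHUNKS; i++)
        if (!in_use[i]) { in_use[i] = 1; return pool[i]; }
    return NULL;
}

static void toy_free(void *p) {
    for (int i = 0; i < NCHUNKS; i++)
        if (p == (void *)pool[i]) in_use[i] = 0;
}

/* Model of the histogram call: zero_first = 0 is the vulnerable pattern
   (allocate, never initialize, copy out); zero_first = 1 is the hardened one. */
static int get_histogram(uint8_t *out, int zero_first) {
    uint8_t *hist = toy_alloc();
    if (!hist) return -1;
    if (zero_first) memset(hist, 0, CHUNK);   /* the fix: clear before any read */
    memcpy(out, hist, CHUNK);                 /* buffer is returned to the caller */
    toy_free(hist);
    return 0;
}

/* Counts stale bytes returned after a same-size chunk holding constructed
   "sensitive" data has been freed and its slot reused for the histogram. */
static int leaked_bytes(int zero_first) {
    uint8_t out[CHUNK];
    int n = 0;
    memset(pool, 0, sizeof pool); memset(in_use, 0, sizeof in_use);
    uint8_t *prev = toy_alloc();
    memset(prev, 0xA5, CHUNK);                /* constructed stand-in for pointer data */
    toy_free(prev);
    if (get_histogram(out, zero_first) != 0) return -1;
    for (int i = 0; i < CHUNK; i++) n += (out[i] != 0);
    return n;
}

int main(void) {
    printf("uninitialized: %d stale bytes, zeroed: %d stale bytes\n",
           leaked_bytes(0), leaked_bytes(1));
    return 0;
}
```

Zeroing at allocation time (or using a zeroing allocator variant) closes the leak regardless of what previously occupied the chunk.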