While fuzzing Android's installd daemon, I accidentally ran cat on a fuzzer-generated APK, and OS X Mavericks' Terminal.app crashed. The crash report is shown below.
So I decided to investigate further.
Register Dump
Stack Trace
Disassembly
This appears to be a possible out-of-bounds read/write in memmove().
The memmove source code is available here: http://www.opensource.apple.com/source/ntp/ntp-13/ntp/libntp/memmove.c
memmove() takes three parameters: the destination, the source and the size. I suspect the crash happens during the backward copy path (copying from the end of the buffers toward the start), resulting in an underflow read, i.e. a read below the start of the buffer. In the real world this is difficult to exploit due to the limited buffer space.
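As an added illustration (this is not code from the post or from Apple's sources), here is a reduced reimplementation of the forward/backward copy logic memmove uses, together with a bounds-checked wrapper that refuses a move whose source or destination range would fall outside the owning buffer; all names are hypothetical and the sample data is constructed.

```c
#include <stddef.h>
#include <string.h>

/* Reduced memmove: copy forward when dst lies below src, otherwise copy
   backward starting from the end so overlapping regions are preserved.
   The backward loop is the path that reads toward lower addresses. */
static void *my_memmove(void *dst, const void *src, size_t n)
{
    unsigned char *d = dst;
    const unsigned char *s = src;
    if (d == s || n == 0) return dst;
    if (d < s) {                    /* forward copy */
        while (n--) *d++ = *s++;
    } else {                        /* backward copy: walk from the end */
        d += n; s += n;
        while (n--) *--d = *--s;
    }
    return dst;
}

/* Bounds-checked wrapper: both ranges must lie inside [base, base+cap).
   Returns 0 on success, -1 if the move would read or write outside the
   buffer. Offsets are compared against remaining capacity so the checks
   themselves cannot overflow. */
int checked_memmove(unsigned char *base, size_t cap,
                    size_t dst_off, size_t src_off, size_t n)
{
    if (dst_off > cap || src_off > cap) return -1;
    if (n > cap - dst_off || n > cap - src_off) return -1;
    my_memmove(base + dst_off, base + src_off, n);
    return 0;
}

/* Overlapping shift inside a constructed buffer (exercises the backward
   path). Returns 0 when the result is the expected "ABABCDE". */
int demo_shift(void)
{
    unsigned char buf[8] = "ABCDEFG";
    if (checked_memmove(buf, sizeof buf, 2, 0, 5) != 0) return -1;
    return memcmp(buf, "ABABCDE", 7) == 0 ? 0 : -2;
}

/* The same request with a size that runs past the buffer end is refused
   (returns -1) instead of touching memory outside the buffer. */
int demo_reject(void)
{
    unsigned char buf[8] = {0};
    return checked_memmove(buf, sizeof buf, 2, 0, 7); /* 2 + 7 > 8 */
}
```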
Crash PoC: Download
To trigger the crash, open Terminal on OS X Mavericks and run cat on the PoC file.
The issue was reported to Apple Product Security on 28th June 2015; after a lot of follow-up from both sides, they concluded that they will not fix it because the crash is not reproducible on OS X Yosemite. I would like to thank my friend Dhanesh Kizhakkinan for helping me with the crash analysis.