A detailed technical walkthrough of exploiting CVE-2024-54529, a type confusion vulnerability in macOS's coreaudiod daemon. The exploit chain involves heap spraying with property lists, leveraging uninitialized memory in ngne objects, process crashes and restarts to reuse freed memory, and building a ROP chain to achieve
Table of contents
The Vulnerability: A Quick Recap
Understanding the Objective
Initial Exploitation Attempts and the CFString Hurdle
Tools of the Trade
Forcing Out-of-Bounds Reads on the Heap
A Glimmer of Hope: Uninitialized Memory in the ngne Object
A New Exploitation Strategy
Heap Feng Shui with Property Lists
Freeing the Data
Reusing the Freed Data in an ngne Object
Loading Into Memory on Startup
Updated Exploitation Strategy
Validating the Approach
Building the ROP Chain
Demo
Conclusion