Google Project Zero researcher Jann Horn has disclosed a novel vulnerability in Apple’s macOS and iOS systems that could potentially allow attackers to bypass Address Space Layout Randomization (ASLR) protections through pointer leaks in serialization processes.
Vulnerability Overview
The technique uses pointer-keyed data structures reachable through Apple’s NSKeyedArchiver serialization framework to leak memory addresses, without requiring a memory safety violation or a timing side channel.
The attack works when an application deserializes attacker-provided data, re-serializes the resulting objects, and returns the serialized data to the attacker.
The researcher discovered this issue during internal Project Zero team discussions about remote ASLR leaks that would be necessary for exploiting certain memory corruption bugs on Apple devices.
While no specific real-world attack surface was identified on macOS or iOS, Horn successfully demonstrated the technique using NSKeyedArchiver serialization in an artificial test case.
Technical Details
The attack exploits several key components of Apple’s Core Foundation framework:
NSNull Singleton Exploitation: The technique leverages the CFNull singleton instance stored in the shared cache; when no custom hash handler is provided, that object’s hash code is its pointer address.
NSDictionary Hash Table Manipulation: Attackers can manipulate NSDictionary hash tables by inserting carefully chosen NSNumber keys that map to specific hash buckets, creating predictable patterns in the data structure.
Serialization Order Analysis: By analyzing the order of keys in re-serialized NSDictionary objects, attackers can determine hash bucket locations and extract information about memory addresses.
The technique involves sending approximately 50KB of specially crafted serialized data containing multiple NSDictionary instances with specific patterns of NSNumber and NSNull keys.
When the target application deserializes and re-serializes this data, the ordering of elements in the output reveals information about the NSNull singleton’s memory address.
While this vulnerability represents a theoretical attack with no demonstrated real-world impact, it showcases how pointer-based hashing in keyed data structures can lead to address leaks under specific conditions.
The technique could potentially be combined with other exploits to defeat ASLR protections, making memory corruption attacks more reliable.
The research builds upon previous work in hash collision attacks and demonstrates novel approaches to information disclosure through serialization mechanisms.
Apple addressed this vulnerability in its March 31, 2025 security releases. The most robust mitigation is to avoid using object addresses as lookup keys, or to use a keyed hash function, which reduces any remaining address leak to a pointer-equality oracle (an attacker can at most learn whether two pointers are equal, not what their values are).
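As an added illustration of both the mechanism described under Technical Details and the keyed-hash mitigation above, the following Python toy model is constructed for this article; it is not code from the article, from Apple, or from the researcher’s test case. It assumes a fixed 64-bucket open-addressing table with linear probing that is re-serialized in bucket order, that small integer keys hash to their own value, that a singleton object hashes to its address under the unkeyed scheme, and it uses BLAKE2b with a per-process secret as the keyed hash. All addresses and secrets are constructed values.

```python
"""Toy model, constructed for this article: an address leak through the
iteration order of a pointer-keyed hash table, and the keyed-hash mitigation.
Not Apple's code; table size, hash rules, addresses and secrets are assumed."""
import hashlib

NBUCKETS = 64  # assumed power-of-two bucket count for the toy table (6 low bits)


class Singleton:
    """Stands in for a process-wide object (like the CFNull singleton) whose
    default hash code is its own address."""

    def __init__(self, addr):
        self.addr = addr


def identity_hash(key):
    """Unkeyed hashing: small integers hash to their own value (assumption,
    standing in for NSNumber keys) and objects hash to their address."""
    return key.addr if isinstance(key, Singleton) else key


def make_keyed_hash(secret):
    """Mitigation: pass the unkeyed hash through a keyed PRF (BLAKE2b here) with
    a per-process secret, so a bucket index no longer reveals address bits."""
    def keyed(key):
        raw = identity_hash(key).to_bytes(8, "little")
        digest = hashlib.blake2b(raw, key=secret, digest_size=8).digest()
        return int.from_bytes(digest, "little")
    return keyed


def reserialize_order(keys, hash_fn):
    """Insert keys into a fixed-size open-addressing table (linear probing) and
    return them in bucket order, the order a naive re-serializer would emit."""
    if len(keys) > NBUCKETS:
        raise ValueError("toy table does not grow")
    buckets = [None] * NBUCKETS
    for key in keys:
        i = hash_fn(key) % NBUCKETS
        while buckets[i] is not None:  # linear probing on collision
            i = (i + 1) % NBUCKETS
        buckets[i] = key
    return [k for k in buckets if k is not None]


def observed_position(hash_fn, addr):
    """What an observer of the re-serialized output sees: the index of the
    singleton when it is inserted first and the remaining buckets are then
    filled with the integers 0..NBUCKETS-2 (one dictionary of the shape the
    article describes)."""
    singleton = Singleton(addr)
    order = reserialize_order([singleton] + list(range(NBUCKETS - 1)), hash_fn)
    return order.index(singleton)


def leaked_low_bits(addr):
    """Unkeyed hashing: the singleton's index is exactly addr % NBUCKETS, so one
    response hands the observer the low log2(NBUCKETS) bits of the address."""
    return observed_position(identity_hash, addr)


def positions_across_processes(addr, trials=16):
    """Mitigation check: observe the same address under `trials` different
    per-process secrets. The position now depends on the secret, not on the
    address alone, so an observer without the secret learns no address bits."""
    positions = set()
    for i in range(trials):
        secret = hashlib.sha256(b"constructed-secret-%d" % i).digest()
        positions.add(observed_position(make_keyed_hash(secret), addr))
    return positions


def same_address_oracle(secret, addr_a, addr_b):
    """What the keyed hash still permits: within one process (one secret) an
    observer can tell whether two responses were built with the same singleton
    address, a pointer-equality oracle, but not what that address is."""
    hash_fn = make_keyed_hash(secret)
    return observed_position(hash_fn, addr_a) == observed_position(hash_fn, addr_b)


if __name__ == "__main__":
    addr = 0x1F3A8D4  # constructed address, not a real one
    print("unkeyed: low address bits visible in output =", leaked_low_bits(addr))
    print("keyed: positions over 16 processes =",
          sorted(positions_across_processes(addr)))
```

Under the unkeyed hash the singleton’s index in the output equals the address modulo the bucket count, which is the information the re-serialized ordering gives away; under the keyed hash the index is stable within one process but unrelated to the address from the observer’s point of view, which is why the residual risk is only an equality oracle.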
Project Zero reported this issue directly to Apple without filing it in their public bug tracker due to the lack of demonstrated real-world attack surfaces.
The disclosure highlights the importance of secure serialization practices and the potential security implications of pointer-based hashing mechanisms in system frameworks.