by Marek

Crashing Safari Notification Agent

While working on a new feature for a web application, I accidentally triggered a crash. But what confused me was that the second time I did it, nothing happened. And when I spotted my mistake and rectified it, still nothing happened. It took a while of trying various things before I finally spotted the crash popup hiding behind another window.

What I had managed to do was send a malformed push notification message, which had been delivered to my workstation, and had crashed the service handling the notification messages. My problem was that I had accidentally sent an integer 1 instead of the string "1" — and in so doing had triggered an uncaught exception.

Dear Apple Security Team,

It is possible for a malicious push notification to cause SafariNotificationAgent to exit due to an uncaught exception:

    Application Specific Information:
    *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '-[__NSCFNumber length]: unrecognized selector sent to instance 0x29a37'
    terminating with uncaught exception of type NSException
    abort() called

This causes a denial of service for web push notifications (until the user closes the CrashReporter, possibly longer).

It's a fairly simple trick to pull off:

- create the APN ZIP file, with a valid urlFormatString that accepts at least one parameter
- push a message with an integer in url-args, such as this piece of JSON:
- SafariNotificationAgent dies from not catching an exception
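As an added example (not code from the original post, from Apple or from Faelix), here is the kind of check a push sender or receiver would apply to aps.url-args before anything is formatted into a click URL: it rejects the integer-instead-of-string payload described above, and also a mismatch between the number of arguments and placeholders. It assumes Safari's %@ placeholder convention in urlFormatString; the domain and the sample payload bodies are constructed.

```python
import json
import re

# Safari's website.json marks each argument slot in urlFormatString with %@,
# filled left to right from aps.url-args (assumed from Apple's docs; this
# validator is an added example, not Apple's or Faelix's code).
PLACEHOLDER = re.compile(r"%@")


class InvalidPushPayload(ValueError):
    """The payload must not reach the URL formatter."""


def validate_url_args(payload: object, url_format_string: str) -> list[str]:
    """Reject url-args that are not all strings (the post's crash: an integer 1
    reached code expecting an NSString) or that do not match the placeholder count."""
    aps = payload.get("aps") if isinstance(payload, dict) else None
    if not isinstance(aps, dict):
        raise InvalidPushPayload("missing 'aps' object")
    args = aps.get("url-args", [])
    if not isinstance(args, list):
        raise InvalidPushPayload("'url-args' must be an array")
    bad = [(i, type(a).__name__) for i, a in enumerate(args) if not isinstance(a, str)]
    if bad:
        raise InvalidPushPayload(f"non-string url-args at {bad}")
    expected = len(PLACEHOLDER.findall(url_format_string))
    if len(args) != expected:
        raise InvalidPushPayload(f"expected {expected} url-args, got {len(args)}")
    return args


def build_click_url(payload: object, url_format_string: str) -> str:
    """Substitute validated url-args into urlFormatString, one per %@."""
    args = iter(validate_url_args(payload, url_format_string))
    return PLACEHOLDER.sub(lambda _match: next(args), url_format_string)


def check_payload(raw_json: str, url_format_string: str) -> tuple[bool, str]:
    """Return (accepted, click URL or reason); never lets an exception escape."""
    try:
        return True, build_click_url(json.loads(raw_json), url_format_string)
    except (InvalidPushPayload, json.JSONDecodeError) as exc:
        return False, str(exc)


# Constructed sample bodies in the shape the post describes; the domain is a placeholder.
URL_FORMAT = "https://example.invalid/orders/%@"
GOOD = '{"aps": {"alert": {"title": "Order", "body": "Shipped"}, "url-args": ["1"]}}'
BAD = '{"aps": {"alert": {"title": "Order", "body": "Shipped"}, "url-args": [1]}}'

if __name__ == "__main__":
    print(check_payload(GOOD, URL_FORMAT))  # accepted, formatted click URL
    print(check_payload(BAD, URL_FORMAT))   # rejected: non-string url-args
```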

It was a few weeks before the Apple product security team acknowledged the bug in reply to my email. Though this was a fairly low-risk vulnerability (remote denial of service, only possible by a previously trusted endpoint), I was pleasantly surprised with how seriously they treated the report. The email back from product security asked to whom the security advisory should be attributed.

That’s my story of how CVE-2014-4417 was discovered, and how Faelix ended up credited on Apple Notice HT203112.