23 January 2018
Crashing Safari Notification Agent
While working on a new feature for a web application, I accidentally triggered a crash. But what confused me was that the second time I did it, nothing happened. And when I spotted my mistake and rectified it, still nothing happened. It took a while of trying various things before I finally spotted the crash popup hiding behind another window.
What I had managed to do was send a malformed push notification message, which had been delivered to my workstation, and had crashed the service handling the notification messages. My problem was that I had accidentally sent an integer 1 instead of the string "1" — and in so doing had triggered an uncaught exception.
Dear Apple Security Team,
It is possible for a malicious push notification to cause SafariNotificationAgent to exit due to an uncaught exception:
Application Specific Information:
*** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '-[__NSCFNumber length]: unrecognized selector sent to instance 0x29a37'
terminating with uncaught exception of type NSException
This causes a denial of service for web push notifications (until the user closes the CrashReporter, possibly longer).
It's a fairly simple trick to pull off:
- create the APN ZIP file, with a valid urlFormatString that accepts at least one parameter
- push a message with an integer in url-args, such as this piece of JSON:
- SafariNotificationAgent dies from not catching an exception
It was a few weeks before the Apple product security team acknowledged the bug in reply to my email. Though this was a fairly low-risk vulnerability (remote denial of service, only possible by a previously trusted endpoint), I was pleasantly surprised with how seriously they treated the report. The email back from product security asked to whom the security advisory should be attributed.
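A sender-side check for the mistake described above, as an added example that is not part of the original post or of Apple's code: it rejects a Safari push payload whose url-args entries are not strings, or whose count does not match the %@ placeholders in urlFormatString. The function names, the sample urlFormatString and the sample payloads are constructed for illustration.

```python
import json

# Constructed sample values, not taken from the original post.
SAMPLE_FORMAT = "https://example.com/items/%@"
GOOD_PAYLOAD = '{"aps": {"alert": {"title": "New item", "body": "Item 1 was added"}, "url-args": ["1"]}}'
BAD_PAYLOAD = '{"aps": {"alert": {"title": "New item", "body": "Item 1 was added"}, "url-args": [1]}}'


def validate_payload(raw_json, url_format_string):
    """Return a list of problems; an empty list means the payload can be sent."""
    try:
        payload = json.loads(raw_json)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]

    aps = payload.get("aps") if isinstance(payload, dict) else None
    if not isinstance(aps, dict):
        return ["missing 'aps' dictionary"]

    errors = []
    alert = aps.get("alert")
    if not isinstance(alert, dict):
        errors.append("'alert' must be a dictionary")
    else:
        for key in ("title", "body"):
            if not isinstance(alert.get(key), str):
                errors.append(f"alert.{key} must be a string")

    url_args = aps.get("url-args")
    if not isinstance(url_args, list):
        errors.append("'url-args' must be an array")
        return errors

    # The type confusion from the post: a JSON number where a string is expected.
    for i, arg in enumerate(url_args):
        if not isinstance(arg, str):
            errors.append(f"url-args[{i}] is {type(arg).__name__}, expected string")

    # Each %@ placeholder in urlFormatString needs exactly one argument.
    expected = url_format_string.count("%@")
    if len(url_args) != expected:
        errors.append(f"expected {expected} url-args, got {len(url_args)}")
    return errors


if __name__ == "__main__":
    for name, raw in (("good", GOOD_PAYLOAD), ("bad", BAD_PAYLOAD)):
        print(name, validate_payload(raw, SAMPLE_FORMAT))
```

Running the same check in the code path that builds the notification catches the integer before it ever reaches a subscriber's machine.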