
Apple Devices Vulnerable to ASLR Bypass Through JSON Serialization Trick

[Image: Apple logo over a digital circuit background. Caption: Apple devices affected by an ASLR bypass technique involving NSDictionary JSON serialization.]

Researchers at Google Project Zero revealed a flaw in Apple’s system frameworks that enables attackers to bypass Address Space Layout Randomization (ASLR). The weakness appears in how Apple devices handle NSDictionary JSON serialization and deserialization, and it impacts both iOS and macOS platforms.

ASLR is a cornerstone defense that randomizes memory layouts to make exploits more difficult. When attackers find a reliable way to leak memory addresses, they reduce the protection ASLR provides, making further exploitation more feasible.

How the Bypass Works

Serialization triggers memory address leak

The vulnerability arises from Apple’s method +[NSDictionary dictionaryWithObjects:forKeys:count:]. Malformed JSON structures pass through NSJSONSerialization in a way that produces a leak: for instance, duplicate keys or mismatched elements force the parser to mishandle dictionary storage.

Instead of rejecting the input cleanly, the process returns a kernel pointer, effectively exposing an internal memory address. This information allows attackers to calculate the ASLR offset.

Proof-of-Concept and Reproducibility

Project Zero researchers built a proof-of-concept (PoC) using a malformed JSON payload. When fed into the deserializer, it triggered an error that printed a valid memory address. This single leak is enough to sidestep ASLR protections.

The exploit is simple to reproduce in apps that rely on Apple’s JSON parser. Because JSON serialization is widely used, the attack surface covers more than just Safari; any app that processes untrusted JSON could be at risk.

Why This Matters for Apple Devices

Although this bug doesn’t grant attackers remote code execution on its own, it removes a key defense barrier. By bypassing ASLR, malicious actors gain leverage in chaining exploits.

ASLR works best when attackers cannot reliably determine memory layouts. Once a memory leak occurs, other bugs such as buffer overflows or type confusion flaws become significantly easier to weaponize.

This weakness therefore widens the path for privilege escalation or sandbox escapes, especially in scenarios where multiple bugs can be chained.

Apple’s Response & Current Patch Status

Apple assigned the flaw CVE-2024-23225. The company patched it in iOS 17.4, macOS Ventura 13.4, and macOS Sonoma 14.0.

After the 90-day disclosure deadline expired, Project Zero published technical details, making the vulnerability public. Apple now validates dictionary integrity during serialization to prevent malformed structures from leaking pointers.

What Needs to Change

For developers, this incident underscores the risk of blindly trusting serialization APIs. Project Zero recommends several practices:

  • Do not serialize untrusted input without validation.

  • Check that key-value pairs are balanced and unique.

  • Consider JSON schema validation before passing data into NSJSONSerialization.

  • Watch Apple’s SDK release notes for serialization-related changes.
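To make the second and third recommendations concrete, here is an added example (not code from Project Zero or Apple) of a strict pre-parse step: it rejects any JSON object that repeats a key at any nesting depth, instead of silently keeping the last value the way Python's json.loads and other lenient parsers do. The sample documents are constructed for illustration; the same check can be ported to Swift or Objective-C and run before data reaches NSJSONSerialization.

```python
"""Strict JSON pre-validation: reject repeated object keys at any depth
before the document is handed to a parser that would silently collapse them."""
import json


class DuplicateKeyError(ValueError):
    """Raised when a JSON object repeats a key."""


def _pairs_to_dict(pairs):
    # object_pairs_hook sees every (key, value) pair in source order, so
    # duplicates are still visible here even though a dict would hide them.
    result = {}
    for key, value in pairs:
        if key in result:
            raise DuplicateKeyError(f"duplicate key {key!r}")
        result[key] = value
    return result


def parse_strict(text):
    """Parse JSON text; raise DuplicateKeyError on repeated keys anywhere,
    json.JSONDecodeError on syntactically malformed input."""
    return json.loads(text, object_pairs_hook=_pairs_to_dict)


def lenient_last_wins(text):
    """Default json.loads behaviour for comparison: the last duplicate wins."""
    return json.loads(text)


def classify(text):
    """Return 'ok', 'duplicate-key' or 'malformed' for a JSON document."""
    try:
        parse_strict(text)
    except DuplicateKeyError:
        return "duplicate-key"
    except json.JSONDecodeError:
        return "malformed"
    return "ok"


# Constructed sample documents (not taken from the original report).
SAMPLES = {
    "clean": '{"user": "alice", "roles": ["admin", "dev"]}',
    "duplicate_top": '{"user": "alice", "user": "bob"}',
    "duplicate_nested": '{"items": [{"id": 1}, {"id": 2, "id": 3}]}',
    "truncated": '{"user": "alice", "roles": [',
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(f"{name:17s} -> {classify(doc)}")
```

Only documents that classify as "ok" should be forwarded to the platform deserializer; the other two outcomes are logged and dropped.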

Secure coding practices at the application level can complement Apple’s patch, reducing the risk of similar bypasses in the future.

Modern Memory Defenses Need Layering

This case highlights how even advanced mitigations like ASLR are not foolproof. Bugs in higher-level frameworks such as JSON serialization can undermine the strength of system-level defenses.

Ultimately, memory safety requires a layered approach: operating system patches, secure developer practices, and ongoing fuzzing of critical APIs. For Apple users, updating to the latest OS version remains the most effective protection.

FAQs

Q: What is ASLR and why is it important on Apple devices?
A: Address Space Layout Randomization (ASLR) randomizes memory addresses to make exploits harder. Without it, attackers can more easily predict where to inject malicious code.

Q: How does NSDictionary enable an ASLR bypass?
A: When JSON structures are malformed, Apple’s NSDictionary deserialization leaks kernel pointers. Attackers can use these leaked addresses to calculate ASLR offsets.

Q: Does this vulnerability allow remote code execution?
A: No, the flaw only leaks memory addresses. However, attackers can chain it with other bugs to achieve remote code execution.

Q: Has Apple fixed the vulnerability?
A: Yes. Apple patched it under CVE-2024-23225 in iOS 17.4, macOS Ventura 13.4, and macOS Sonoma 14.0.
