Unsafe Object Deserialization in Microsoft's App Center SDK

Posted on March 7, 2023

Background

Microsoft’s Visual Studio App Center SDK for iOS and macOS provides means for client application analytics, crash reporting and update distribution. The vendor states:

Visual Studio App Center brings together multiple common services into a DevOps cloud solution. Developers use App Center to Build, Test, and Distribute applications. Once the app’s deployed, developers monitor the status and usage of the app using the Analytics and Diagnostics services.

Issue Description

During a review of a macOS application utilizing the App Center SDK, an unsafe deserialization of objects via NSKeyedUnarchiver was identified. The internal utility function unarchiveKeyedData was found to explicitly enable the deserialization of arbitrary classes by setting the unarchiver's requiresSecureCoding property to NO. Note the excerpt below from the file AppCenter/AppCenter/Internals/Util/MSACUtility.m:

+ (NSObject *)unarchiveKeyedData:(NSData *)data {
   if (!data) {
     return nil;
   }
   NSError *error;
   NSObject *unarchivedData;
   NSException *exception;
   @try {
     if (@available(iOS 11.0, macOS 10.13, watchOS 4.0, *)) {
       NSKeyedUnarchiver *unarchiver = [[NSKeyedUnarchiver alloc] initForReadingFromData:data error:&error];
       for (NSString *key in targetClasses) {
         [unarchiver setClass:targetClasses[key] forClassName:key];
       }
       unarchiver.requiresSecureCoding = NO;
       unarchivedData = [unarchiver decodeTopLevelObjectForKey:NSKeyedArchiveRootObjectKey error:&error];
     } else {

The functionality was found to be used inter alia for obtaining log entries from a SQLite database, as implemented inside AppCenter/AppCenter/Internals/Storage/MSACLogDBStorage.m. As part of the application’s local storage, a directory named com.microsoft.appcenter could be identified, which contains the respective database file.

The database entries include the Base64-encoded output of NSKeyedArchiver, which could be substituted with malicious content. Following the approach for exploiting a similar flaw in macOS’s Saved Application State, Proof-of-Concept code could be generated. After this payload was injected into the database with the groupId value Analytics, it was successfully deserialized on the next startup of the application.

Accordingly, an attacker with access to the database file can execute code in the context of the application utilizing the App Center SDK.
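
To check stored entries for classes the application does not expect, the following added example (not part of the original advisory or of the SDK) parses a Base64-encoded NSKeyedArchiver blob as a property list and reports class names outside an allowlist, without instantiating any object. The class name ExampleAppLog, the allowlist and the sample archives are constructed for illustration.

```python
import base64
import plistlib

# Hypothetical allowlist: the class names your application expects in stored entries.
ALLOWED = {"ExampleAppLog"}


def archived_class_names(b64_entry):
    """Return the class names an NSKeyedArchiver blob asks the unarchiver to create."""
    try:
        plist = plistlib.loads(base64.b64decode(b64_entry, validate=True))
    except Exception as exc:  # invalid Base64 or not a property list
        raise ValueError(f"not a decodable archive: {exc}") from exc
    if not isinstance(plist, dict) or plist.get("$archiver") != "NSKeyedArchiver":
        raise ValueError("property list is not an NSKeyedArchiver archive")
    names = set()
    for obj in plist.get("$objects", []):
        # Class descriptors are dictionaries carrying a $classname string.
        if isinstance(obj, dict) and isinstance(obj.get("$classname"), str):
            names.add(obj["$classname"])
    return names


def audit_entry(b64_entry, allowed=ALLOWED):
    """Return the sorted class names outside the allowlist (empty list: none found)."""
    return sorted(archived_class_names(b64_entry) - set(allowed))


def constructed_archive(classname):
    """Build a minimal archive-shaped plist (constructed sample, not real SDK data)."""
    plist = {
        "$version": 100000,
        "$archiver": "NSKeyedArchiver",
        "$top": {"root": plistlib.UID(1)},
        "$objects": [
            "$null",
            {"$class": plistlib.UID(2)},
            {"$classname": classname, "$classes": [classname, "NSObject"]},
        ],
    }
    return base64.b64encode(plistlib.dumps(plist, fmt=plistlib.FMT_BINARY)).decode()


if __name__ == "__main__":
    for name in ("ExampleAppLog", "UnexpectedClass"):
        print(name, "->", audit_entry(constructed_archive(name)))
```

An entry that reports any class outside the allowlist, or that fails to parse as an archive at all, warrants a closer look before the application next reads the database.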

Fix

The issue was fixed in SDK version 5.0.1.

Credit

Jennifer Gehrke on behalf of Secfault Security GmbH

Disclaimer

The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.

The contents of this advisory are copyright (c) 2023 Secfault Security GmbH and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.