[1] NetworkProcess IPC File-Read Sandbox Bypass via Unvalidated replacementPath
Severity: High | Component: WebKit Network Process | c2a306a
Rated High because the observable effect is arbitrary file read from web content via a pure logic bug in IPC validation — no memory corruption required — and the test case demonstrates a complete end-to-end exploit chain with confidence 0.95, bypassing the WebContent process sandbox's file access restrictions through the Network process.
Patch Details
The patch adds validation of the replacementPath parameter in NetworkConnectionToWebProcess::registerInternalFileBlobURL. Before the fix, only the path parameter was checked against the allowed-path list via isFilePathAllowed(). The replacementPath — used for transcoded files — passed through unchecked. The fix adds two validation paths on Cocoa platforms: if a sandbox extension is provided, it calls sandbox_check() on the remote WebProcess PID to verify actual sandbox-level file-read-data access; if no sandbox extension is provided, it falls back to the existing isFilePathAllowed() check. Non-Cocoa platforms always use the allowlist check.
Before:
registerInternalFileBlobURL()
  └─► check path
      └─► check replacementPath? NO
          └─► register blob

After:
registerInternalFileBlobURL()
  └─► check path
      └─► check replacementPath
          ├─ sandbox ext? ──► sandbox_check(PID)
          └─ no ext?     ──► isFilePathAllowed()
              └─► register blob
Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
if (blobFileAccessEnforcementEnabled() && shouldCheckBlobFileAccess())
MESSAGE_CHECK(isFilePathAllowed(*session, path));
+ RefPtr sandboxExtension = SandboxExtension::create(WTF::move(extensionHandle));
+
+ if (!replacementPath.isEmpty()) {
+#if PLATFORM(COCOA)
+ // For transcoded files, check if the WebProcess has actual sandbox access
+ // via the extension granted for the original file, rather than checking
+ // our internal allowed paths list (which won't include temporary transcoded files).
+ if (sandboxExtension) {
+ // sandbox_check returns 0 on success (has access), non-zero on failure
+ if (sandbox_check(m_connection->remoteProcessID(), "file-read-data", static_cast<enum sandbox_filter_type>(SANDBOX_FILTER_PATH | SANDBOX_CHECK_NO_REPORT), FileSystem::fileSystemRepresentation(replacementPath).data())) {
+ CONNECTION_RELEASE_LOG_ERROR(Sandbox, "registerInternalFileBlobURL: WebProcess does not have sandbox access to replacementPath");
+ MESSAGE_CHECK(false);
+ }
+ } else // No sandbox extension provided, fall back to path allowlist check
+ MESSAGE_CHECK(isFilePathAllowed(*session, replacementPath));
+#else
+ MESSAGE_CHECK(isFilePathAllowed(*session, replacementPath));
+#endif
+ }
+
m_blobURLs.add({ url, std::nullopt });
- session->blobRegistry().registerInternalFileBlobURL(url, BlobDataFileReferenceWithSandboxExtension::create(path, replacementPath, SandboxExtension::create(WTF::move(extensionHandle))), contentType);
+ session->blobRegistry().registerInternalFileBlobURL(url, BlobDataFileReferenceWithSandboxExtension::create(path, replacementPath, WTF::move(sandboxExtension)), contentType);
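Review bot: the new replacementPath block runs unconditionally, while the existing path check at the top of this hunk is gated by `blobFileAccessEnforcementEnabled() && shouldCheckBlobFileAccess()`; if the asymmetry is intended (replacementPath always enforced regardless of the enforcement switches), a comment should say so, otherwise the new block belongs under the same condition so both parameters are governed by the same policy. Minor: the `} else // No sandbox extension provided, fall back to path allowlist check` line leaves the fallback `MESSAGE_CHECK(isFilePathAllowed(*session, replacementPath));` as an unbraced statement behind a trailing comment; bracing the else body would make the two branches read consistently.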
LayoutTests/http/tests/security/registerBlobURL.html
+ connection.sendMessage(
+ 0,
+ IPC.messages.NetworkConnectionToWebProcess_RegisterInternalFileBlobURL.name,
+ [
+ {type: 'URL', value: 'blob:blobinternal:///b7701c13-a454-4b76-a3b1-e3e57d972c5d'},
+ {type: 'String', value: rootPath},
+ {type: 'String', value: '/private/var/db/com.apple.networkextension.tracker-info'},
+ {type: 'uint8_t', value: 0},
+ {type: 'String', value: 'text/html'}
+ ]
+ );
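Review bot: the expected outcome of this message is not visible in the hunk; because the patched handler rejects it through MESSAGE_CHECK (the WebContent connection is terminated rather than an error being returned), the test should state how it detects rejection, for example that a subsequent fetch of the blob URL fails, so it cannot pass vacuously. The hardcoded replacementPath is a platform-specific absolute path, which ties the test to Cocoa builds; a note or platform guard in the test would avoid confusing failures elsewhere.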
Missing IPC parameter validation on an alternate file path that bypasses the primary path's access control check.
Background
WebKit's multi-process architecture splits web content rendering (WebContent process) from network operations (Network process). The WebContent process communicates with the Network process via IPC messages, and the Network process enforces file access policy when the WebContent process registers file-backed blob URLs. The registerInternalFileBlobURL IPC message accepts both a path (the original file) and a replacementPath (used when a file has been transcoded to a different format — for instance, converting a HEIC image to JPEG for web consumption). When replacementPath is non-empty, the blob registry reads content from replacementPath instead of path. MESSAGE_CHECK is WebKit's IPC validation macro — when the check fails, the Network process terminates the offending WebContent process connection. isFilePathAllowed() validates a path against an internal allowlist of files the WebContent process is authorized to reference.
Analysis
The registerInternalFileBlobURL IPC handler validated the path parameter against an allowed-paths list but did not validate replacementPath. The replacementPath parameter exists for transcoded files — when a file is transcoded, the original path is validated but the actual file content is read from replacementPath (as strongly implied by the parameter names, the fix pattern, and the working test case). A compromised or malicious WebContent process could craft an IPC message with a legitimate path (passing the allowlist check) but set replacementPath to an arbitrary file on disk. The blob registry would then serve the contents of the attacker-chosen replacement file when the blob URL was fetched.
The test case demonstrates a complete end-to-end exploit: it obtains a valid filesystem root path via FileSystemGetDirectory/GetFile, uses it as the path parameter, sets replacementPath to /private/var/db/com.apple.networkextension.tracker-info, registers the blob chain, and reads the file via fetch(blobURL). No memory corruption is needed — this is a pure logic bug in IPC validation.
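To make the validation gap concrete, here is an added C++ model of the handler before and after the fix (example code, not WebKit's; the Session struct, the allowlist contents and the file paths are constructed for illustration). The pre-fix version registers whatever replacementPath names once path passes the allowlist; the post-fix version subjects a non-empty replacementPath to the same check, as the non-Cocoa branch of the patch does.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>
// Constructed model of the Network-process side of the RegisterInternalFileBlobURL
// IPC handler (not WebKit's code); the allowlist and registry stand in for session state.
struct Session {
    std::set<std::string> allowedPaths;              // files WebContent may reference
    std::map<std::string, std::string> blobRegistry; // blob URL -> file actually read
};

bool isFilePathAllowed(const Session& s, const std::string& path) {
    return s.allowedPaths.count(path) != 0;
}

// A fetch(blobURL) reads replacementPath when it is non-empty, otherwise path.
std::string effectivePath(const std::string& path, const std::string& replacementPath) {
    return replacementPath.empty() ? path : replacementPath;
}

// Pre-fix handler: only `path` is checked. Returns false where MESSAGE_CHECK would
// fail (connection terminated) and true when the blob is registered.
bool registerBlobBefore(Session& s, const std::string& url,
                        const std::string& path, const std::string& replacementPath) {
    if (!isFilePathAllowed(s, path)) return false;
    s.blobRegistry[url] = effectivePath(path, replacementPath); // unchecked file is served
    return true;
}

// Post-fix handler, modelling the allowlist branch of the patch: a non-empty
// replacementPath must pass the same check as path (the Cocoa sandbox_check branch is omitted).
bool registerBlobAfter(Session& s, const std::string& url,
                       const std::string& path, const std::string& replacementPath) {
    if (!isFilePathAllowed(s, path)) return false;
    if (!replacementPath.empty() && !isFilePathAllowed(s, replacementPath)) return false;
    s.blobRegistry[url] = effectivePath(path, replacementPath);
    return true;
}

// File the registry would serve for `url`, or "" when nothing was registered.
std::string servedPath(const Session& s, const std::string& url) {
    auto it = s.blobRegistry.find(url);
    return it == s.blobRegistry.end() ? std::string() : it->second;
}

int main() {
    Session s; s.allowedPaths = {"/constructed/allowed.heic"};
    registerBlobBefore(s, "blob:a", "/constructed/allowed.heic", "/constructed/secret.txt");
    std::cout << "pre-fix registry serves: " << servedPath(s, "blob:a") << "\n";
}
```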