Researcher Releases Fully Working Exploit Code for iOS Kernel Vulnerability

Researcher Releases Fully Working Exploit Code for iOS Kernel Vulnerability

iPhone

Adam Donenfeld, a researcher with mobile security firm Zimperium, has published today proof-of-concept code for zIVA — a kernel exploit that affects iOS 10.3.1 and previous versions.

The zIVA exploit code allows an attacker to gain arbitrary RW (Read Write) and root access.

Apple patched flaws back in May

Apple has addressed the eight vulnerabilities at the heart of this exploit package in a security patch it released in May. One affects the IOSurface kernel extension and seven others affect the AppleAVE Driver kernel extension.

Even if Apple issued security patches, they asked Donenfeld to delay the exploit code’s publication to give users more time to upgrade their devices.

Explaining the reasons for his research, Donenfeld said he “tried to investigate an area of the kernel that wasn’t thoroughly researched before.” His research eventually led him to AppleAVE.

“AppleAVE was written neglecting basic security fundamentals, to the extent that the vulnerabilities described below were sufficient to pwn the kernel and gain arbitrary RW and root,” he said.

Exploit code available on GitHub

Donenfeld is set to give a talk on the eight vulnerabilities tomorrow at the Hack In The Box – Singapore security conference.

Donenfeld works for Zimperium, the same company that discovered the notorious Stagefright vulnerability in the Android OS.

Back in February 2017, Zimperium announced a program called N-Days through which the company offered to buy “used” zero-days that stopped working, and prevent their public disclosure before patches were made available.

The zIVA proof-of-concept exploit code is available for download from GitHub. The table below describes the eight vulnerabilities Donenfeld reported to Apple earlier this year.

CVE-ID Component Impact Summary
CVE-2017-6979 IOSurface.kext Elevation of Privileges A race condition
vulnerability inside IOSurface.kext driver; enables an attacker
to bypass sanity checks, for the creation of an IOSurface object.
CVE-2017-6989 AppleAVE.kext Information Disclosure A vulnerability in the
AppleAVE.kext kernel extension; enables an attacker to drop the
refcount of any IOSurface object in the kernel.
CVE-2017-6994 AppleAVE.kext Elevation of Privileges An information disclosure
vulnerability in the AppleAVE.kext kernel extension; enables an
attacker to leak the kernel address of any IOSurface object in the
system.
CVE-2017-6995 AppleAVE.kext Information
Disclosure/DoS/EoP
A type confusion
vulnerability in the AppleAVE.kext kernel extension; enables an
attacker to send an arbitrary kernel pointer which will be used by
the kernel as a pointer to a valid IOSurface object.
CVE-2017-6996 AppleAVE.kext Information
Disclosure/DoS/EoP
An attacker can free any
memory block of size 0x28.
CVE-2017-6997 AppleAVE.kext Information
Disclosure/DoS/EoP
An attacker can free any
pointer of size 0x28.
CVE-2017-6998 AppleAVE.kext Information
Disclosure/DoS/EoP
An attacker can hijack
kernel code execution due to a type confusion
CVE-2017-6999 AppleAVE.kext Information
Disclosure/DoS/EoP
A user-controlled pointer is
zeroed.

Leave a Reply