New issue
Advanced search Search tips
Starred by 14 users

Issue metadata

Status: Fixed
Owner:
Closed: Dec 2017
Cc:

Restricted
  • Only users with EditIssue permission may comment.



Sign in to add a comment
link

Issue 1417: iOS/MacOS kernel double free due to IOSurfaceRootUserClient not respecting MIG ownership rules

Reported by ianbeer@google.com, Oct 28 2017 Project Member

Issue description

I have previously detailed the lifetime management paradigms in MIG in the writeups for:
  CVE-2016-7612 [https://bugs.chromium.org/p/project-zero/issues/detail?id=926]
and
  CVE-2016-7633 [https://bugs.chromium.org/p/project-zero/issues/detail?id=954]

If a MIG method returns KERN_SUCCESS it means that the method took ownership of *all* the arguments passed to it.
If a MIG method returns an error code, then it took ownership of *none* of the arguments passed to it.

If an IOKit userclient external method takes an async wake mach port argument then the lifetime of the reference
on that mach port passed to the external method will be managed by MIG semantics. If the external method returns
an error then MIG will assume that the reference was not consumed by the external method and as such the MIG
generated coode will drop a reference on the port.
 
IOSurfaceRootUserClient external method 17 (s_set_surface_notify) will drop a reference on the wake_port
(via IOUserClient::releaseAsyncReference64) then return an error code if the client has previously registered
a port with the same callback function.
 
The external method's error return value propagates via the return value of is_io_connect_async_method back to the
MIG generated code which will drop a futher reference on the wake_port when only one was taken.

This bug is reachable from the iOS app sandbox as demonstrated by this PoC.
 
Tested on iOS 11.0.3 (11A432) on iPhone 6s (MKQL2CN/A)
Tested on MacOS 10.13 (17A365) on MacBookAir5,2

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
 
iosurface_uaf_ios.zip
32.3 KB Download

Comment 1 by ianbeer@google.com, Oct 28 2017

Project Member
Labels: Id-676732646 Reported-2017-Oct-30

Comment 2 by ianbeer@google.com, Dec 11 2017

Project Member
Labels: Fixed-2017-Dec-02 CVE-2017-13861
Status: Fixed (was: New)
Apple advisory: https://support.apple.com/en-us/HT208334

Comment 3 by ianbeer@google.com, Dec 11 2017

Project Member
async_wake exploit attached.

Gets tfp0 on all 64-bit devices plus an initial PoC local kernel debugger.

See the README and kdbg.c for details.
async_wake_ios.zip
306 KB Download

Comment 4 by ianbeer@google.com, Dec 11 2017

Project Member
Labels: -Restrict-View-Commit

Comment 5 by ianbeer@google.com, Dec 11 2017

Project Member
Labels: Methodology-ManualReview

Comment 6 by shonemyz...@gmail.com, Dec 11 2017

Thank you for the Jailbreak exploit! We appreciate your work

Comment 7 by manuelp...@gmail.com, Dec 11 2017

thanks for sharing =)

Comment 8 by m...@idickyt.com, Dec 11 2017

thank you for your research and sharing!

Comment 9 by he...@ivy.io, Dec 12 2017

when it has been ran what do i do after that? if anything?

Comment 10 by ssujan24...@gmail.com, Dec 12 2017

as always Nice work! pretty impressed.

Comment 11 by surielor...@gmail.com, Dec 12 2017

You’re brilliant Ian, always sharing your knowledge to the community . Thank u so much.

Comment 12 by slawson...@gmail.com, Dec 12 2017

I am wondering how all this works is this purposed towards jailbreaking or just security problems with iOS

Comment 13 by soulchen...@gmail.com, Dec 12 2017

Hello,I am working for the exploit of 10.3.3,but it seems this kernel version doesn't has the |kevent_id| syscall.So do you have any replace method for ensure |kevent_proc_copy_uptrs| return a large number to leak the kernel address.  Thanks!!

Comment 14 by maikblac...@gmail.com, Dec 12 2017

as you can see the exploit?

Comment 15 by ianbeer@google.com, Dec 12 2017

Project Member
Labels: Restrict-AddIssueComment-EditIssue

Comment 16 by ianbeer@google.com, Jun 29 2018

Project Member
Slides from my MOSEC 2018 talk about building a kernel debugger which was bootstrapped using this exploit.
build_your_own_iOS_kernel_debugger.pdf
593 KB Download

Comment 17 by ianbeer@google.com, Jul 24 2018

Project Member
Updated version of the PoC kernel debugger with KDP support.

Please read all of README_KDP before using this.
async_wake_ios_with_kdp.zip
213 KB Download

Sign in to add a comment