Status: Fixed
Closed: Dec 11

iOS/MacOS kernel double free due to IOSurfaceRootUserClient not respecting MIG ownership rules

Reported by ianbeer@google.com, Oct 28

Issue description

I have previously detailed the lifetime management paradigms in MIG in the writeups for:
  CVE-2016-7612 [https://bugs.chromium.org/p/project-zero/issues/detail?id=926]
and
  CVE-2016-7633 [https://bugs.chromium.org/p/project-zero/issues/detail?id=954]

If a MIG method returns KERN_SUCCESS it means that the method took ownership of *all* the arguments passed to it.
If a MIG method returns an error code, then it took ownership of *none* of the arguments passed to it.

If an IOKit userclient external method takes an async wake mach port argument then the lifetime of the reference
on that mach port passed to the external method will be managed by MIG semantics. If the external method returns
an error then MIG will assume that the reference was not consumed by the external method and as such the MIG
generated code will drop a reference on the port.
 
IOSurfaceRootUserClient external method 17 (s_set_surface_notify) will drop a reference on the wake_port
(via IOUserClient::releaseAsyncReference64) then return an error code if the client has previously registered
a port with the same callback function.
 
The external method's error return value propagates via the return value of is_io_connect_async_method back to the
MIG generated code which will drop a further reference on the wake_port when only one was taken.

This bug is reachable from the iOS app sandbox as demonstrated by this PoC.
 
Tested on iOS 11.0.3 (11A432) on iPhone 6s (MKQL2CN/A)
Tested on MacOS 10.13 (17A365) on MacBookAir5,2

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

 
Attachment: iosurface_uaf_ios.zip (32.3 KB)
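The ownership rule the report describes, modeled as an added example that is not Apple's code and not the PoC attached to this report: a small C stand-in for the MIG-generated stub and for external method 17, with the vulnerable shape (release the wake port, then return an error) placed beside the shape that leaves the reference to the caller on error. port_t, client_t, mig_dispatch, client_close and the two set_surface_notify_* functions are names assumed here for illustration; the real kernel types and the IOSurface code are not reproduced.

```c
/* Added example: a model of MIG argument ownership around an IOKit async
 * external method. Names and types below are assumptions for illustration,
 * not the XNU/IOKit definitions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef int kern_return_t;
#define KERN_SUCCESS 0
#define KERN_FAILURE 5

/* Reference-counted stand-in for a mach port. */
typedef struct {
    int refs;          /* outstanding references to the port */
    bool freed;        /* set once refs reaches zero */
    int double_frees;  /* releases observed after the port was already freed */
} port_t;

static void port_reference(port_t *p) { p->refs++; }

/* Dropping the last reference frees the port; any later drop is a double free. */
static void port_release(port_t *p) {
    if (p->freed) { p->double_frees++; return; }
    if (--p->refs == 0) p->freed = true;
}

/* Per-client state: the notification port registered so far, if any. */
typedef struct { port_t *registered; } client_t;

typedef kern_return_t (*ext_method_t)(client_t *, port_t *);

/* Vulnerable shape as the report describes it: a second registration releases
 * the wake port (cf. releaseAsyncReference64) and then returns an error, so the
 * MIG stub, which sees an error, drops the same reference a second time. */
static kern_return_t set_surface_notify_vuln(client_t *c, port_t *wake_port) {
    if (c->registered != NULL) {
        port_release(wake_port);
        return KERN_FAILURE;
    }
    c->registered = wake_port;   /* success: the method now owns the reference */
    return KERN_SUCCESS;
}

/* Shape that respects the rule: on error, take ownership of nothing. */
static kern_return_t set_surface_notify_fixed(client_t *c, port_t *wake_port) {
    if (c->registered != NULL)
        return KERN_FAILURE;     /* the reference still belongs to the MIG stub */
    c->registered = wake_port;
    return KERN_SUCCESS;
}

/* Model of the MIG-generated stub: one reference is handed to the method;
 * KERN_SUCCESS means the method consumed it, anything else means it did not. */
static kern_return_t mig_dispatch(ext_method_t method, client_t *c, port_t *wake_port) {
    port_reference(wake_port);
    kern_return_t kr = method(c, wake_port);
    if (kr != KERN_SUCCESS)
        port_release(wake_port);
    return kr;
}

/* Client teardown drops the reference held by the registration. */
static void client_close(client_t *c) {
    if (c->registered != NULL) {
        port_release(c->registered);
        c->registered = NULL;
    }
}

/* Kernel-held references after registering the same port twice: 1 is correct
 * (the live registration); 0 means a reference was dropped that nobody took. */
static int kernel_refs_after_two_calls(ext_method_t method) {
    port_t port = { 1, false, 0 };    /* the user's own send right */
    client_t client = { NULL };
    mig_dispatch(method, &client, &port);   /* first call succeeds */
    mig_dispatch(method, &client, &port);   /* second call returns an error */
    return port.refs - 1;                   /* minus the user's own right */
}

/* Double frees over the port's lifetime: user deallocates its right, then the
 * client is closed while the registration still points at the port. */
static int double_frees_over_lifetime(ext_method_t method) {
    port_t port = { 1, false, 0 };
    client_t client = { NULL };
    mig_dispatch(method, &client, &port);
    mig_dispatch(method, &client, &port);
    port_release(&port);      /* user-space mach_port_deallocate */
    client_close(&client);    /* kernel releases the registered port */
    return port.double_frees;
}

int main(void) {
    printf("vulnerable: kernel refs=%d, double frees=%d\n",
           kernel_refs_after_two_calls(set_surface_notify_vuln),
           double_frees_over_lifetime(set_surface_notify_vuln));
    printf("fixed:      kernel refs=%d, double frees=%d\n",
           kernel_refs_after_two_calls(set_surface_notify_fixed),
           double_frees_over_lifetime(set_surface_notify_fixed));
    return 0;
}
```

The user-space caller keeps its own send right throughout. In the vulnerable path the kernel ends up holding zero references to a port it still has registered, so the right the user later deallocates is the last one and the client's teardown releases an already freed port; in the fixed path the extra drop never happens and the registration keeps the port alive until close.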

Comment 1 by ianbeer@google.com, Oct 28

Labels: Id-676732646 Reported-2017-Oct-30

Comment 2 by ianbeer@google.com, Dec 11

Labels: Fixed-2017-Dec-02 CVE-2017-13861
Status: Fixed
Apple advisory: https://support.apple.com/en-us/HT208334

Comment 3 by ianbeer@google.com, Dec 11

async_wake exploit attached.

Gets tfp0 on all 64-bit devices plus an initial PoC local kernel debugger.

See the README and kdbg.c for details.
Attachment: async_wake_ios.zip (306 KB)

Comment 4 by ianbeer@google.com, Dec 11

Labels: -Restrict-View-Commit

Comment 5 by ianbeer@google.com, Dec 11

Labels: Methodology-ManualReview

Thank you for the Jailbreak exploit! We appreciate your work.
Thanks for sharing =)
Thank you for your research and sharing!

Comment 9 by he...@ivy.io, Dec 12

When it has been run, what do I do after that? If anything?
As always, nice work! Pretty impressed.
You're brilliant Ian, always sharing your knowledge with the community. Thank you so much.
I am wondering how all this works. Is this purposed towards jailbreaking or just security problems with iOS?
Hello, I am working on the exploit for 10.3.3, but it seems this kernel version doesn't have the |kevent_id| syscall. So do you have any replacement method to ensure |kevent_proc_copy_uptrs| returns a large number to leak the kernel address? Thanks!!
as you can see the exploit?


Comment 15 by ianbeer@google.com, Dec 12

Labels: Restrict-AddIssueComment-EditIssue