Starred by 11 users
Status: Fixed
Closed: Dec 11
iOS/MacOS kernel double free due to IOSurfaceRootUserClient not respecting MIG ownership rules
Project Member Reported by ianbeer@google.com, Oct 28
I have previously detailed the lifetime management paradigms in MIG in the writeups for:
  CVE-2016-7612 [https://bugs.chromium.org/p/project-zero/issues/detail?id=926]
and
  CVE-2016-7633 [https://bugs.chromium.org/p/project-zero/issues/detail?id=954]

If a MIG method returns KERN_SUCCESS it means that the method took ownership of *all* the arguments passed to it.
If a MIG method returns an error code, then it took ownership of *none* of the arguments passed to it.

If an IOKit userclient external method takes an async wake mach port argument then the lifetime of the reference
on that mach port passed to the external method will be managed by MIG semantics. If the external method returns
an error then MIG will assume that the reference was not consumed by the external method and as such the MIG
generated code will drop a reference on the port.
 
IOSurfaceRootUserClient external method 17 (s_set_surface_notify) will drop a reference on the wake_port
(via IOUserClient::releaseAsyncReference64) then return an error code if the client has previously registered
a port with the same callback function.
 
The external method's error return value propagates via the return value of is_io_connect_async_method back to the
MIG generated code which will drop a further reference on the wake_port when only one was taken.

This bug is reachable from the iOS app sandbox as demonstrated by this PoC.
 
Tested on iOS 11.0.3 (11A432) on iPhone 6s (MKQL2CN/A)
Tested on MacOS 10.13 (17A365) on MacBookAir5,2

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

 
Attachment: iosurface_uaf_ios.zip (32.3 KB)
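The ownership rule in the report is easiest to see with the reference counts written out. The following is an added example, not code from the report, from XNU or from the attached PoC: a user-space model in which a MIG-style dispatcher delivers one reference with the message and drops it again whenever the method returns an error, exactly as the generated code around is_io_connect_async_method does. The names mig_dispatch_async_method, vulnerable_set_surface_notify, fixed_set_surface_notify, port_model and userclient_model are hypothetical stand-ins for the real kernel objects; the "same callback already registered" check is reduced to "a port is already registered", and the error code is an arbitrary nonzero value. The vulnerable variant releases the reference and then returns an error (the mix the report describes), so the port ends up one reference short and is released once more after it has already reached zero; the fixed variant returns the error without touching the reference and lets MIG drop it.

```c
/* Added example: a model of MIG reference ownership around an IOKit async
 * external method. Nothing here touches a real kernel; all names are
 * hypothetical stand-ins chosen for illustration. */
#include <stdio.h>
#include <stddef.h>

#define KERN_SUCCESS 0
#define MODEL_ERR_ALREADY_REGISTERED 1  /* any nonzero error code */

/* Model of a mach port: a reference count plus a flag noting whether a
 * release ever happened after the count had already hit zero. */
typedef struct {
    int refs;
    int released_after_free;
} port_model;

static void port_release(port_model *p) {
    if (p->refs <= 0)
        p->released_after_free = 1;  /* release of a port already freed */
    p->refs--;
}

/* Model of the user client: at most one registered wake port. */
typedef struct {
    port_model *registered_port;
} userclient_model;

typedef int (*ext_method_t)(userclient_model *uc, port_model *wake_port);

/* The buggy shape described in the report: on the duplicate-registration
 * path the method drops the reference itself and then returns an error,
 * so the MIG layer will drop it a second time. */
static int vulnerable_set_surface_notify(userclient_model *uc, port_model *wake_port) {
    if (uc->registered_port != NULL) {
        port_release(wake_port);  /* releaseAsyncReference64 equivalent */
        return MODEL_ERR_ALREADY_REGISTERED;
    }
    uc->registered_port = wake_port;  /* reference consumed: kept for later */
    return KERN_SUCCESS;
}

/* One MIG-consistent shape: an error return means the method took
 * ownership of nothing, so the reference is left for MIG to drop. */
static int fixed_set_surface_notify(userclient_model *uc, port_model *wake_port) {
    if (uc->registered_port != NULL)
        return MODEL_ERR_ALREADY_REGISTERED;
    uc->registered_port = wake_port;
    return KERN_SUCCESS;
}

/* Model of the MIG-generated stub: the incoming message carries one
 * reference on wake_port; if the method fails, the stub assumes the
 * method consumed nothing and releases that reference. */
static int mig_dispatch_async_method(ext_method_t method, userclient_model *uc, port_model *wake_port) {
    wake_port->refs++;
    int kr = method(uc, wake_port);
    if (kr != KERN_SUCCESS)
        port_release(wake_port);
    return kr;
}

/* Calls the method twice with the same port (first call registers it,
 * second hits the error path), then has the user drop its send right and
 * the user client release what it registered. Returns the final reference
 * count: 0 when ownership was respected, -1 when the port was freed early
 * and then released once more. */
static int run_scenario(ext_method_t method) {
    port_model port = { 1, 0 };  /* the caller's own send right */
    userclient_model uc = { NULL };

    mig_dispatch_async_method(method, &uc, &port);
    mig_dispatch_async_method(method, &uc, &port);

    port_release(&port);  /* mach_port_deallocate by the user */
    if (uc.registered_port != NULL) {
        port_release(uc.registered_port);  /* user client closes */
        uc.registered_port = NULL;
    }
    return port.refs;
}

/* Convenience for the test: 1 if the scenario released the port after it
 * had already been freed, else 0. */
static int scenario_hits_freed_port(ext_method_t method) {
    port_model port = { 1, 0 };
    userclient_model uc = { NULL };
    mig_dispatch_async_method(method, &uc, &port);
    mig_dispatch_async_method(method, &uc, &port);
    port_release(&port);
    if (uc.registered_port != NULL)
        port_release(uc.registered_port);
    return port.released_after_free;
}

int main(void) {
    printf("vulnerable: final refs %d\n", run_scenario(vulnerable_set_surface_notify));
    printf("fixed:      final refs %d\n", run_scenario(fixed_set_surface_notify));
    return 0;
}
```

The model makes the rule mechanical: on every return path of an external method, either all port references that arrived with the message are consumed and KERN_SUCCESS is returned, or none are and an error is returned. The vulnerable shape violates it by doing both halves, which is why the count comes up one short and the last release lands on a port that has already been freed.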
Project Member Comment 1 by ianbeer@google.com, Oct 28
Labels: Id-676732646 Reported-2017-Oct-30
Project Member Comment 2 by ianbeer@google.com, Dec 11
Labels: Fixed-2017-Dec-02 CVE-2017-13861
Status: Fixed
Apple advisory: https://support.apple.com/en-us/HT208334
Project Member Comment 3 by ianbeer@google.com, Dec 11
async_wake exploit attached.

Gets tfp0 on all 64-bit devices plus an initial PoC local kernel debugger.

See the README and kdbg.c for details.
Attachment: async_wake_ios.zip (306 KB)
Project Member Comment 4 by ianbeer@google.com, Dec 11
Labels: -Restrict-View-Commit
Project Member Comment 5 by ianbeer@google.com, Dec 11
Labels: Methodology-ManualReview
Thank you for the Jailbreak exploit! We appreciate your work
thanks for sharing =)
thank you for your research and sharing!
Comment 9 by he...@ivy.io, Dec 12
when it has been ran what do i do after that? if anything?
as always Nice work! pretty impressed.
You’re brilliant Ian, always sharing your knowledge to the community . Thank u so much.
I am wondering how all this works is this purposed towards jailbreaking or just security problems with iOS 
Hello, I am working on the exploit for 10.3.3, but it seems this kernel version doesn't have the |kevent_id| syscall. So do you have any replacement method to ensure |kevent_proc_copy_uptrs| returns a large number to leak the kernel address? Thanks!!
as you can see the exploit?

Project Member Comment 15 by ianbeer@google.com, Dec 12
Labels: Restrict-AddIssueComment-EditIssue