
Issue 1417

Issue metadata

Status: Fixed
Closed: Dec 2017


iOS/MacOS kernel double free due to IOSurfaceRootUserClient not respecting MIG ownership rules

Reported by ianbeer@google.com (Project Member), Oct 28 2017

Issue description

I have previously detailed the lifetime management paradigms in MIG in the writeups for:
  CVE-2016-7612 [https://bugs.chromium.org/p/project-zero/issues/detail?id=926]
and
  CVE-2016-7633 [https://bugs.chromium.org/p/project-zero/issues/detail?id=954]

If a MIG method returns KERN_SUCCESS it means that the method took ownership of *all* the arguments passed to it.
If a MIG method returns an error code, then it took ownership of *none* of the arguments passed to it.

If an IOKit userclient external method takes an async wake mach port argument then the lifetime of the reference
on that mach port passed to the external method will be managed by MIG semantics. If the external method returns
an error then MIG will assume that the reference was not consumed by the external method and as such the MIG
generated code will drop a reference on the port.
 
IOSurfaceRootUserClient external method 17 (s_set_surface_notify) will drop a reference on the wake_port
(via IOUserClient::releaseAsyncReference64) then return an error code if the client has previously registered
a port with the same callback function.
 
The external method's error return value propagates via the return value of is_io_connect_async_method back to the
MIG generated code which will drop a further reference on the wake_port when only one was taken.
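The ownership rule above and the way external method 17 breaks it, as an added illustration in C that is not part of the report or its PoC: the port, method and dispatcher names are invented for this model, the kernel types are stand-ins, and the "fixed" shape shows only the rule (consume nothing on error), not Apple's actual patch.

```c
#include <stdio.h>

/* Stand-ins for the kernel types; invented for this model. */
typedef enum { KERN_SUCCESS = 0, KERN_FAILURE = 5 } kern_return_t;
typedef struct {
    int refs;          /* references currently held on the wake port */
    int over_released; /* set when a release finds no reference to drop */
} wake_port_t;

static void port_release(wake_port_t *p) {
    if (p->refs <= 0) { p->over_released = 1; return; } /* second drop: the bug */
    p->refs--;
}

/* Buggy shape of external method 17: when the callback is already
 * registered it drops the port reference itself AND returns an error. */
static kern_return_t set_notify_buggy(wake_port_t *wake_port, int already_registered) {
    if (already_registered) {
        port_release(wake_port);  /* the releaseAsyncReference64 call */
        return KERN_FAILURE;      /* error tells MIG "I consumed nothing" */
    }
    return KERN_SUCCESS;          /* success: callee now owns the reference */
}

/* Corrected shape: on error, consume nothing and let MIG release. */
static kern_return_t set_notify_fixed(wake_port_t *wake_port, int already_registered) {
    (void)wake_port;
    return already_registered ? KERN_FAILURE : KERN_SUCCESS;
}

/* Model of the MIG-generated caller: one reference arrives with the message;
 * on a non-success return MIG assumes it was not consumed and drops it. */
static int mig_call(kern_return_t (*method)(wake_port_t *, int), int already_registered) {
    wake_port_t port = { .refs = 1, .over_released = 0 }; /* ref from the message */
    if (method(&port, already_registered) != KERN_SUCCESS)
        port_release(&port);   /* MIG's drop of the "unconsumed" reference */
    return port.over_released; /* 1: the reference was released twice */
}

int main(void) {
    printf("buggy, duplicate registration: over-release=%d\n", mig_call(set_notify_buggy, 1));
    printf("fixed, duplicate registration: over-release=%d\n", mig_call(set_notify_fixed, 1));
    return 0;
}
```

Only the duplicate-registration path of the buggy method releases twice; the first registration and both paths of the corrected method leave exactly one drop per reference.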

This bug is reachable from the iOS app sandbox as demonstrated by this PoC.
 
Tested on iOS 11.0.3 (11A432) on iPhone 6s (MKQL2CN/A)
Tested on MacOS 10.13 (17A365) on MacBookAir5,2

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

 
Attachment: iosurface_uaf_ios.zip (32.3 KB)
Comment 1 by ianbeer@google.com (Project Member), Oct 28 2017

Labels: Id-676732646 Reported-2017-Oct-30
Comment 2 by ianbeer@google.com (Project Member), Dec 11 2017

Labels: Fixed-2017-Dec-02 CVE-2017-13861
Status: Fixed (was: New)
Apple advisory: https://support.apple.com/en-us/HT208334
Comment 3 by ianbeer@google.com (Project Member), Dec 11 2017

async_wake exploit attached.

Gets tfp0 on all 64-bit devices plus an initial PoC local kernel debugger.

See the README and kdbg.c for details.
Attachment: async_wake_ios.zip (306 KB)
Comment 4 by ianbeer@google.com (Project Member), Dec 11 2017

Labels: -Restrict-View-Commit
Comment 5 by ianbeer@google.com (Project Member), Dec 11 2017

Labels: Methodology-ManualReview
Thank you for the Jailbreak exploit! We appreciate your work.
Thanks for sharing =)

Comment 8 by m...@idickyt.com, Dec 11 2017

Thank you for your research and sharing!

Comment 9 by he...@ivy.io, Dec 12 2017

When it has been run, what do I do after that, if anything?
As always, nice work! Pretty impressed.
You're brilliant Ian, always sharing your knowledge with the community. Thank you so much.
I am wondering how all this works. Is this purposed towards jailbreaking or just security problems with iOS?
Hello, I am working on the exploit for 10.3.3, but it seems this kernel version doesn't have the |kevent_id| syscall. So do you have any replacement method to ensure |kevent_proc_copy_uptrs| returns a large number to leak the kernel address? Thanks!!
as you can see the exploit?

Comment 15 by ianbeer@google.com (Project Member), Dec 12 2017

Labels: Restrict-AddIssueComment-EditIssue
Comment 16 by ianbeer@google.com (Project Member), Jun 29

Slides from my MOSEC 2018 talk about building a kernel debugger which was bootstrapped using this exploit.
Attachment: build_your_own_iOS_kernel_debugger.pdf (593 KB)
Comment 17 by ianbeer@google.com (Project Member), Jul 24

Updated version of the PoC kernel debugger with KDP support.

Please read all of README_KDP before using this.
Attachment: async_wake_ios_with_kdp.zip (213 KB)
