CVE-2017-13861
published 2017-12-25


Priority: P3 56 · Severity: high · CVSS 3.0 base score: 7.8
CVSS 3.0 vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 14.89% (96.3th percentile)
An issue was discovered in certain Apple products. iOS before 11.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "IOSurface" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

Affected

6 ranges

Vendor   Product     Version range   Fixed in
apple    ios         -               -
apple    iphone_os   < 11.2          11.2
apple    tvos        < 11.2          11.2
apple    tvos        -               -
apple    watchos     < 4.2           4.2
apple    watchos     -               -

Detection & IOCs (extracted from sources)

URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/43320.zip
  • Monitor for repeated calls to IOSurfaceRootUserClient external method 17 (s_set_surface_notify) with the same callback function — the double-free is triggered when a second registration attempt causes releaseAsyncReference64 to drop a reference and then MIG drops a second reference on the same wake_port.
  • Detect exploitation chain where a Safari/WebKit renderer process (CVE-2018-4233) maps and executes a second-stage Mach-O containing the async_wake exploit (CVE-2017-13861) to obtain a kernel task port (TFP0) — look for unusual mach port privilege escalation from a browser child process.
  • Alert on processes overwriting kernel credential and sandbox structures, or injecting code-signature hashes into the kernel trust cache — post-exploitation indicators of a successful async_wake / TFP0 privilege escalation.
  • The vulnerability is reachable from within the iOS app sandbox — treat any app-level crash or anomalous MIG error return from is_io_connect_async_method as a potential exploitation attempt against IOSurfaceRootUserClient.
  • The double-free is only triggered when a MIG method returns an error after already consuming the wake_port reference — detection logic must account for the MIG ownership rule: error return means MIG drops its own reference on top of the one already released by the external method.
  • PoC was validated on iOS 11.0.3 (11A432) on iPhone 6s and macOS 10.13 (17A365) on MacBookAir5,2 — detections should be scoped to 64-bit devices running pre-patch OS versions (iOS < 11.2, tvOS < 11.2, watchOS < 4.2).

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.0      7.8     HIGH       CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd      v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C