CVE-2017-13861
Published 2017-12-25
Priority: P3 (56) · Severity: High · CVSS 3.0 base score 7.8
Vector: AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
Exploit: public PoC available · EPSS 14.89% (96.3rd percentile)
An issue was discovered in certain Apple products. iOS before 11.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "IOSurface" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios | — | — |
| apple | iphone_os | < 11.2 | 11.2 |
| apple | tvos | < 11.2 | 11.2 |
| apple | tvos | — | — |
| apple | watchos | < 4.2 | 4.2 |
| apple | watchos | — | — |
Note: `ios` and `iphone_os` are the same product (NVD's CPE name for iOS is `apple:iphone_os`), and the rows without a version range are unversioned CPE entries, not extra affected versions. The NVD entry names only iOS, tvOS and watchOS, but the Exploit-DB PoC below was also validated on macOS 10.13 (17A365), so do not treat macOS as out of scope on the strength of this table alone.
Detection & IOCs (extracted from sources)
- Monitor for repeated calls to IOSurfaceRootUserClient external method 17 (s_set_surface_notify) with the same callback port. The double free is triggered when a second registration attempt makes the method call releaseAsyncReference64, dropping one reference, and then return an error, after which MIG drops a second reference on the same wake_port.
- Detect the exploitation chain in which a Safari/WebKit renderer process (CVE-2018-4233) maps and executes a second-stage Mach-O carrying the async_wake exploit (CVE-2017-13861) to obtain the kernel task port (tfp0): look for unusual Mach port privilege escalation originating from a browser child process.
- Alert on processes overwriting kernel credential and sandbox structures, or injecting code-signature hashes into the kernel trust cache; these are post-exploitation indicators of a successful async_wake / tfp0 privilege escalation.
- The vulnerability is reachable from inside the iOS app sandbox, so treat any app-level crash or anomalous MIG error return from is_io_connect_async_method as a potential exploitation attempt against IOSurfaceRootUserClient.
- The double free only occurs when a MIG method returns an error after having already consumed the wake_port reference. Detection logic must follow the MIG ownership rule: an error return means MIG drops its own reference on top of the one the external method already released.
- The PoC was validated on iOS 11.0.3 (11A432) on an iPhone 6s and on macOS 10.13 (17A365) on a MacBookAir5,2; scope detections to 64-bit devices running pre-patch OS versions (iOS < 11.2, tvOS < 11.2, watchOS < 4.2).
- Caveat: on a non-jailbroken iOS, tvOS or watchOS device none of the above is observable with third-party tooling (there is no EDR hook on IOKit external method calls), so the enforceable control is patch level. Inventory devices by OS version via MDM and treat anything below iOS 11.2, tvOS 11.2 or watchOS 4.2 as exposed.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 7.8 | High | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 9.3 | High | AV:N/AC:M/Au:N/C:C/I:C/A:C |
Note: CVSS v2 has no Critical band (7.0 to 10.0 is High), so the v2 score is High, not Critical. The two vectors also disagree on attack vector: v3 rates the bug local with user interaction (a crafted app must be installed and run), v2 rates it network-reachable.
Apple
CVE-2017-13861: watchOS 4.2
vendor_apple · 2017-12-05 · CVE-2017-13861 [HIGH] · CVSS 7.8
Apple Security Update: About the security content of watchOS 4.2
Product: watchOS
Version: 4.2
CVE: CVE-2017-13861
Component: IOSurface
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
Apple
CVE-2017-13861: tvOS 11.2
vendor_apple · 2017-12-04 · CVE-2017-13861 [HIGH] · CVSS 7.8
Apple Security Update: About the security content of tvOS 11.2
Product: tvOS
Version: 11.2
CVE: CVE-2017-13861
Component: IOSurface
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
Apple
CVE-2017-13861: iOS 11.2
vendor_apple · 2017-12-02 · CVE-2017-13861 [HIGH] · CVSS 7.8
Apple Security Update: About the security content of iOS 11.2
Product: iOS
Version: 11.2
CVE: CVE-2017-13861
Component: IOSurface
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
GHSA
GHSA-wh5x-25pj-vqhp: An issue was discovered in certain Apple products
ghsa_unreviewed · 2022-05-14 · CVE-2017-13861 [HIGH] · CWE-119
An issue was discovered in certain Apple products. iOS before 11.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "IOSurface" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.
Project Zero
A survey of recent iOS kernel exploits - Project Zero
project_zero · 2020-06-01 · indexed under CVE-2016-7644
Posted by Brandon Azad, Project Zero
I recently found myself wishing for a single online reference providing a brief summary of the high-level exploit flow of every public iOS kernel exploit in recent years; since no such document existed, I decided to create it here.
This post summarizes original iOS kernel exploits from local app context targeting iOS 10 through iOS 13, focusing on the high-level exploit flow from the initial primitive granted by the vulnerability to kernel read/write. At the end of this post, we will briefly look at iOS kernel exploit mitigations (in both hardware and software) and how they map onto the techniques used in the exploits.
This isn't your typical P0 blog post: There is no gripping zero-day exploitation, or novel exploitation research, or thrilling mal
Project Zero
In-the-wild iOS Exploit Chain 2 - Project Zero
project_zero · 2019-08-01 · CVE-2017-13861 [HIGH] · CVSS 7.8
Posted by Ian Beer, Project Zero
TL;DR
This was an exploit for a known bug class which I had been auditing for since late 2016. The same anti-pattern which led to this vulnerability, we'll see again in Exploit Chain #3, which follows this post.
This exploit chain targets iOS 10.3 through 10.3.3. Interestingly, I also independently discovered and reported this vulnerability to Apple, and it was fixed in iOS 11.2.
This also demonstrates that Project Zero’s work does collide with bugs being exploited in the wild.
## In-the-wild iOS Exploit Chain 2 - IOSurface
targets: 5s through 7, 10.3 through 10.3.3 (vulnerability patched in 11.2)
iPhone6,1 (5s, N51AP)
iPhone6,2 (5s, N53AP)
iPhone7,1 (6 plus, N56AP)
iPhone7,2 (6, N61AP)
iPhone8,1 (6s, N71AP)
iPhone8,2 (6s plus, N66AP)
iP
Exploit-DB
iOS/macOS - 'task_swap_mach_voucher()' Use-After-Free
exploitdb · 2019-01-25 · CVE-2019-6225 [HIGH] · CVSS 7.8
---
/*
* voucher_swap-poc.c
* Brandon Azad
*/
#if 0
iOS/macOS: task_swap_mach_voucher() does not respect MIG semantics leading to use-after-free
The dangers of not obeying MIG semantics have been well documented: see issues 926 (CVE-2016-7612),
954 (CVE-2016-7633), 1417 (CVE-2017-13861, async_wake), 1520 (CVE-2018-4139), 1529 (CVE-2018-4206),
and 1629 (no CVE), as well as CVE-2018-4280 (blanket). However, despite numerous fixes and
mitigations, MIG issues persist and offer incredibly powerful exploit primitives. Part of the
problem is that MIG semantics are complicated and unintuitive and do not align well with the
kernel's abstractions.
Consider the MIG routine task_swap_mach_voucher():
routine task_swap_mach_voucher(
task : task_
Exploit-DB
Apple macOS/iOS - Kernel Double Free due to IOSurfaceRootUserClient not Respecting MIG Ownership Rules
exploitdb · 2017-12-11 · CVE-2017-13861 [HIGH] · CVSS 7.8
---
I have previously detailed the lifetime management paradigms in MIG in the writeups for:
CVE-2016-7612 [https://bugs.chromium.org/p/project-zero/issues/detail?id=926]
and
CVE-2016-7633 [https://bugs.chromium.org/p/project-zero/issues/detail?id=954]
If a MIG method returns KERN_SUCCESS it means that the method took ownership of *all* the arguments passed to it.
If a MIG method returns an error code, then it took ownership of *none* of the arguments passed to it.
If an IOKit userclient external method takes an async wake mach port argument then the lifetime of the reference
on that mach port passed to the external method will be managed by MIG semantics. If the external method retur
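The ownership rule quoted above is the entire bug, and the same rule is what the detection note on MIG error returns relies on, so here is a user-space model of it. This is an example added for this page, not XNU code and not Ian Beer's async_wake PoC: a MIG-style dispatcher that drops its reference when the method returns an error, a user client whose "already registered" path releases the reference itself and then also returns an error (the async_wake pattern), and the corrected form beside it. Every name in it (fake_port, fake_user_client, mig_dispatch_async_method, set_surface_notify_vuln, set_surface_notify_fixed) is a hypothetical stand-in for the kernel's ipc_port, IOSurfaceRootUserClient, is_io_connect_async_method and s_set_surface_notify; only the reference-count arithmetic is the real thing.

```c
/*
 * Added example for this page: a user-space model of the MIG ownership rule.
 * Not XNU code and not the async_wake PoC. fake_port, fake_user_client,
 * mig_dispatch_async_method and the set_surface_notify_* functions are
 * hypothetical stand-ins for ipc_port, IOSurfaceRootUserClient,
 * is_io_connect_async_method and s_set_surface_notify.
 */
#include <stdbool.h>
#include <stdio.h>

#define KERN_SUCCESS 0
#define KERN_FAILURE 5

/* A port with a reference count; "freed" models the port being deallocated. */
typedef struct {
    int  refs;
    bool freed;
} fake_port;

static void port_release(fake_port *p)
{
    if (p->freed)            /* release after free: the real kernel would corrupt here */
        return;
    if (--p->refs == 0)
        p->freed = true;
}

/* The user client keeps at most one registered notification port. */
typedef struct {
    fake_port *notify_port;
} fake_user_client;

typedef int (*external_method_t)(fake_user_client *uc, fake_port *wake_port);

/*
 * The MIG rule from the writeup: KERN_SUCCESS means the method took ownership
 * of every argument, an error means it took none. So on error MIG releases the
 * reference it copied in for the call.
 */
static int mig_dispatch_async_method(fake_user_client *uc, external_method_t m,
                                     fake_port *wake_port)
{
    wake_port->refs++;                 /* MIG's reference for this call */
    int kr = m(uc, wake_port);
    if (kr != KERN_SUCCESS)
        port_release(wake_port);       /* method said it consumed nothing */
    return kr;
}

/*
 * Vulnerable pattern: when a port is already registered the method releases
 * the new reference itself (releaseAsyncReference64 in the real code) and then
 * returns an error, so MIG releases the same reference a second time.
 */
static int set_surface_notify_vuln(fake_user_client *uc, fake_port *wake_port)
{
    if (uc->notify_port != NULL) {
        port_release(wake_port);
        return KERN_FAILURE;
    }
    uc->notify_port = wake_port;       /* consumes MIG's reference; success is correct */
    return KERN_SUCCESS;
}

/* Fixed pattern: on error, leave the reference alone; MIG drops it exactly once. */
static int set_surface_notify_fixed(fake_user_client *uc, fake_port *wake_port)
{
    if (uc->notify_port != NULL)
        return KERN_FAILURE;
    uc->notify_port = wake_port;
    return KERN_SUCCESS;
}

typedef struct { int refs; bool dangling; } reg_result;

/* Register once, then repeat the registration n_extra times with the same port.
 * dangling is set when the port was freed while the user client still points at it. */
static reg_result repeat_registration(external_method_t m, int n_extra)
{
    fake_user_client uc = { .notify_port = NULL };
    fake_port port = { .refs = 1, .freed = false };   /* the caller's own reference */
    mig_dispatch_async_method(&uc, m, &port);
    for (int i = 0; i < n_extra; i++)
        mig_dispatch_async_method(&uc, m, &port);
    reg_result r = { port.refs, port.freed && uc.notify_port == &port };
    return r;
}

static int  refs_after(external_method_t m, int n_extra)     { return repeat_registration(m, n_extra).refs; }
static bool dangling_after(external_method_t m, int n_extra) { return repeat_registration(m, n_extra).dangling; }

int main(void)
{
    for (int n = 0; n <= 2; n++)
        printf("repeats=%d  vuln: refs=%d dangling=%d | fixed: refs=%d dangling=%d\n", n,
               refs_after(set_surface_notify_vuln, n), dangling_after(set_surface_notify_vuln, n),
               refs_after(set_surface_notify_fixed, n), dangling_after(set_surface_notify_fixed, n));
    return 0;
}
```

With the vulnerable method, every repeated registration costs the port one reference it never gained, so two repeats bring a port that should be held by both the caller and the user client to zero references while the user client still points at it; that dangling pointer is the primitive async_wake builds on. The fixed method holds the count at two however many times the call is repeated. The only difference between the two methods is a single port_release on the error path; Apple's advisory describes the 11.2 change only as "improved memory handling", so which of the two valid fixes (do not release on error, or release and return success) shipped is not stated on this page.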
Metasploit
Safari Webkit Proxy Object Type Confusion
metasploit · CVE-2018-4233 [HIGH] · CVSS 7.8
This module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The type confusion leads to the ability to allocate fake Javascript objects, as well as the ability to find the address in memory of a Javascript object. This allows us to construct a fake JSCell object that can be used to read and write arbitrary memory from Javascript. The module then uses a ROP chain to write the first stage shellcode into executable memory within the
References
- http://packetstormsecurity.com/files/153148/Safari-Webkit-Proxy-Object-Type-Confusion.html
- http://www.securityfocus.com/bid/102134
- http://www.securitytracker.com/id/1039952
- http://www.securitytracker.com/id/1039953
- https://support.apple.com/HT208325
- https://support.apple.com/HT208327
- https://support.apple.com/HT208334
- https://www.exploit-db.com/exploits/43320/