CVE-2017-2370
Published: 2017-02-20
Priority: P3 54 · Severity: high · CVSS 3.0: 7.8
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT · EPSS 11.36% (95.4th percentile)
An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. macOS before 10.12.3 is affected. tvOS before 10.1.1 is affected. watchOS before 3.1.3 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (buffer overflow) via a crafted app.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios | — | — |
| apple | iphone_os | < 10.2.1 | 10.2.1 |
| apple | mac_os_x | < 10.12.3 | 10.12.3 |
| apple | macos_sierra | — | — |
| apple | tvos | < 10.1.1 | 10.1.1 |
| apple | tvos | — | — |
| apple | watchos | < 3.1.3 | 3.1.3 |
| apple | watchos | — | — |
Detection & IOCs (extracted from sources)
- Monitor for userspace calls to the `mach_voucher_extract_attr_recipe_trap` Mach trap with a crafted `recipe_size` userspace pointer designed to trigger a kernel heap overflow; the trap is callable from any context and requires no special privileges.
- Detect exploitation attempts where the `recipe_size` argument (a userspace pointer) is passed as the `size` parameter to `copyin` instead of the validated `sz` value, enabling a fully controlled kernel heap overflow.
- Flag processes on macOS Sierra 10.12.1 (build 16B2555) or iOS 10.2 (iPod Touch 6G, build 14C92) invoking `mach_voucher_extract_attr_recipe_trap` with a `sz` value between 256 (MACH_VOUCHER_TRAP_STACK_LIMIT) and 5120 (MACH_VOUCHER_ATTR_MAX_RAW_RECIPE_ARRAY_SIZE), which triggers the vulnerable heap allocation path.
- The vulnerability exists in the Kernel component across multiple Apple platforms; patched versions are iOS 10.2.1, macOS Sierra 10.12.3, tvOS 10.1.1, and watchOS 3.1.3 — detections should be scoped to devices running older versions.
- The PoC exploit specifically targets macOS Sierra 10.12.1 (build 16B2555) and iOS 10.2 on iPod Touch 6G (build 14C92); detections tuned to these exact builds will have the highest fidelity.
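A constructed C model of the size confusion described in the detection notes above, added here for illustration; it is not XNU's code and not Project Zero's. It assumes a flat simulated user address space and a simulated `copyin` that reports, instead of performing, a copy that exceeds the kernel buffer; the two bounds are the values quoted above.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Bounds quoted in the detection notes above. */
#define MACH_VOUCHER_TRAP_STACK_LIMIT 256
#define MACH_VOUCHER_ATTR_MAX_RAW_RECIPE_ARRAY_SIZE 5120
/* Constructed flat "user address space" so the model runs in userland. */
static uint8_t user_mem[8192];
static void user_write_u32(uintptr_t uaddr, uint32_t v) {
    memcpy(user_mem + uaddr, &v, sizeof v);
}
/* Simulated copyin: returns -1 on an unmapped user range (a real copyin would
 * fail with EFAULT) and sets *overflowed when the requested length exceeds the
 * kernel destination's capacity. Copies only what fits, so the model is safe. */
static int sim_copyin(uintptr_t uaddr, void *kdst, size_t kcap, size_t len,
                      int *overflowed) {
    if (uaddr > sizeof user_mem || len > sizeof user_mem - uaddr) return -1;
    *overflowed = len > kcap;
    memcpy(kdst, user_mem + uaddr, len > kcap ? kcap : len);
    return 0;
}
/* Model of the trap's heap path. recipe_size_uptr is the user POINTER to the
 * caller's size; sz is the size read through it and bounds-checked.
 * Returns 1 if the copy overruns the heap buffer, 0 if safe, -1 on error. */
static int extract_recipe(uintptr_t recipe_uaddr, uintptr_t recipe_size_uptr,
                          int use_fixed) {
    uint32_t sz;
    int ovf;
    if (sim_copyin(recipe_size_uptr, &sz, sizeof sz, sizeof sz, &ovf) != 0)
        return -1;
    if (sz > MACH_VOUCHER_ATTR_MAX_RAW_RECIPE_ARRAY_SIZE) return -1;
    if (sz < MACH_VOUCHER_TRAP_STACK_LIMIT) return 0; /* stack path, not modelled */
    uint8_t *krecipe = malloc(sz);   /* heap buffer sized by the validated sz */
    if (!krecipe) return -1;
    /* Vulnerable variant: the pointer VALUE is used as the byte count, so the
     * caller controls the copy length independently of the validated sz. */
    size_t len = use_fixed ? (size_t)sz : (size_t)recipe_size_uptr;
    int rc = sim_copyin(recipe_uaddr, krecipe, sz, len, &ovf);
    free(krecipe);
    return rc != 0 ? -1 : ovf;
}
/* Constructed scenario: a size word of 1024 stored at user address 4096. */
static int demo(int use_fixed) {
    user_write_u32(4096, 1024);
    return extract_recipe(0, 4096, use_fixed);
}
```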
CVSS provenance
- NVD v3.0: 7.8 HIGH · CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- NVD v2.0: 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
Apple: CVE-2017-2370: watchOS 3.1.3
vendor_apple · 2017-01-23 · CVSS 7.8 (HIGH)
Apple Security Update: About the security content of watchOS 3.1.3
Product: watchOS
Version: 3.1.3
CVE: CVE-2017-2370
Component: Kernel
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A buffer overflow issue was addressed through improved memory handling.
Apple: CVE-2017-2370: iOS 10.2.1
vendor_apple · 2017-01-23 · CVSS 7.8 (HIGH)
Apple Security Update: About the security content of iOS 10.2.1
Product: iOS
Version: 10.2.1
CVE: CVE-2017-2370
Component: Kernel
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A buffer overflow issue was addressed through improved memory handling.
Apple: CVE-2017-2370: tvOS 10.1.1
vendor_apple · 2017-01-23 · CVSS 7.8 (HIGH)
Apple Security Update: About the security content of tvOS 10.1.1
Product: tvOS
Version: 10.1.1
CVE: CVE-2017-2370
Component: Kernel
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A buffer overflow issue was addressed through improved memory handling.
Apple: CVE-2017-2370: macOS Sierra 10.12.3
vendor_apple · 2017-01-23 · CVSS 7.8 (HIGH)
Apple Security Update: About the security content of macOS Sierra 10.12.3
Product: macOS Sierra
Version: 10.12.3
CVE: CVE-2017-2370
Component: Kernel
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A buffer overflow issue was addressed through improved memory handling.
GHSA: GHSA-5p8h-f8cp-mr9j: An issue was discovered in certain Apple products
ghsa_unreviewed · 2022-05-14 · HIGH · CWE-119
Description: same text as the CVE description above.
Project Zero: An iOS hacker tries Android
project_zero · 2020-12-01 · CVSS 7.8 (HIGH)
Written by Brandon Azad, when working at Project Zero
One of the amazing aspects of working at Project Zero is having the flexibility to direct my own research agenda. My prior work has almost exclusively focused on iOS exploitation, but back in August, I thought it could be interesting to try writing a kernel exploit for Android to see how it compares. I have two aims for this blog post: First, I will walk you through my full journey from bug description to kernel read/write/execute on the Samsung Galaxy S10, starting from the perspective of a pure-iOS security researcher. Second, I will try to emphasize some of the major security/exploitation differences between the two platforms that I have observed.
You can find the fully-commented exploit code attached in issue 2073.
In November
Project Zero: A survey of recent iOS kernel exploits
project_zero · 2020-06-01 · indexed under CVE-2016-7644
Posted by Brandon Azad, Project Zero
I recently found myself wishing for a single online reference providing a brief summary of the high-level exploit flow of every public iOS kernel exploit in recent years; since no such document existed, I decided to create it here.
This post summarizes original iOS kernel exploits from local app context targeting iOS 10 through iOS 13, focusing on the high-level exploit flow from the initial primitive granted by the vulnerability to kernel read/write. At the end of this post, we will briefly look at iOS kernel exploit mitigations (in both hardware and software) and how they map onto the techniques used in the exploits.
This isn't your typical P0 blog post: There is no gripping zero-day exploitation, or novel exploitation research, or thrilling mal
Project Zero: Exception-oriented exploitation on iOS
project_zero · 2017-04-01 · CVSS 7.8 (HIGH)
Posted by Ian Beer, Project Zero
This post covers the discovery and exploitation of CVE-2017-2370, a heap buffer overflow in the mach_voucher_extract_attr_recipe_trap mach trap. It covers the bug, the development of an exploitation technique which involves repeatedly and deliberately crashing and how to build live kernel introspection features using old kernel exploits.
It’s a trap!
Alongside a large number of BSD syscalls (like ioctl, mmap, execve and so on) XNU also has a small number of extra syscalls supporting the MACH side of the kernel called mach traps. Mach trap syscall numbers start at 0x1000000. Here’s a snippet from the syscall_sw.c file where the trap table is defined:
```c
/* 12 */ MACH_TRAP(_kernelrpc_mach_vm_deallocate_trap, 3, 5, munge_wll),
/* 13 */ MACH_TRAP(kern_inva
```
No detection rules found.
No writeups or analysis indexed.
References
- http://www.securityfocus.com/bid/95731
- http://www.securitytracker.com/id/1037668
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1004
- https://support.apple.com/HT207482
- https://support.apple.com/HT207483
- https://support.apple.com/HT207485
- https://support.apple.com/HT207487
- https://www.exploit-db.com/exploits/41163/