CVE-2018-4367
Published 2019-04-03
CVE-2018-4367: A memory corruption issue was addressed with improved input validation. This issue affected versions prior to iOS 12.1.
Priority: P2 (63) · Severity: critical · CVSS 3.0 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) · Exploit available
EPSS: 6.50% (92.9th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios | — | — |
| apple | iphone_os | < 12.1 | 12.1 |
Detection & IOCs (extracted from sources)
- Monitor for unexpected dylib injection into the AVConference process via insert_dylib or DYLD_INSERT_LIBRARIES targeting /usr/lib/mylib or similar non-standard paths.
- Alert on crashes or stack-check failures (stack_chk) in the AVConference process, particularly in the readSPSandGetDecoderParams function, which may indicate exploitation via malformed H264 streams.
- Detect modification of the AVConference binary (e.g., via bspatch) by monitoring file integrity of /System/Library/PrivateFrameworks/AVConference.framework/Versions/Current/AVConference against known-good hashes.
- Detect modification of the AVConference sandbox profile at /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb, which attackers alter to permit unauthorized file read/write access.
- Flag incoming FaceTime/RTP sessions that deliver unencrypted H264 packets with malformed SPS (Sequence Parameter Set) data, as the exploit relies on stripping encryption to send crafted packets.
- Note: the PoC requires physical or remote access to both host and target devices to set up dylib injection and binary patching; exploitation in the wild without this setup may differ.
- Note: the binary patch targets a specific AVConference version (MD5: 0de78198e29ae43e686f59d550150d1b); the exploit may not function against other versions without re-patching.
- Note: the exploit triggers on call acceptance by the victim; no user interaction beyond answering a FaceTime call is required for code execution.
CVSS provenance
- NVD · CVSS v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD · CVSS v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
GHSA
GHSA-xm84-45f4-g8g6: A memory corruption issue was addressed with improved input validation
Source: GHSA (unreviewed) · 2022-05-14 · CVE-2018-4367 · CRITICAL · CWE-119
A memory corruption issue was addressed with improved input validation. This issue affected versions prior to iOS 12.1.
Project Zero
Adventures in Video Conferencing Part 2: Fun with FaceTime - Project Zero
Source: Project Zero · 2018-12-01 · referenced as CVE-2018-4366
Posted by Natalie Silvanovich, Project Zero
FaceTime is Apple’s video conferencing application for iOS and Mac. It is closed source, and does not appear to use any third-party libraries for its core functionality. I wondered whether fuzzing the contents of FaceTime’s audio and video streams would lead to similar results as WebRTC.
Fuzzing Set-up
Philipp Hancke performed an excellent analysis of FaceTime’s architecture in 2015. It is similar to WebRTC, in that it exchanges signalling information in SDP format and then uses RTP for audio and video streams. Looking at the FaceTime implementation on a Mac, it seemed the bulk of the calling functionality of FaceTime is in a daemon called avconferenced. Opening up the binary that supports its functionality, AVConference in IDA, it contains
Apple
CVE-2018-4367: iOS 12.1
Source: Apple (vendor advisory) · 2018-10-30 · CVSS 9.8 · CRITICAL
Apple Security Update: About the security content of iOS 12.1
Product: iOS
Version: 12.1
CVE: CVE-2018-4367
Component: FaceTime
Impact: A remote attacker may be able to initiate a FaceTime call causing arbitrary code execution
Description: A memory corruption issue was addressed with improved input validation.
No detection rules found.
No writeups or analysis indexed.