CVE-2018-4367
published 2019-04-03

CVE-2018-4367: A memory corruption issue was addressed with improved input validation. This issue affected versions prior to iOS 12.1.

Priority: P263 | Severity: critical | Score: 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT (public PoC available)
EPSS: 6.50% (92.9th percentile)

Affected (2 ranges)

Vendor   Product     Version range   Fixed in
apple    ios
apple    iphone_os   < 12.1          12.1

Detection & IOCs (extracted from sources)

url:  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45787.zip
path: /System/Library/PrivateFrameworks/AVConference.framework/Versions/Current/AVConference
path: /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb
  • Monitor for unexpected dylib injection into the AVConference process via insert_dylib or DYLD_INSERT_LIBRARIES targeting /usr/lib/mylib or similar non-standard paths.
  • Alert on crashes or stack-check failures (stack_chk) in the AVConference process, particularly in the readSPSandGetDecoderParams function, which may indicate exploitation via malformed H264 streams.
  • Detect modification of the AVConference binary (e.g., via bspatch) by monitoring file integrity of /System/Library/PrivateFrameworks/AVConference.framework/Versions/Current/AVConference against known-good hashes.
  • Detect modification of the AVConference sandbox profile at /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb, which attackers alter to permit unauthorized file read/write access.
  • Flag incoming FaceTime/RTP sessions that deliver unencrypted H264 packets with malformed SPS (Sequence Parameter Set) data, as the exploit relies on stripping encryption to send crafted packets.
  • The PoC requires physical or remote access to both host and target devices to set up dylib injection and binary patching; exploitation in the wild without this setup may differ.
  • The binary patch targets a specific AVConference version (MD5: 0de78198e29ae43e686f59d550150d1b); the exploit may not function against other versions without re-patching.
  • The exploit triggers on call acceptance by the victim; no user interaction beyond answering a FaceTime call is required for code execution.

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P