CVE-2018-4404
Published 2019-01-11
CVE-2018-4404: In iOS before 11.4 and macOS High Sierra before 10.13.5, a memory corruption issue exists and was addressed with improved memory handling.
Priority: P1 · 80 · high · 8.8 (CVSS 3.1)
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 13.92% (96.1st percentile)
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios | — | — |
| apple | iphone_os | < 11.4 | 11.4 |
| apple | mac_os_x | >= 10.13.0 < 10.13.5 | 10.13.5 |
| apple | macos_high_sierra_10.13.5_security_update_2018-003_sierra_security_update_2018-0 | — | — |
| apple | tvos | — | — |
| apple | watchos | — | — |
Detection & IOCs (extracted from sources)
- CVE-2018-4404 is exploited as a second-stage privilege escalation via a logic error in libxpc, abusing launchd's 'spawn_via_launchd' API to achieve command execution with elevated privileges after an initial WebKit (CVE-2018-4233) compromise. Note that the vendor entries on this page file the same CVE under the Kernel component as a memory-corruption or buffer-overflow fix, while the Metasploit module describes a libxpc logic error; treat the component attribution as unsettled and key detections on the behavioural indicators below rather than on a single vulnerable library.
- In LightSpy campaigns, CVE-2018-4404 is chained with CVE-2018-4233 (WebKit type confusion) to target macOS 10.13.3 and earlier via Safari. Detection should look for both CVEs being triggered in sequence from a browser process.
- Monitor for a Mach-O binary delivered with a .png extension (e.g. '20004312341.png') being executed on macOS; this is the LightSpy first-stage dropper that leverages CVE-2018-4404.
- Hunt for the 'macircloader' process on macOS systems; it is the LightSpy component responsible for downloading and executing the core implant and communicating with C2.
- Detect the persistence mechanism: monitor for a binary named 'update' being configured to run at startup (e.g. via a corresponding 'update.plist' LaunchAgent/LaunchDaemon plist), which is the LightSpy persistence method after exploitation of CVE-2018-4404.
- The Metasploit exploit module for CVE-2018-4404 loads a stage2 payload as a dylib ('stage2.dylib') injected into the browser process. Detect unexpected dylib loading from non-standard paths within Safari or WebKit processes.
- The Metasploit module targets macOS versions up to 10.13.3 and states that 10.13.4+ is not vulnerable to the chain. The vendor fix for CVE-2018-4404 itself is 10.13.5 (see Affected above), so a 10.13.4 host is still unpatched for this CVE even though the public chain does not run against it: prioritise detection on macOS 10.13.3 and earlier (also 10.12.6), and patch anything below 10.13.5.
- The LightSpy macOS implant's active infections appeared limited to testing environments at the time of reporting; real-world victim scope may be narrow.
- The Metasploit module's default payload is 'python/meterpreter/reverse_tcp', but it also supports command payloads. Detection rules should account for both Python and shell-based post-exploitation payloads.
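The file, persistence and process indicators above can be checked on a host without any vendor tooling. The following is an added example (not code from the cited ThreatFabric report or the Metasploit module): it identifies Mach-O content behind a .png name by magic number rather than extension, inspects launchd plists for a program whose basename is 'update', and matches 'macircloader' in `ps` output by command basename. The sample plist, `ps` listing and temp-directory tree it builds are constructed for illustration; the label 'com.example.update', the path '/Users/victim/Library/Caches/update' and the function names are assumptions, not indicators from any source.

```python
"""Hunt for the LightSpy indicators listed above on a macOS host. Added
example, not code from the cited sources; the sample data is constructed."""
import os
import plistlib
import subprocess
import tempfile

# Mach-O thin (32/64-bit, both byte orders) and fat magic numbers; a genuine
# PNG starts with \x89PNG instead, so the first four bytes settle it.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # MH_MAGIC / MH_CIGAM
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # 64-bit variants
                b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"}   # FAT_MAGIC / FAT_CIGAM
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def is_macho_header(head):
    """True if the leading bytes of a file are a Mach-O or fat header."""
    return head[:4] in MACHO_MAGICS

def find_macho_disguised_as_png(roots):
    """Paths named *.png whose content is Mach-O (the first-stage dropper)."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not name.lower().endswith(".png"):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(8)
                except OSError:          # unreadable or vanished: skip
                    continue
                if is_macho_header(head):
                    hits.append(path)
    return hits

def plist_launches_update(plist_bytes):
    """True if a launchd plist runs a binary whose basename is exactly 'update'."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:                    # neither XML nor binary plist
        return False
    if not isinstance(data, dict):
        return False
    programs = [data["Program"]] if isinstance(data.get("Program"), str) else []
    args = data.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        programs.append(args[0])
    return any(os.path.basename(p) == "update" for p in programs)

def suspicious_launch_items(plist_dirs):
    """Plist files under the given launch-item dirs that run 'update'."""
    hits = []
    for d in plist_dirs:
        for name in (os.listdir(d) if os.path.isdir(d) else []):
            path = os.path.join(d, name)
            if name.endswith(".plist") and os.path.isfile(path):
                with open(path, "rb") as fh:
                    if plist_launches_update(fh.read()):
                        hits.append(path)
    return hits

def processes_named(ps_output, needle="macircloader"):
    """Lines of `ps -axo pid=,comm=` output whose command basename is needle."""
    found = []
    for line in ps_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and os.path.basename(parts[1]).lower() == needle:
            found.append(line.strip())
    return found

# Constructed samples (not real captures) in the shapes the notes describe.
SAMPLE_UPDATE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.example.update</string>
<key>ProgramArguments</key><array><string>/Users/victim/Library/Caches/update</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
SAMPLE_BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.example.benign</string>
<key>ProgramArguments</key><array><string>/usr/bin/true</string></array></dict></plist>"""
SAMPLE_PS = """  123 /sbin/launchd
 4521 /Users/victim/Library/Caches/macircloader
 4530 /Applications/Safari.app/Contents/MacOS/Safari
"""

def build_demo_tree():
    """Write the constructed samples to a temp dir so the hunt runs offline."""
    root = tempfile.mkdtemp(prefix="lightspy_hunt_")
    samples = {"20004312341.png": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,  # Mach-O 64
               "real.png": PNG_MAGIC + b"\x00" * 8,
               "update.plist": SAMPLE_UPDATE_PLIST,
               "com.example.benign.plist": SAMPLE_BENIGN_PLIST}
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":               # live hunt on this host
    home = os.path.expanduser("~")
    ps = subprocess.run(["ps", "-axo", "pid=,comm="], capture_output=True, text=True).stdout
    print(find_macho_disguised_as_png([home]), processes_named(ps),
          suspicious_launch_items([home + "/Library/LaunchAgents", "/Library/LaunchAgents",
                                   "/Library/LaunchDaemons"]), sep="\n")
```

Run as-is it scans the current user's home, the three standard launch-item directories and the live process list; `build_demo_tree()` gives a directory with one disguised Mach-O, one real PNG and one matching plist for checking the logic first. Matching on the Mach-O magic rather than the extension is the point: the dropper keeps its .png name, so an extension-based rule never fires.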
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 8.8 | HIGH | — |
Apple
CVE-2018-4404: macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Capitan
vendor_apple · 2018-06-01 · CVSS 8.8 · [HIGH]
Apple Security Update: About the security content of macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Capitan
Product: macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Capitan
CVE: CVE-2018-4404
Component: Kernel
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A buffer overflow was addressed with improved bounds checking.
Apple
CVE-2018-4404: tvOS 11.4
vendor_apple · 2018-05-29 · CVSS 8.8 · [HIGH]
Apple Security Update: About the security content of tvOS 11.4
Product: tvOS
Version: 11.4
CVE: CVE-2018-4404
Component: Kernel
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A buffer overflow was addressed with improved bounds checking.
Apple
CVE-2018-4404: iOS 11.4
vendor_apple · 2018-05-29 · CVSS 8.8 · [HIGH]
Apple Security Update: About the security content of iOS 11.4
Product: iOS
Version: 11.4
CVE: CVE-2018-4404
Component: Kernel
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
Apple
CVE-2018-4404: watchOS 4.3.1
vendor_apple · 2018-05-29 · CVSS 8.8 · [HIGH]
Apple Security Update: About the security content of watchOS 4.3.1
Product: watchOS
Version: 4.3.1
CVE: CVE-2018-4404
Component: Kernel
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
GHSA
GHSA-gqp4-fjf3-jx5v: In iOS before 11
ghsa_unreviewed · 2022-05-14 · CVE-2018-4404 [HIGH] · CWE-119
In iOS before 11.4 and macOS High Sierra before 10.13.5, a memory corruption issue exists and was addressed with improved memory handling.
VulnCheck
Apple iphone_os Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck · 2018 · CVSS 8.8 · CVE-2018-4404 [HIGH]
In iOS before 11.4 and macOS High Sierra before 10.13.5, a memory corruption issue exists and was addressed with improved memory handling.
Affected: Apple iphone_os
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.threatfabric.com/blogs/lightspy-implant-for-macos
No detection rules found.
Exploit-DB
Safari - Proxy Object Type Confusion (Metasploit)
exploitdb · 2018-12-14 · CVSS 8.8 · CVE-2018-4404 [HIGH]
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  # ...
      'Name'        => 'Safari Proxy Object Type Confusion',
      'Description' => %q{
        This module exploits a type confusion bug in the Javascript Proxy object in
        WebKit. The DFG JIT does not take into account that, through the use of a Proxy,
        it is possible to run arbitrary JS code during the execution of a CreateThis
        operation. This makes it possible to change the structure of e.g. an argument
        without causing a bailout, leading to a type confusion (CVE-2018-4233).
        The JIT region is then replaced with shellcode which loads the second stage.
        The second stage exploits a logic error in libxpc, which uses command execution
        via the launchd's "spawn_via_launchd" API (CVE-2018-4404).
      },
```
Metasploit
Safari Proxy Object Type Confusion
metasploit · CVSS 8.8 · CVE-2018-4233 [HIGH]
This module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The JIT region is then replaced with shellcode which loads the second stage. The second stage exploits a logic error in libxpc, which uses command execution via the launchd's "spawn_via_launchd" API (CVE-2018-4404).