cbcvebase.
CVE-2018-4404
published 2019-01-11

CVE-2018-4404: In iOS before 11.4 and macOS High Sierra before 10.13.5, a memory corruption issue exists and was addressed with improved memory handling.

Priority: P1 (80, high)
CVSS 3.1: 8.8 (AV:A / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
In-the-wild exploitation: VulnCheck KEV (exploited in the wild)
EPSS: 13.92% (96.1th percentile)

Affected (6 ranges)

Vendor   Product                                                                          Version range            Fixed in
apple    ios                                                                              -                        -
apple    iphone_os                                                                        < 11.4                   11.4
apple    mac_os_x                                                                         >= 10.13.0 < 10.13.5     10.13.5
apple    macos_high_sierra_10.13.5_security_update_2018-003_sierra_security_update_2018-0 -                        -
apple    tvos                                                                             -                        -
apple    watchos                                                                          -                        -

Detection & IOCs (extracted from sources)

filename: 20004312341.png
filename: ssudo
filename: ddss
filename: mac.zip
filename: update
filename: update.plist
process: macircloader
path: data/exploits/CVE-2018-4233/stage1.bin
path: data/exploits/CVE-2018-4404/stage2.dylib
  • CVE-2018-4404 is exploited as a second-stage privilege escalation via a logic error in libxpc, abusing launchd's 'spawn_via_launchd' API to achieve command execution with elevated privileges after an initial WebKit (CVE-2018-4233) compromise.
  • In LightSpy campaigns, CVE-2018-4404 is chained with CVE-2018-4233 (WebKit type confusion) to target macOS 10.13.3 and earlier via Safari. Detection should look for both CVEs being triggered in sequence from a browser process.
  • Monitor for a Mach-O binary delivered with a .png extension (e.g., '20004312341.png') being executed on macOS, which is indicative of the LightSpy first-stage dropper leveraging CVE-2018-4404.
  • Hunt for the 'macircloader' process on macOS systems, which is the LightSpy component responsible for downloading and executing the core implant and communicating with C2.
  • Detect persistence mechanism: monitor for a binary named 'update' being configured to run at startup (e.g., via a corresponding 'update.plist' LaunchAgent/LaunchDaemon plist), which is the LightSpy persistence method post-exploitation of CVE-2018-4404.
  • The Metasploit exploit module for CVE-2018-4404 loads a stage2 payload as a dylib ('stage2.dylib') injected into the browser process. Detect unexpected dylib loading from non-standard paths within Safari or WebKit processes.
  • The Metasploit module targets macOS versions up to 10.13.3 and warns that 10.13.4+ is not vulnerable. Prioritize detection on unpatched macOS 10.13.3 and earlier (also 10.12.6) systems.
  • The LightSpy macOS implant's active infections appear limited to testing environments at time of reporting; real-world victim scope may be narrow.
  • The Metasploit module's default payload is 'python/meterpreter/reverse_tcp', but it also supports command payloads. Detection rules should account for both Python and shell-based post-exploitation payloads.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      8.8     HIGH       CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v3.0      7.8     HIGH       CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd         v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck   -         8.8     HIGH       -