CVE-2019-6225
Published 2019-03-05
high · 7.8 · CVSS 3.0
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 12.1.3, macOS Mojave 10.14.3, tvOS 12.1.2. A malicious application may be able to elevate privileges.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios | — | — |
| apple | ios | >= unspecified < iOS 12.1.3 | iOS 12.1.3 |
| apple | iphone_os | < 12.1.3 | 12.1.3 |
| apple | mac_os_x | < 10.14.3 | 10.14.3 |
| apple | macos | >= unspecified < macOS Mojave 10.14.3 | macOS Mojave 10.14.3 |
| apple | macos_mojave_10.14.3_security_update_2019-001_high_sierra_security_update_2019-0 | — | — |
| apple | tvos | < 12.1.2 | 12.1.2 |
| apple | tvos | — | — |
| apple | tvos | >= unspecified < tvOS 12.1.2 | tvOS 12.1.2 |
GHSA
GHSA-8mrj-hp45-r838: A memory corruption issue was addressed with improved validation
ghsa_unreviewed·2022-05-13
CVE-2019-6225 [HIGH] CWE-787 GHSA-8mrj-hp45-r838: A memory corruption issue was addressed with improved validation
A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 12.1.3, macOS Mojave 10.14.3, tvOS 12.1.2. A malicious application may be able to elevate privileges.
Project0
A survey of recent iOS kernel exploits - Project Zero
project_zero·2020-06-01
CVE-2016-7644 A survey of recent iOS kernel exploits - Project Zero
Posted by Brandon Azad, Project Zero
I recently found myself wishing for a single online reference providing a brief summary of the high-level exploit flow of every public iOS kernel exploit in recent years; since no such document existed, I decided to create it here.
This post summarizes original iOS kernel exploits from local app context targeting iOS 10 through iOS 13, focusing on the high-level exploit flow from the initial primitive granted by the vulnerability to kernel read/write. At the end of this post, we will briefly look at iOS kernel exploit mitigations (in both hardware and software) and how they map onto the techniques used in the exploits.
This isn't your typical P0 blog post: There is no gripping zero-day exploitation, or novel exploitation research, or thrilling mal
Project0
In-the-wild iOS Exploit Chain 5 - Project Zero
project_zero·2019-08-01·CVSS 7.8
CVE-2019-6225 [HIGH] In-the-wild iOS Exploit Chain 5 - Project Zero
Posted by Ian Beer, Project Zero
TL;DR
This exploit chain is a three way collision between this attacker group, Brandon Azad from Project Zero, and @S0rryMybad from 360 security.
On November 17th 2018, @S0rryMybad used this vulnerability to win $200,000 USD at the TianFu Cup PWN competition. Brandon Azad independently discovered and reported the same issue to Apple on December 6th, 2018. Apple patched this issue on January 22, 2019, with both @S0rryMyBad and Brandon credited in the release notes for iOS 12.1.4 (CVE-2019-6225). It even won a pwnie at Blackhat 2019 for best privilege escalation bug!
So, why did the attackers, who already possessed then-functioning iOS Exploit Chain 4 (that contained the 0-days reported to Apple in February 2019), leave that chain and move to this bra
Project0
voucher_swap: Exploiting MIG reference counting in iOS 12 - Project Zero
project_zero·2019-01-01·CVSS 7.8
CVE-2019-6225 [HIGH] voucher_swap: Exploiting MIG reference counting in iOS 12 - Project Zero
Posted by Brandon Azad, Project Zero
In this post I'll describe how I discovered and exploited CVE-2019-6225, a MIG reference counting vulnerability in XNU's task_swap_mach_voucher() function. We'll see how to exploit this bug on iOS 12.1.2 to build a fake kernel task port, giving us the ability to read and write arbitrary kernel memory. (This bug was independently discovered by @S0rryMybad.) In a later post, we'll look at how to use this bug as a starting point to analyze and bypass Apple's implementation of ARMv8.3 Pointer Authentication (PAC) on A12 devices like the iPhone XS.
A curious discovery
MIG is a tool that generates Mach message parsing code, and vulnerabilities resulting from violating MIG semantics are nothing new: for example, Ian Beer's async_wake exploited an issue whe
Apple
CVE-2019-6225: macOS Mojave 10.14.3, Security Update 2019-001 High Sierra, Security Update 2019-001 Sierra
vendor_apple·2019-01-22·CVSS 7.8
CVE-2019-6225 [HIGH] CVE-2019-6225: macOS Mojave 10.14.3, Security Update 2019-001 High Sierra, Security Update 2019-001 Sierra
Apple Security Update: About the security content of macOS Mojave 10.14.3, Security Update 2019-001 High Sierra, Security Update 2019-001 Sierra
Product: macOS Mojave 10.14.3, Security Update 2019-001 High Sierra, Security Update 2019-001 Sierra
CVE: CVE-2019-6225
Component: Kernel
Impact: A malicious application may be able to elevate privileges
Description: A memory corruption issue was addressed with improved validation.
Apple
CVE-2019-6225: iOS 12.1.3
vendor_apple·2019-01-22·CVSS 7.8
CVE-2019-6225 [HIGH] CVE-2019-6225: iOS 12.1.3
Apple Security Update: About the security content of iOS 12.1.3
Product: iOS
Version: 12.1.3
CVE: CVE-2019-6225
Component: Kernel
Impact: A malicious application may be able to elevate privileges
Description: A memory corruption issue was addressed with improved validation.
Apple
CVE-2019-6225: tvOS 12.1.2
vendor_apple·2019-01-22·CVSS 7.8
CVE-2019-6225 [HIGH] CVE-2019-6225: tvOS 12.1.2
Apple Security Update: About the security content of tvOS 12.1.2
Product: tvOS
Version: 12.1.2
CVE: CVE-2019-6225
Component: Kernel
Impact: A malicious application may be able to elevate privileges
Description: A memory corruption issue was addressed with improved validation.
No detection rules found.
Tenable
Apple iOS 12.1.3 Security Updates Address Multiple Vulnerabilities
blogs_tenable·2019-01-23
Apple iOS 12.1.3 Security Updates Address Multiple Vulnerabilities
Tenable
Apple iOS 12.1.3 Security Updates Address Multiple Vulnerabilities
blogs_tenable·2019-01-23·CVSS 7.8
CVE-2019-6227 [HIGH] Apple iOS 12.1.3 Security Updates Address Multiple Vulnerabilities
# Apple iOS 12.1.3 Security Updates Address Multiple Vulnerabilities
Ryan Seguin
January 23, 2019
Apple has released iOS 12.1.3 to fix 31 CVEs including a FaceTime remote code execution vulnerability
### Background
On January 22, Apple released iOS 12.1.3, which includes fixes for 31 different CVEs across multiple apps and services. This update also includes fixes for CVE-2019-6227 and CVE-2019-6225, which security researcher Qixun Zhao of Qihoo 360 Vulcan Team reportedly used in a code execution attack through FaceTime. The attack requires a user to tap on a malicious link, which could be achieved through social engineering.
### Analysis
An attacker could craft a malicious FaceTime link that, when clicked, exploits a kernel bug in
References
http://www.securityfocus.com/bid/106695
https://support.apple.com/HT209443
https://support.apple.com/HT209446
https://support.apple.com/HT209447
https://www.exploit-db.com/exploits/46248/