Apple iOS Kernel组件安全漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1360586 漏洞类型 缓冲区错误
发布时间 2018-10-20 更新时间 2019-04-09
CVE编号 CVE-2018-4337 CNNVD-ID CNNVD-201810-1075
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2018100171
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201810-1075
|漏洞详情
Apple iOS等都是美国苹果(Apple)公司的产品。Apple iOS是一套为移动设备所开发的操作系统。Apple tvOS是一套智能电视操作系统。Apple macOS Mojave是一套专为Mac计算机所开发的专用操作系统。Kernel是其中的一个内核组件。 多款Apple产品中的Kernel组件存在缓冲区错误漏洞。该漏洞源于网络系统或产品在内存上执行操作时,未正确验证数据边界,导致向关联的其他内存位置上执行了错误的读写操作。攻击者可利用该漏洞导致缓冲区溢出或堆溢出等。以下产品和版本受到影响:Apple iOS 12之前版本;macOS Mojave 10.14之前版本;tvOS 12之前版本;watchOS 5之前版本。
|漏洞EXP
iOS kernel UaF due to bad error handling in personas 

CVE-2018-4337


There was recently some cleanup in the persona code to fix some race conditions there, I don't think it was sufficient:

 In kpersona_alloc_syscall if we provide an invalid userspace pointer for the ipd outptr we can cause this copyout to fail:
 
  error = copyout(&persona->pna_id, idp, sizeof(persona->pna_id));
  if (error)
    goto out_error;

This jumps here:
  if (persona)
    persona_put(persona);

At this point the persona is actually in the global list and the reference has been transfered there; this code
is mistakenly assuming that userspace can't still race a dealloc call because it doesn't know the id.

The id is attacker controlled so it's easy to still race this (ie we call persona_alloc in one thread, and dealloc in another),
causing an extra call to persona_put.

It's probably possible to make the failing copyout take a long time,
allowing us to gc and zone-swap the page leading to the code attempting to drop a ref on a different type.
 
This PoC has been tested on iOS 11.3.1 because it requires root. I have taken a look at an iOS 12 beta and it looks like the vuln
is still there, but I cannot test it.
 
It should be easy to fix up this PoC to run as root in your testing environment.



Found by: ianbeer

|参考资料

来源:packetstormsecurity.com

链接:http://packetstormsecurity.com/files/149870/iOS-Kernel-Personas-Use-After-Free.html