Apple iOS kernel use-after-free due to bad error handling in personas - Vulnerability / Exploit
Exploits / Vulnerability Discovered : 2018-10-22 | Type : dos | Platform : ios
This exploit / vulnerability (Apple iOS kernel use-after-free due to bad error handling in personas) is for educational purposes only; if you use it, you do so at your own risk!
[+] Code ...
/*
iOS kernel UaF due to bad error handling in personas

There was recently some cleanup in the persona code to fix some race conditions there; I don't think it was sufficient.

In kpersona_alloc_syscall, if we provide an invalid userspace pointer for the idp outptr we can cause this copyout to fail:

    error = copyout(&persona->pna_id, idp, sizeof(persona->pna_id));
    if (error)
        goto out_error;

This jumps here:

    if (persona)
        persona_put(persona);

At this point the persona is actually in the global list and the reference has been transferred there; this code
is mistakenly assuming that userspace can't still race a dealloc call because it doesn't know the id.
The id is attacker controlled, so it's easy to still race this (i.e. we call persona_alloc in one thread and dealloc in another),
causing an extra call to persona_put.

It's probably possible to make the failing copyout take a long time,
allowing us to gc and zone-swap the page, leading to the code attempting to drop a ref on a different type.

This PoC has been tested on iOS 11.3.1 because it requires root. I have taken a look at an iOS 12 beta and it looks like the vuln
is still there, but I cannot test it.

It should be easy to fix up this PoC to run as root in your testing environment.
*/
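The bug class described in the comment above is a reference-ownership mistake on an error path: the freshly allocated object is published in a global list (so the list now owns the reference), yet the failing-copyout path still drops that reference, leaving the list pointing at a released object that a concurrent dealloc by id can then touch. The following user-space C model is an added illustration written for this page; it is not the PoC or XNU's code, and its `struct persona`, pool, list and `model_copyout` are toy stand-ins. It places the vulnerable error path beside one corrected form (unlink from the list before dropping the reference; this is a generic fix for the pattern, not a claim about Apple's actual patch) and adds a checker that a reviewer or fuzzer harness could use to detect the dangling list entry without dereferencing freed memory.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration, not the bug report's PoC: a user-space model of the
 * reference-ownership mistake in the error path. All names here are toy
 * stand-ins for XNU's persona code, not its real types or functions. */

enum state { SLOT_FREE = 0, SLOT_LIVE = 1, SLOT_FREED = 2 }; /* FREED: released but still reachable */

struct persona {
    int id;
    int refcount;
    enum state st;
    struct persona *next;   /* link in the global persona list */
};

#define POOL_SIZE 8
static struct persona pool[POOL_SIZE];  /* fixed pool so a dangling entry can be inspected safely */
static struct persona *global_list;     /* models the kernel's global list of personas */

void reset_model(void) {
    memset(pool, 0, sizeof pool);
    global_list = NULL;
}

/* copyout() stand-in: a NULL "user pointer" fails with EFAULT, as an invalid address would. */
static int model_copyout(const int *src, int *user_dst) {
    if (user_dst == NULL) return 14;    /* EFAULT */
    *user_dst = *src;
    return 0;
}

static struct persona *persona_alloc(int id) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pool[i].st == SLOT_FREE) {
            pool[i].id = id;
            pool[i].refcount = 1;       /* the single reference the allocating path starts with */
            pool[i].st = SLOT_LIVE;
            pool[i].next = NULL;
            return &pool[i];
        }
    }
    return NULL;
}

/* Dropping the last reference releases the object; it does NOT unlink it from the list. */
static void persona_put(struct persona *p) {
    if (--p->refcount == 0) p->st = SLOT_FREED;
}

static void list_add(struct persona *p) { p->next = global_list; global_list = p; }

static void list_remove(struct persona *p) {
    for (struct persona **pp = &global_list; *pp; pp = &(*pp)->next)
        if (*pp == p) { *pp = p->next; return; }
}

/* Vulnerable pattern: the reference is handed to the global list, yet the error path
 * still drops it, leaving the list pointing at a released object. */
int alloc_syscall_buggy(int id, int *user_idp) {
    struct persona *p = persona_alloc(id);
    if (!p) return 12;                  /* ENOMEM */
    list_add(p);                        /* ownership of the reference moves to the list here */
    int error = model_copyout(&p->id, user_idp);
    if (error) {
        persona_put(p);                 /* BUG: drops a reference this path no longer owns */
        return error;
    }
    return 0;
}

/* Corrected pattern: take the object back out of the list before dropping the reference,
 * so the error path only ever releases what it still owns. */
int alloc_syscall_fixed(int id, int *user_idp) {
    struct persona *p = persona_alloc(id);
    if (!p) return 12;
    list_add(p);
    int error = model_copyout(&p->id, user_idp);
    if (error) {
        list_remove(p);                 /* reclaim the reference from the list first */
        persona_put(p);                 /* now releases the only reference; nothing dangles */
        return error;
    }
    return 0;
}

/* Model of the dealloc-by-id path. Returns -1 when the lookup lands on an already
 * released object: in real memory that is the use-after-free the comment describes. */
int dealloc_syscall(int id) {
    for (struct persona *p = global_list; p; p = p->next) {
        if (p->id != id) continue;
        if (p->st != SLOT_LIVE) return -1;
        list_remove(p);
        persona_put(p);
        return 0;
    }
    return 3;                           /* ESRCH: no such persona */
}

/* Defender's check: does the global list still reach an object that was already released? */
int list_has_dangling_entry(void) {
    for (struct persona *p = global_list; p; p = p->next)
        if (p->st != SLOT_LIVE) return 1;
    return 0;
}

int list_length(void) {
    int n = 0;
    for (struct persona *p = global_list; p; p = p->next) n++;
    return n;
}

/* Success path helper: allocate with a valid "user pointer" and return the id copied out. */
int alloc_and_read_id(int id) {
    int out = -1;
    if (alloc_syscall_fixed(id, &out) != 0) return -1;
    return out;
}
```

The model is single-threaded on purpose: the race the comment describes only matters because the buggy error path leaves a released object reachable from the global list, and `list_has_dangling_entry()` exposes exactly that precondition. When auditing similar kernel paths, the question to ask at every `goto out_error` is which reference the current path still owns after the object became globally visible.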