Zimperium zLabs iOS Security Advisories

As part of zLab’s platform research team, I’ve tried to investigate an area of the kernel that wasn’t thoroughly researched before.  After digging into some of Apple’s closed-source kernel modules, one code chunk led to another and I’ve noticed a little-known module, which I’ve never seen before, called AppleAVE.

AppleAVE was written neglecting basic security fundamentals, to the extent that the vulnerabilities described below were sufficient to pwn the kernel and gain arbitrary RW and root. Needless to say, due to the defragmentation of Apple’s codebase for iOS, every iOS device running 10.3.1 or lower is currently vulnerable.

I’ve responsibly disclosed the vulnerabilities and Apple issued a security patch.

Apple’s recent security patch that was shipped along with iOS 10.3.2, addresses 8 vulnerabilities I discovered: one vulnerability in the IOSurface kernel extension the other 7 in AppleAVEDriver.kext.

These vulnerabilities would allow elevation of privileges which ultimately can be used by the attacker to take complete control over affected devices.

The following table summarizes of the vulnerabilities, as sent to Apple:

CVE-ID Component Impact Summary
CVE-2017-6979 IOSurface.kext Elevation of Privileges A race condition
vulnerability inside IOSurface.kext driver; enables an attacker
to bypass sanity checks, for the creation of an IOSurface object.
CVE-2017-6989 AppleAVE.kext Information Disclosure A vulnerability in the
AppleAVE.kext kernel extension; enables an attacker to drop the
refcount of any IOSurface object in the kernel.
CVE-2017-6994 AppleAVE.kext Elevation of Privileges An information disclosure
vulnerability in the AppleAVE.kext kernel extension; enables an
attacker to leak the kernel address of any IOSurface object in the
system.
CVE-2017-6995 AppleAVE.kext Information
Disclosure/DoS/EoP
A type confusion
vulnerability in the AppleAVE.kext kernel extension; enables an
attacker to send an arbitrary kernel pointer which will be used by
the kernel as a pointer to a valid IOSurface object.
CVE-2017-6996 AppleAVE.kext Information
Disclosure/DoS/EoP
An attacker can free any
memory block of size 0x28.
CVE-2017-6997 AppleAVE.kext Information
Disclosure/DoS/EoP
An attacker can free any
pointer of size 0x28.
CVE-2017-6998 AppleAVE.kext Information
Disclosure/DoS/EoP
An attacker can hijack
kernel code execution due to a type confusion
CVE-2017-6999 AppleAVE.kext Information
Disclosure/DoS/EoP
A user-controlled pointer is
zeroed.

Additional technical information, including a PoC, will be released soon to Zimperium Handset Alliance and afterward to the public. The public release is currently delayed upon Apple’s request.

I would like to thank Apple for their incredible, responsible and fast security team, for addressing those vulnerabilities quickly and efficiently.

Zimperium offers protection against known and unknown threats targeting Apple iOS and Google Android devices. Zimperium’s patented machine-learning technology, z9, has detected every discovered exploit over the last five years without requiring updates. z9 protects users in real-time with on-device detection that does not suffer from the delays and limitations of cloud-only detection approaches.  

Zimperium’s renowned zLabs performs extensive research on mobile and IoT operating systems to stay ahead of the evolving cybersecurity landscape. zLabs has identified and disclosed numerous vulnerabilities, and is the creator of the Zimperium Handset Alliance and the mobile N-Days Exploit Acquisition Program


Follow Us