As part of zLab’s platform research team, I’ve tried to investigate an area of the kernel that wasn’t thoroughly researched before. After digging into some of Apple’s closed-source kernel modules, one code chunk led to another and I’ve noticed a little-known module, which I’ve never seen before, called AppleAVE.
AppleAVE was written neglecting basic security fundamentals, to the extent that the vulnerabilities described below were sufficient to pwn the kernel and gain arbitrary RW and root. Needless to say, due to the defragmentation of Apple’s codebase for iOS, every iOS device running 10.3.1 or lower is currently vulnerable.
I’ve responsibly disclosed the vulnerabilities and Apple issued a security patch.
Apple’s recent security patch that was shipped along with iOS 10.3.2, addresses 8 vulnerabilities I discovered: one vulnerability in the IOSurface kernel extension the other 7 in AppleAVEDriver.kext.
These vulnerabilities would allow elevation of privileges which ultimately can be used by the attacker to take complete control over affected devices.
The following table summarizes of the vulnerabilities, as sent to Apple:
| CVE-ID | Component | Impact | Summary |
| CVE-2017-6979 | IOSurface.kext | Elevation of Privileges | A race condition vulnerability inside IOSurface.kext driver; enables an attacker to bypass sanity checks, for the creation of an IOSurface object. |
| CVE-2017-6989 | AppleAVE.kext | Information Disclosure | A vulnerability in the AppleAVE.kext kernel extension; enables an attacker to drop the refcount of any IOSurface object in the kernel. |
| CVE-2017-6994 | AppleAVE.kext | Elevation of Privileges | An information disclosure vulnerability in the AppleAVE.kext kernel extension; enables an attacker to leak the kernel address of any IOSurface object in the system. |
| CVE-2017-6995 | AppleAVE.kext | Information Disclosure/DoS/EoP |
A type confusion vulnerability in the AppleAVE.kext kernel extension; enables an attacker to send an arbitrary kernel pointer which will be used by the kernel as a pointer to a valid IOSurface object. |
| CVE-2017-6996 | AppleAVE.kext | Information Disclosure/DoS/EoP |
An attacker can free any memory block of size 0x28. |
| CVE-2017-6997 | AppleAVE.kext | Information Disclosure/DoS/EoP |
An attacker can free any pointer of size 0x28. |
| CVE-2017-6998 | AppleAVE.kext | Information Disclosure/DoS/EoP |
An attacker can hijack kernel code execution due to a type confusion |
| CVE-2017-6999 | AppleAVE.kext | Information Disclosure/DoS/EoP |
A user-controlled pointer is zeroed. |
Additional technical information, including a PoC, will be released soon to Zimperium Handset Alliance and afterward to the public. The public release is currently delayed upon Apple’s request.
I would like to thank Apple for their incredible, responsible and fast security team, for addressing those vulnerabilities quickly and efficiently.
Zimperium offers protection against known and unknown threats targeting Apple iOS and Google Android devices. Zimperium’s patented machine-learning technology, z9, has detected every discovered exploit over the last five years without requiring updates. z9 protects users in real-time with on-device detection that does not suffer from the delays and limitations of cloud-only detection approaches.
Zimperium’s renowned zLabs performs extensive research on mobile and IoT operating systems to stay ahead of the evolving cybersecurity landscape. zLabs has identified and disclosed numerous vulnerabilities, and is the creator of the Zimperium Handset Alliance and the mobile N-Days Exploit Acquisition Program.
