iOS (formerly iPhone OS) is a mobile operating system created and developed by Apple Inc. exclusively for its hardware. At the Hack in the Box conference, security researcher Adam Donenfeld demonstrated an exploit that works against all iOS devices running version 10.3.1 and below.

Donenfeld works for Zimperium, the same company that discovered the notorious Stagefright vulnerability in the Android OS.

Following Apple’s introduction of self-signed applications, the attack surface for containerized applications on iOS is pretty constant. Apple is doing a good job in improving its security, from narrowing down the attack surface to introducing new mitigations, both from a software and a hardware perspective. As a side effect of these efforts, most of the attack surface that is not accessible by a containerized application is often ignored. – Adam Donenfeld

This exploit, dubbed ZIVA, was built by chaining 8 previously disclosed vulnerabilities, 7 of which are in AppleAVEDriver.kext and one in the IOSurface kernel extension.

About Vulnerabilities

Apple AVEDriver

CVE-ID | Component | Impact | Summary
CVE-2017-6989 | AppleAVE.kext | Information Disclosure | A vulnerability in the AppleAVE.kext kernel extension; enables an attacker to drop the refcount of any IOSurface object in the kernel.
CVE-2017-6994 | AppleAVE.kext | Elevation of Privileges | An information disclosure vulnerability in the AppleAVE.kext kernel extension; enables an attacker to leak the kernel address of any IOSurface object in the system.
CVE-2017-6995 | AppleAVE.kext | Information Disclosure/DoS/EoP | A type confusion vulnerability in the AppleAVE.kext kernel extension; enables an attacker to send an arbitrary kernel pointer which will be used by the kernel as a pointer to a valid IOSurface object.
CVE-2017-6996 | AppleAVE.kext | Information Disclosure/DoS/EoP | An attacker can free any memory block of size 0x28.
CVE-2017-6997 | AppleAVE.kext | Information Disclosure/DoS/EoP | An attacker can free any pointer of size 0x28.
CVE-2017-6998 | AppleAVE.kext | Information Disclosure/DoS/EoP | An attacker can hijack kernel code execution due to a type confusion.
CVE-2017-6999 | AppleAVE.kext | Information Disclosure/DoS/EoP | A user-controlled pointer is zeroed.

IOSurface

CVE-ID | Component | Impact | Summary
CVE-2017-6979 | IOSurface.kext | Elevation of Privileges | A race condition vulnerability inside the IOSurface.kext driver; enables an attacker to bypass sanity checks for the creation of an IOSurface object.

Impact

This iOS exploit chains 8 known vulnerabilities, which could lead to privilege escalation, DoS and information disclosure, as well as access to various sensor data and even full control over the device. An attacker could exploit these vulnerabilities by installing a crafted application on the affected system. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges on the system. It may also allow attackers to bypass privacy settings for contacts, look up location search histories, access system file metadata, obtain a user’s name and media library, consume disk storage space (in such a manner that uninstalling the app won’t recover it), block access to system resources, and allow apps to share information with each other without permission.

Exploit Code

The fully functioning iOS exploit code has been released and is now available for download. Follow this link for ZIVA Exploit.

Patch

Apple has already issued a patch for the flaws in iOS 10.3.2. Users who have updated their device to the latest iOS version should be protected.
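A fleet-side check for the fix above, as an added example that is not part of the original article: it parses iOS version strings numerically (a plain string compare would rank "10.10" below "10.3") and flags devices still below 10.3.2 as exposed to the eight CVEs listed. The device names and the inventory are constructed; the record layout is assumed.

```python
"""Flag iOS devices still exposed to the ZIVA chain (fixed in iOS 10.3.2).

Added example, not from the original article. It assumes a device inventory
exported as (name, os_version) pairs; the sample below is constructed.
"""
from typing import Iterable

# Affected per the article: 10.3.1 and below; Apple's fix shipped in 10.3.2.
ZIVA_FIXED_IN = (10, 3, 2)

# The eight CVEs the article lists as making up the chain.
ZIVA_CVES = ("CVE-2017-6979", "CVE-2017-6989", "CVE-2017-6994", "CVE-2017-6995",
             "CVE-2017-6996", "CVE-2017-6997", "CVE-2017-6998", "CVE-2017-6999")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '10.3.1' into (10, 3, 1) so comparison is numeric, not lexicographic.

    Missing trailing components are treated as zero ('10.3' becomes (10, 3, 0)).
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def is_exposed_to_ziva(os_version: str) -> bool:
    """True when the device runs a build older than the 10.3.2 fix."""
    return parse_version(os_version) < ZIVA_FIXED_IN


def find_exposed_devices(inventory: Iterable[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return (device, version) for every record that still needs the update."""
    return [(name, ver) for name, ver in inventory if is_exposed_to_ziva(ver)]


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = [
    ("iphone-ops-01", "10.3.1"),   # exactly the last affected release
    ("iphone-ops-02", "10.3.2"),   # carries Apple's fix
    ("ipad-lab-07", "10.2"),       # older, affected; pads to (10, 2, 0)
    ("iphone-exec-03", "10.10"),   # hypothetical later build; a string compare would misrank it
]

if __name__ == "__main__":
    for name, ver in find_exposed_devices(SAMPLE_INVENTORY):
        print(f"{name}: iOS {ver} exposed to ZIVA ({', '.join(ZIVA_CVES)}); update to 10.3.2 or later")
```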
