Difference between revisions of "CVE-2021-30807"

From The iPhone Wiki
(brief summary)
 
m (Stop using wayback machine for the tweet link)
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
On {{date|2021|07|26}}, [https://support.apple.com/en-us/HT212623 Apple released iOS 14.7.1] with a fix for CVE-2021-30807, a vulnerability in IOMobileFrameBuffer which allows kernel code execution, and has been exploited in the wild according to Apple. Note that is is not the same as [[CVE-2021-30883]] which was fixed in 15.0.2.
 
On {{date|2021|07|26}}, [https://support.apple.com/en-us/HT212623 Apple released iOS 14.7.1] with a fix for CVE-2021-30807, a vulnerability in IOMobileFrameBuffer which allows kernel code execution, and has been exploited in the wild according to Apple. Note that is is not the same as [[CVE-2021-30883]] which was fixed in 15.0.2.
   
binaryboy [http://web.archive.org/web/20210821232421/https://twitter.com/b1n4r1b01/status/1419734027565617165 published a quick crash PoC] on Twitter, but he later deleted it.
+
binaryboy [https://twitter.com/b1n4r1b01/status/1419734027565617165 published a quick crash PoC] on Twitter.
   
Saar Amar later [https://saaramar.github.io/IOMobileFrameBuffer_LPE_POC/ wrote a blog post and PoC] about this vulnerability. He had independently discovered the bug earlier, but he didn't report it or publish it because he didn't have a good exploit yet, and then Apple fixed it.
+
Saar Amar later [https://saaramar.github.io/IOMobileFrameBuffer_LPE_POC/ wrote a blog post and PoC] for this vulnerability (like binaryboy's, this PoC just panics the kernel). He had independently discovered the bug earlier, but he didn't report it or publish it because he didn't have a good exploit yet, and then Apple fixed it.
  +
  +
On {{date|2021|11|28}}, Justin Sherman released a [https://jsherman212.github.io/2021/11/28/popping_ios14_with_iomfb.html more comprehensive writeup] and [https://github.com/jsherman212/iomfb-exploit exploit] which actually achieves kernel read/write primitives.
   
 
Calling the vulnerable method requires the <code>com.apple.private.allow-explicit-graphics-priority</code> entitlement, so it's not reachable from the normal app sandbox, but it ''is'' reachable from the WebContent process, so it could be chained with a WebKit exploit.
 
Calling the vulnerable method requires the <code>com.apple.private.allow-explicit-graphics-priority</code> entitlement, so it's not reachable from the normal app sandbox, but it ''is'' reachable from the WebContent process, so it could be chained with a WebKit exploit.
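Review bot: the doubled "is" in "Note that is is not the same as" survives unchanged in both the old and the new revision of the first paragraph; this edit should also correct it to "Note that this is not the same as". Minor style point in the same sentence: "fixed in 15.0.2" could read "fixed in iOS 15.0.2" for consistency with "Apple released iOS 14.7.1" earlier in the paragraph.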

Latest revision as of 00:10, 29 November 2021

On 26 July 2021, Apple released iOS 14.7.1 with a fix for CVE-2021-30807, a vulnerability in IOMobileFrameBuffer which allows kernel code execution, and has been exploited in the wild according to Apple. Note that this is not the same as CVE-2021-30883, which was fixed in iOS 15.0.2.

binaryboy published a quick crash PoC on Twitter.

Saar Amar later wrote a blog post and PoC for this vulnerability (like binaryboy's, this PoC just panics the kernel). He had independently discovered the bug earlier, but he didn't report it or publish it because he didn't have a good exploit yet, and then Apple fixed it.

On 28 November 2021, Justin Sherman released a more comprehensive writeup and exploit which actually achieves kernel read/write primitives.

Calling the vulnerable method requires the com.apple.private.allow-explicit-graphics-priority entitlement, so it's not reachable from the normal app sandbox, but it is reachable from the WebContent process, so it could be chained with a WebKit exploit.

This exploit article is a "stub", an incomplete page. Please add more content to this article and remove this tag.