POC details: 055c33bbb9680a216faee8cb633b91083e0933d6

Source
Related vulnerability
Title: Apple iOS and iPadOS race condition vulnerability (CVE-2021-30955)
Description: Apple iOS and Apple iPadOS are both products of the US company Apple. Apple iOS is an operating system developed for mobile devices. Apple iPadOS is an operating system for iPad tablets. A race condition vulnerability exists in the Apple iOS and iPadOS kernel; it stems from a malicious application being able to execute arbitrary code with kernel privileges. The following products and versions are affected: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5 and later, iPad mini 4 and later, iPod touch(
Description
desc_race exploit for iOS 15.0 - 15.1.1 (with stable kernel r/w primitives) (CVE-2021-30955)
Introduction
# desc_race
"desc_race" (CVE-2021-30955) exploit for iOS 15.0 - 15.1.1 (with stable kernel r/w primitives)

# Exploit Method

1. Increase the capacity of the IOSurfaceClient array to 0x2000.
The goal is to write a pointer whose content is totally controlled
into that array and then use the IOSurfaceRootUserClient
interfaces to achieve kernel r/w. The size of the array is 0x2000 * 8 bytes,
so it resides in the large map of KHEAP_KEXT, which is the same as KHEAP_DEFAULT.

2. Then allocate a 0x4000-byte kernel buffer using an assistant kmsg with a 0x4000-byte
ool descriptor, which will be overwritten from the back. Then trigger the bug
with the allocated message, called the double copyin kmsg,
placed just behind the assistant kernel buffer. This message
contains an ool ports descriptor whose count is 0x2000,
so it will be rather close to the IOSurfaceClient array.

3. Then you should receive the assistant message. If the race succeeds,
the ool ports descriptor will be disclosed and
we can locate the IOSurfaceClient array address.

4. Then allocate a 0x4000-byte kernel buffer again; this will
occupy the aforementioned kernel buffer. This time I construct a fake
kmsg header with a proper body. Then I destroy the double
copyin kmsg, and the kernel will begin with our fake header.
I use a fake mach_msg_ool_descriptor_t and trigger
**vm_copy_discard()** with a totally controlled copy.
During the destruction of the copy, the most valuable
lines are in **_vm_map_entry_unlink_ll**:

```
#define _vm_map_entry_unlink_ll(hdr, entry)                             \
	MACRO_BEGIN                                                     \
	(hdr)->nentries--;                                              \
	(entry)->vme_next->vme_prev = (entry)->vme_prev;                \
	(entry)->vme_prev->vme_next = (entry)->vme_next;                \
	MACRO_END
```

The **entry** is under our control, which gives us a perfect
r/w primitive. I use this to write a controlled pointer
to the IOSurfaceClient array, and then achieve kernel
r/w combined with the IOSurfaceRootUserClient interfaces.

I have read bazad's post "One byte to rule them all" time and
time again while developing this exploit, and used the same
technique he used in his exploit, faking a vm_copy_t. But there are
some points that differ.

1. XNU signs the message, so we can no longer receive a
corrupted kmsg.

2. In the destruction procedure, I set the vm_object's mapping_in_progress
to make the kernel spin, so it won't panic due to the zone
check.

Many thanks to bazad for his great post, to WangTielei for
letting me know that the IOSurfaceClient interfaces are now invalid
as an r/w primitive, and to pedantcoder for his kindness.
File snapshot

```
[4.0K] /data/pocs/055c33bbb9680a216faee8cb633b91083e0933d6
├── [ 174] AppDelegate.h
├── [1.3K] AppDelegate.m
├── [4.0K] Assets.xcassets
│   ├── [4.0K] AccentColor.colorset
│   │   └── [ 123] Contents.json
│   ├── [4.0K] AppIcon.appiconset
│   │   └── [1.6K] Contents.json
│   └── [  63] Contents.json
├── [4.0K] Base.lproj
│   ├── [1.6K] LaunchScreen.storyboard
│   └── [1.6K] Main.storyboard
├── [4.0K] common
│   ├── [ 17K] KernelRW.cpp
│   ├── [1.7K] KernelRW.hpp
│   ├── [1.2K] libgeneral_exception.cpp
│   ├── [ 971] libgeneral_exception.hpp
│   └── [2.1K] macros.h
├── [4.0K] exploit
│   ├── [6.9K] desc_race.c
│   ├── [ 211] desc_race.h
│   ├── [7.0K] iokit.h
│   ├── [ 34K] LICENSE
│   ├── [ 207] README.md
│   ├── [ 26K] spray_stuff.c
│   ├── [1.0K] spray_stuff.h
│   ├── [2.2K] stage3.cpp
│   └── [ 249] stage3.h
├── [2.0K] Info.plist
├── [ 438] main.m
├── [2.6K] README.md
├── [ 227] SceneDelegate.h
├── [2.1K] SceneDelegate.m
├── [ 161] ViewController.h
└── [ 501] ViewController.m

6 directories, 28 files
```
Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the POC via the original source first.
    2. If the source is no longer available or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.