An obscure Apple kernel extension patched in July in iOS 10.3.3 was originally built without security measures in place, according to the researcher who privately disclosed the flaws.
Today at the Hack in the Box security conference in Singapore, Zimperium zLabs’ Adam Donenfeld was scheduled to disclose details on seven flaws he found in the AppleAVEDriver.kext, a video encoder kernel extension, as well as another critical issue in the IOSurface.kext.
Donenfeld said he was able to chain together several of the vulnerabilities in order to locally elevate privileges and control an iOS device. There wasn’t much of an impediment from the AVE kernel extension.
“It feels like they assumed that there are no attackers out there; it was like they didn’t think someone would abuse it. There were no security measures at all,” Donenfeld said. “It was as if they didn’t consider the kernel different from userland.”
Donenfeld said that, for example, there were kernel pointers inside userland.
“The user is not supposed to have access to that information,” he said. “[Apple] completely ignored that fact.”
The bugs were believed fixed initially in May in iOS 10.3.2, but Apple asked Donenfeld to keep the details private until they were fully fixed last month.
AVEDriver accelerates video encoding on an iOS device. Donenfeld called it a complicated process, and said it is done at a lower level of the device to speed up that process.
“The problem was in the implementation,” he said. “There were lots of bugs and Apple did not consider any security concepts when it was written. That’s why this was so surprising and concerning. I did not expect something like this to happen in 2017.”
Most of the seven AppleAVE vulnerabilities privately disclosed by Donenfeld were information disclosure bugs that leaked critical memory information, in some instances, allowing an attacker to elevate privileges on the device. An attacker would already have to have code execution on the device, he said.
The seven AppleAVE.kext bugs are:
- CVE-2017-6989: an information disclosure vulnerability enabling an attacker to drop the refcount of any IOSurface object in the kernel
- CVE-2017-6994: an information disclosure flaw that allows an attacker to leak the kernel address of any IOSurface object and elevate privileges.
- CVE-2017-6995: a type confusion flaw that allows an attacker to send a kernel pointer used by the kernel to access a valid IOSurface object
- CVE-2017-6996 and CVE-2017-6997: information disclosure vulnerabilities allowing an attacker to free memory blocks of size 0x28.
- CVE-2017-6998: an information disclosure bug allowing an attacker to use type confusion to hijack kernel code execution
- CVE-2017-6999: an information disclosure flaw where a user-controlled pointer is zeroed.
The IOSurface.kext bug is CVE-2017-6979 where a race condition exists inside the driver that allows for a bypass of security checks during creation of an IOSurface object. This can lead to privilege escalation, Donenfeld said.
“Because I had so many bugs, I didn’t try to make a complete exploit just out of one of them,” Donenfeld explained. “I think that some of them could give you the capability of exploiting the device just using one. It depends of the vulnerability and what it gives you. If that was required, some of them gave you enough to compromise the kernel on their own.”
