ZIVA Exploit Allows Users to Take over iOS Devices


iOS (formerly iPhone OS) is a mobile operating system created and developed by Apple Inc. exclusively for its hardware. At the Hack in the Box conference, security researcher Adam Donenfeld demonstrated an exploit that works against all iOS devices running version 10.3.1 and below.

Donenfeld works for Zimperium, the same company that discovered the notorious Stagefright vulnerability in the Android OS.

"Following Apple's introduction of self-signed applications, the attack surface for containerized applications on iOS is pretty constant. Apple is doing a good job in improving its security, from narrowing down the attack surface to introducing new mitigations, both from a software and a hardware perspective. As a side effect of these efforts, most of the attack surface that is not accessible by a containerized application is often ignored." – Adam Donenfeld

This exploit, dubbed ZIVA, was built by chaining 8 previously disclosed vulnerabilities: 7 in the AppleAVEDriver.kext kernel extension and one in the IOSurface kernel extension (IOSurface.kext).

About Vulnerabilities

AppleAVEDriver.kext

CVE-2017-6989
  Component: AppleAVE.kext
  Impact: Elevation of Privileges
  Summary: A vulnerability in the AppleAVE.kext kernel extension; enables an attacker to drop the refcount of any IOSurface object in the kernel.

CVE-2017-6994
  Component: AppleAVE.kext
  Impact: Information Disclosure
  Summary: An information disclosure vulnerability in the AppleAVE.kext kernel extension; enables an attacker to leak the kernel address of any IOSurface object in the system.

CVE-2017-6995
  Component: AppleAVE.kext
  Impact: Information Disclosure / DoS / EoP
  Summary: A type confusion vulnerability in the AppleAVE.kext kernel extension; enables an attacker to send an arbitrary kernel pointer which will be used by the kernel as a pointer to a valid IOSurface object.

CVE-2017-6996
  Component: AppleAVE.kext
  Impact: Information Disclosure / DoS / EoP
  Summary: An attacker can free any memory block of size 0x28.

CVE-2017-6997
  Component: AppleAVE.kext
  Impact: Information Disclosure / DoS / EoP
  Summary: An attacker can free any pointer of size 0x28.

CVE-2017-6998
  Component: AppleAVE.kext
  Impact: Information Disclosure / DoS / EoP
  Summary: An attacker can hijack kernel code execution due to a type confusion.

CVE-2017-6999
  Component: AppleAVE.kext
  Impact: Information Disclosure / DoS / EoP
  Summary: A user-controlled pointer is zeroed.

IOSurface.kext

CVE-2017-6979
  Component: IOSurface.kext
  Impact: Elevation of Privileges
  Summary: A race condition vulnerability inside the IOSurface.kext driver; enables an attacker to bypass sanity checks for the creation of an IOSurface object.

Note that the Impact column for CVE-2017-6989 and CVE-2017-6994 is given here as the summaries describe them: dropping the refcount of an object another holder still uses is a use-after-free leading to privilege escalation, while leaking an object's kernel address is an information disclosure.
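To make the refcount-drop primitive in the table concrete, here is an added example (not Apple's driver code and not the ZIVA exploit; every name in it is hypothetical) that models it in user space. A "driver" keeps a table of reference-counted surfaces; the vulnerable release selector drops a reference on whatever surface the caller names, the hardened one only drops references the caller actually holds. The demo shows why that matters: an attacker holding no reference frees a victim's surface, then allocates its own object into the freed slot, and the victim reads attacker-controlled data through an id it still believes is valid.

```c
/* Added example: a user-space model of the refcount-drop primitive the table
 * attributes to CVE-2017-6989, beside a hardened release path. All names are
 * hypothetical; this is neither Apple's driver nor the zIVA exploit code. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SURFACES    8
#define MAX_CLIENT_REFS 4

/* Stand-in for an IOSurface: a shared, reference-counted kernel object. */
typedef struct surface {
    int     refcount;     /* object is released when this reaches zero */
    int     freed;        /* set instead of free() so the UAF stays observable */
    uint8_t pixels[16];
} surface_t;

static surface_t *g_surfaces[MAX_SURFACES];  /* kernel-side table, indexed by id */

typedef struct client {                      /* one user-space client of the driver */
    uint32_t held[MAX_CLIENT_REFS];          /* ids it has legitimately acquired */
    int      nheld;
} client_t;

static surface_t *surface_lookup(uint32_t id) {
    if (id >= MAX_SURFACES || !g_surfaces[id] || g_surfaces[id]->freed)
        return NULL;                         /* bounds and liveness check */
    return g_surfaces[id];
}

static void surface_put(surface_t *s) {
    if (--s->refcount == 0) s->freed = 1;    /* a kernel would kfree() here */
}

void table_reset(void) {
    for (int i = 0; i < MAX_SURFACES; i++) { free(g_surfaces[i]); g_surfaces[i] = NULL; }
}

/* New surface with one reference owned by `owner`. A freed slot (and its id) is
 * reused, which is what lets the attacker reclaim the victim's object below. */
uint32_t surface_create(client_t *owner, uint8_t fill) {
    if (owner->nheld >= MAX_CLIENT_REFS) return UINT32_MAX;
    for (uint32_t id = 0; id < MAX_SURFACES; id++) {
        if (g_surfaces[id] && !g_surfaces[id]->freed) continue;
        surface_t *s = calloc(1, sizeof *s);
        if (!s) return UINT32_MAX;
        free(g_surfaces[id]);
        s->refcount = 1;
        memset(s->pixels, fill, sizeof s->pixels);
        g_surfaces[id] = s;
        owner->held[owner->nheld++] = id;
        return id;
    }
    return UINT32_MAX;
}

/* Reads a byte from a surface the client holds; -1 if the id is not live or not its own. */
int surface_read(const client_t *c, uint32_t id, uint8_t *out) {
    surface_t *s = surface_lookup(id);
    for (int i = 0; s && i < c->nheld; i++)
        if (c->held[i] == id) { *out = s->pixels[0]; return 0; }
    return -1;
}

/* VULNERABLE: drops a reference on whatever surface the caller names, without
 * checking that this client ever took one. A single call from a client that
 * holds nothing takes the victim's only reference away. */
int ave_release_vuln(client_t *c, uint32_t id) {
    (void)c;
    surface_t *s = surface_lookup(id);
    if (!s) return -1;
    surface_put(s);
    return 0;
}

/* HARDENED: the reference being dropped must be one this client holds, so the
 * refcount can never fall below the number of outstanding holders. */
int ave_release_safe(client_t *c, uint32_t id) {
    surface_t *s = surface_lookup(id);
    for (int i = 0; s && i < c->nheld; i++) {
        if (c->held[i] != id) continue;
        c->held[i] = c->held[--c->nheld];    /* unlink, then drop exactly one ref */
        surface_put(s);
        return 0;
    }
    return -1;                               /* not ours or not live: refuse */
}

/* A victim owns surface V. An attacker holding no reference to V releases it,
 * then allocates its own surface, which lands in V's freed slot. Returns the
 * byte the victim now reads through an id it still believes is its own. */
uint8_t demo_refcount_drop(int hardened) {
    client_t victim = {{0}, 0}, attacker = {{0}, 0};
    uint8_t b = 0;
    table_reset();
    uint32_t v = surface_create(&victim, 0xAA);
    if (hardened) ave_release_safe(&attacker, v);  /* refused, V stays alive */
    else          ave_release_vuln(&attacker, v);  /* refcount 1 -> 0, V freed */
    surface_create(&attacker, 0x41);               /* reclaims V's slot if freed */
    surface_read(&victim, v, &b);
    return b;                                      /* 0x41 vulnerable, 0xAA hardened */
}
```

`demo_refcount_drop(0)` returns 0x41 and `demo_refcount_drop(1)` returns 0xAA. The slot reuse in the model stands in for heap reclamation in a real kernel: once the victim's object is freed, the attacker's next allocation of the same size can occupy its memory, and every other holder of the stale reference now operates on attacker-controlled contents. Combined with the kernel address leak and the type confusion listed in the table, that is the raw material for a chain like the one described on this page.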

Impact

This iOS exploit chains 8 known vulnerabilities and can lead to privilege escalation, DoS and information disclosure, as well as access to various sensor data and full control over the device. An attacker exploits it by getting a crafted application installed on the affected device; a successful exploit lets the attacker execute arbitrary code with kernel privileges. Because the chain needs code already running on the device, it is a local privilege escalation from inside an app's sandbox, not a remote attack. This may also allow attackers to bypass privacy settings for contacts, look up location search histories, access system file metadata, obtain a user's name and media library, consume disk storage space (in such a manner that uninstalling the app won't recover it), block access to system resources, and allow apps to share information with each other without permission.

Exploit Code

The fully functioning iOS exploit code has been released and is now available for download. Follow this link for the ZIVA exploit.

Patch

Apple has already patched the flaws in iOS 10.3.2. Users who have updated their device to the latest iOS version are protected; to check, open Settings > General > Software Update, or compare the version shown under Settings > General > About with 10.3.2.


6 comments

  1. Hi,
    I have downloaded the iOS exploit from the link. Can anyone help me with the installation?
    Can you tell me how to install and exploit?
