ZIVA Exploit Allows Users to Take over iOS Devices

iOS (formerly iPhone OS) is a mobile operating system created and developed by Apple Inc. exclusively for its hardware. At the Hack in the Box conference, Adam Donenfeld, a security researcher, demonstrated an exploit that works against all iOS devices running version 10.3.1 and below.
Donenfeld works for Zimperium, the same company that discovered the notorious Stagefright vulnerability in the Android OS.
Following Apple’s introduction of self-signed applications, the attack surface for containerized applications on iOS is pretty constant. Apple is doing a good job in improving its security, from narrowing down the attack surface to introducing new mitigations, both from a software and a hardware perspective. As a side effect of these efforts, most of the attack surface that is not accessible by a containerized application is often ignored. – Adam Donenfeld
This exploit, dubbed ZIVA, was built by chaining 8 previously disclosed vulnerabilities, 7 of which are in AppleAVEDriver.kext and one in the IOSurface kernel extension.
About Vulnerabilities

AppleAVEDriver
CVE-ID | Component | Impact | Summary
CVE-2017-6989 | AppleAVE.kext | Information Disclosure | A vulnerability in the AppleAVE.kext kernel extension; enables an attacker to drop the refcount of any IOSurface object in the kernel.
CVE-2017-6994 | AppleAVE.kext | Elevation of Privileges | An information disclosure vulnerability in the AppleAVE.kext kernel extension; enables an attacker to leak the kernel address of any IOSurface object in the system.
CVE-2017-6995 | AppleAVE.kext | Information Disclosure/DoS/EoP | A type confusion vulnerability in the AppleAVE.kext kernel extension; enables an attacker to send an arbitrary kernel pointer which will be used by the kernel as a pointer to a valid IOSurface object.
CVE-2017-6996 | AppleAVE.kext | Information Disclosure/DoS/EoP | An attacker can free any memory block of size 0x28.
CVE-2017-6997 | AppleAVE.kext | Information Disclosure/DoS/EoP | An attacker can free any pointer of size 0x28.
CVE-2017-6998 | AppleAVE.kext | Information Disclosure/DoS/EoP | An attacker can hijack kernel code execution due to a type confusion.
CVE-2017-6999 | AppleAVE.kext | Information Disclosure/DoS/EoP | A user-controlled pointer is zeroed.

IOSurface
CVE-ID | Component | Impact | Summary
CVE-2017-6979 | IOSurface.kext | Elevation of Privileges | A race condition vulnerability inside the IOSurface.kext driver; enables an attacker to bypass sanity checks for the creation of an IOSurface object.
Impact
This iOS exploit is a chain of 8 known vulnerabilities, and it could lead to privilege escalation, DoS, information disclosure, access to various sensor data, and even full control over the device. An attacker could exploit these vulnerabilities by installing a crafted application on the affected system. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges on the system. This may also allow attackers to bypass privacy settings for contacts, look up location search histories, access system file metadata, obtain a user’s name and media library, consume disk storage space (in such a manner that uninstalling the app won’t recover it), block access to system resources, and allow apps to share information with each other without permission.
Exploit Code
The fully functioning iOS exploit code has been released and is now available for download. Follow this link for the ZIVA exploit.
Patch
Apple has already issued a patch for the flaws in iOS 10.3.2. iOS users who have updated their device to the latest iOS version should be protected.
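Since the fix ships in iOS 10.3.2, the practical defender's task is to find fleet devices still running anything below that. The following is an added example (not code from the article or from Zimperium) that compares iOS version strings component by component, which matters because a plain string comparison would wrongly rank "10.10" below "10.3.2". The device inventory is constructed for the example; the device names are hypothetical.

```python
"""
Added example (not from the article): flag iOS devices in a fleet inventory
that are still below 10.3.2, the version the article says fixed the ZIVA chain.
Version strings are compared numerically component by component, so that
"9.3.5" < "10.3.1" < "10.3.2" < "10.10"; a plain string comparison would get
the last one wrong.
"""

PATCHED_VERSION = "10.3.2"  # from the article


def parse_version(v: str) -> tuple:
    """Turn "10.3.1" into (10, 3, 1). Missing trailing components count as 0,
    so "10.3" compares equal to "10.3.0"."""
    parts = [int(p) for p in v.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(os_version: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the device's iOS version predates the patched release."""
    return parse_version(os_version) < parse_version(patched)


# Constructed sample inventory (hypothetical device names and OS versions),
# in the shape an MDM export might give you.
INVENTORY = [
    {"device": "ipad-finance-01", "os": "10.3.1"},
    {"device": "iphone-ceo", "os": "10.3.2"},
    {"device": "iphone-dev-07", "os": "9.3.5"},
    {"device": "ipad-kiosk-02", "os": "10.3"},
    {"device": "iphone-sales-11", "os": "11.0"},
]


def unpatched_devices(inventory) -> list:
    """Return the names of devices whose iOS version is below PATCHED_VERSION."""
    return [d["device"] for d in inventory if is_vulnerable(d["os"])]


if __name__ == "__main__":
    for name in unpatched_devices(INVENTORY):
        print(f"{name}: below iOS {PATCHED_VERSION}, ZIVA fixes not applied")
```

The check uses only the version numbers, so it says nothing about whether an update has actually been installed beyond what the inventory reports; pair it with your MDM's last-check-in timestamp so stale records do not show up as patched.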
Hi,
I have downloaded the iOS exploit from the link. Can anyone help me with the installation?
Can you tell me how to install and exploit?
If you have to ask that question, you probably should not be playing with this exploit.
PoC anyone?
I am usually into blogging and I actually appreciate your posts. The content has really piqued my interest. I will bookmark your website and keep checking for brand new data.
Good morning, happy that I found this on Google. Thanks!
Oh dear, that’s exactly what I’m looking for. I have to say that you’re very clear and effective.