ZIVA Exploit Allows Users to Take over iOS Devices

iOS (formerly iPhone OS) is a mobile operating system created and developed by Apple Inc. exclusively for its hardware.In Hack in the Box conference, Donenfeld, a security researcher has demonstrated an exploit which can exploit all iOS devices running versions 10.3.1 and below.

Donenfeld works for Zimperium, the same company that discovered the notorious Stagefright vulnerability in the Android OS.

Following Apple’s introduction of self-signed applications, the attack surface for containerized applications on iOS is pretty constant. Apple is doing a good job in improving its security, from narrowing down the attack surface to introducing new mitigations, both from a software and a hardware perspective. As a side effect of these efforts, most of the attack surface that is not accessible by a containerized application is often ignored. – Adam Donenfeld

This exploit, dubbed ZIVA was made by combining 8 previously exposed vulnerabilities of which 7 of them are in in AppleAVEDriver.kext and one in the iOSurface kernel extension.

About Vulnerabilities

Apple AVEDriver

CVE-ID	Component	Impact	Summary
CVE-2017-6979	IOSurface.kext	Elevation of Privileges	A race condition vulnerability inside IOSurface.kext driver; enables an attacker to bypass sanity checks, for the creation of an IOSurface object.
CVE-2017-6989	AppleAVE.kext	Information Disclosure	A vulnerability in the AppleAVE.kext kernel extension; enables an attacker to drop the refcount of any IOSurface object in the kernel.
CVE-2017-6994	AppleAVE.kext	Elevation of Privileges	An information disclosure vulnerability in the AppleAVE.kext kernel extension; enables an attacker to leak the kernel address of any IOSurface object in the system.
CVE-2017-6995	AppleAVE.kext	Information Disclosure/DoS/EoP	A type confusion vulnerability in the AppleAVE.kext kernel extension; enables an attacker to send an arbitrary kernel pointer which will be used by the kernel as a pointer to a valid IOSurface object.
CVE-2017-6996	AppleAVE.kext	Information Disclosure/DoS/EoP	An attacker can free any memory block of size 0x28.
CVE-2017-6997	AppleAVE.kext	Information Disclosure/DoS/EoP	An attacker can free any pointer of size 0x28.
CVE-2017-6998	AppleAVE.kext	Information Disclosure/DoS/EoP	An attacker can hijack kernel code execution due to a type confusion
CVE-2017-6999	AppleAVE.kext	Information Disclosure/DoS/EoP	A user-controlled pointer is zeroed.

IOSurface

CVE-2017-6979

Impact

This iOS exploit is a chain of 8 known vulnerabilities and this could lead to Privilage escalation, DOS, Information Disclosure, as well as access to various sensor data and even take full control over the device. An attacker could exploit this vulnerability by installing a crafted application on the affected system. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges on the system. This may also allows attackers to bypass privacy settings for contacts, look up location search histories, access system file metadata, obtain a user’s name and media library, consume disk storage space (in such a manner that uninstalling the app won’t recover it), block access to system resources, and allow apps to share information with each other without permission.

Exploit Code

The fully functioning iOS exploit code has been released and is now available for download. Follow this link for ZIVA Exploit.

Patch

Apple have already issued a patch for the flaws with version 10.3.2. iOS users who updated their device to the latest iOS version should be protected.

Comments

comments