Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

8/24/2017
11:30 PM
50%
50%

Apple iOS Exploit Takes Complete Control of Kernel

Researcher demonstrates 'severe' ZIVA exploit at Hack in the Box.

Multiple vulnerabilities in the AppleAVEDriver when linked together create an opportunity to launch an iOS exploit that can take full control of the iOS kernel, security researcher Adam Donenfeld of Zimperium's zLabs revealed today.

Donenfeld, who today demonstrated the exploit at the Hack In the Box conference in Singapore, says all iOS devices running versions 10.3.1 released in April as well as earlier versions are currently vulnerable to the attack. 

Apple patched eight vulnerabilities Donenfeld previously discovered – seven in AppleAVEDriver.kext and one in the iOSurface kernel extension – in its iOS version 10.3.2 in May.

It all began in January when Donefeld was researching the favored path attackers take in hitting Apple's iOS, which entails focusing on the direct containerized app-to-kernel vulnerabilities.

"The attack surface in between [the containerized app and kernel] is often underlooked and has more vulnerabilities, which are, usually, much, much easier to exploit. So, in most cases, even though an attacker has to go through more lines of code, finding and exploiting those bugs is usually an easier job," Donefeld says.

In his app-to-kernel vulnerabilities search, Donefeld did find a bug on Jan. 24, which in turn raised questions in his mind about other iOS attack surfaces. That curiosity led him to dive deeper into Apple's closed-source kernel modules, where he found one he was not familiar with called Apple AVEDriver. That module lacked basic security fundamentals and contained seven vulnerabilities that would allow attackers to elevate privileges by overtaking the kernel and gaining arbitrary read-write and root control.

Building an iOS Kernel Exploit

Donefeld created the fully chained iOS kernel exploit - which he dubbed ZIVA - by linking together the seven vulnerabilities he found in the AppleAVEDriver module, he says.

Some of these AppleAVE vulnerabilities could allow information disclosures, denial of service (DoS), and elevation of privilege (EoP), Donefeld says.

"The issues are severe and could allow the attacker to take complete control of any iOS device on the market prior to version 10.3.2., as well as access information including GPS data, photos, and contact information, or conduct denial-of-service (DoS) attacks," Donefeld says.

He notes that because Apple issued a patch for the flaws with version 10.3.2, iOS users who updated their device to the latest iOS version should be protected. Others, he adds, should invest in a third-party security solution.

"This provides a complete control over the kernel," he says of the exploit.

Related Content:

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
meisterwilliams
50%
50%
meisterwilliams,
User Rank: Apprentice
8/25/2017 | 2:46:17 PM
Thank you.
Thank you for the Update.

 
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2002-0390
PUBLISHED: 2019-07-21
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2002-0639. Reason: This candidate is a reservation duplicate of CVE-2002-0639. Notes: All CVE users should reference CVE-2002-0639 instead of this candidate. All references and descriptions in this candidate have been removed to prevent ...
CVE-2018-17210
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
CVE-2019-12934
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
CVE-2019-9229
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address 169.254.254.253 allows attackers in the local network to access multiple quagga VTYs. Attackers can...
CVE-2019-12815
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.