Zimperium zLabs iOS Security Advisories


As part of zLabs' platform research team, I set out to investigate an area of the kernel that had not been thoroughly researched before. After digging into some of Apple's closed-source kernel modules, one code chunk led to another and I noticed a little-known module I had never seen before, called AppleAVE.

AppleAVE was written neglecting basic security fundamentals, to the extent that the vulnerabilities described below were sufficient to pwn the kernel and gain arbitrary RW and root. Needless to say, due to the defragmentation of Apple’s codebase for iOS, every iOS device running 10.3.1 or lower is currently vulnerable.

I’ve responsibly disclosed the vulnerabilities and Apple issued a security patch.

The security patch Apple shipped with iOS 10.3.2 addresses 8 vulnerabilities I discovered: one in the IOSurface kernel extension and the other 7 in AppleAVEDriver.kext.

These vulnerabilities allow elevation of privileges, which an attacker can ultimately use to take complete control of affected devices.

The following table summarizes the vulnerabilities, as sent to Apple:

| CVE-ID | Component | Impact | Summary |
|---|---|---|---|
| CVE-2017-6979 | IOSurface.kext | Elevation of Privileges | A race condition vulnerability inside the IOSurface.kext driver; enables an attacker to bypass sanity checks for the creation of an IOSurface object. |
| CVE-2017-6989 | AppleAVE.kext | Information Disclosure | A vulnerability in the AppleAVE.kext kernel extension; enables an attacker to drop the refcount of any IOSurface object in the kernel. |
| CVE-2017-6994 | AppleAVE.kext | Elevation of Privileges | An information disclosure vulnerability in the AppleAVE.kext kernel extension; enables an attacker to leak the kernel address of any IOSurface object in the |
| CVE-2017-6995 | AppleAVE.kext | Information | A type confusion vulnerability in the AppleAVE.kext kernel extension; enables an attacker to send an arbitrary kernel pointer which will be used by the kernel as a pointer to a valid IOSurface object. |
| CVE-2017-6996 | AppleAVE.kext | Information | An attacker can free any memory block of size 0x28. |
| CVE-2017-6997 | AppleAVE.kext | Information | An attacker can free any pointer of size 0x28. |
| CVE-2017-6998 | AppleAVE.kext | Information | An attacker can hijack kernel code execution due to a type confusion |
| CVE-2017-6999 | AppleAVE.kext | Information | A user-controlled pointer is |

Additional technical information, including a PoC, will be released soon to the Zimperium Handset Alliance and afterward to the public. The public release is currently delayed at Apple's request.

I would like to thank Apple for their incredible, responsible and fast security team, for addressing those vulnerabilities quickly and efficiently.

Zimperium offers protection against known and unknown threats targeting Apple iOS and Google Android devices. Zimperium's patented machine-learning technology, z9, has detected every discovered exploit over the last five years without requiring updates. z9 protects users in real-time with on-device detection that does not suffer from the delays and limitations of cloud-only detection approaches.

Zimperium's renowned zLabs performs extensive research on mobile and IoT operating systems to stay ahead of the evolving cybersecurity landscape. zLabs has identified and disclosed numerous vulnerabilities, and is the creator of the Zimperium Handset Alliance and the mobile N-Days Exploit Acquisition Program.

The post Zimperium zLabs iOS Security Advisories appeared first on Zimperium Mobile Security Blog.

About Zimperium
Zimperium, the industry leader in Mobile Threat Defense, offers real-time, on-device protection against both known and previously unknown threats, enabling detection and remediation of attacks on all three mobile threat vectors - Device, Network and Applications. Zimperium’s patented z9™ detection engine uses machine learning to power zIPS™, mobile on-device Intrusion Prevention System app, and zIAP™, an embedded, In-App Protection SDK that delivers self-protecting iOS and Android apps. Leaders across the mobile ecosystem partner with Zimperium, including mobile operators (Airtel, Deutsche Telekom, SmarTone, SoftBank and Telstra), device manufacturers (Samsung, SIRIN, TriGem), and leading enterprise mobility management (EMM) providers (AirWatch, MobileIron, BlackBerry, Citrix and SAP). Headquartered in San Francisco, Zimperium is backed by Sierra Ventures, Samsung, Telstra, Warburg Pincus and SoftBank. Learn more at www.zimperium.com or our official blog at https://blog.zimperium.com.
