Vendor: iOS
By: ianbeer
CVSS: 7.8 (HIGH)
CWE: 125 (Out-of-bounds Read)
Product Name: iOS
Affected Version From: iOS 10
Affected Version To: iOS 10
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: MacOS
Year: 2016

MacOS/iOS kernel memory corruption due to bad bounds checking in the SIOCSIFORDER socket ioctl

SIOCSIFORDER is a new ioctl added in iOS 10. It can be called on a regular TCP socket, so from pretty much any sandbox. By providing a value with the most-significant bit set, which makes it negative when cast to a signed type, we can pass the bounds check at (b) and read an interface pointer out of bounds, below the ifindex2ifnet array. This leads very directly to memory corruption at (d), which adds the value read out of bounds to a list structure.
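As an added illustration (not code from the advisory or from the XNU kernel), the following C program models the bug class described above: a caller-controlled 32-bit index is reinterpreted as signed and compared only against the array length, so a value with the top bit set is negative and slips past the check. It places that weak check beside two hardened forms, one that rejects both ends of the signed range and one that compares in the unsigned domain. The table name `if_table`, its length, the helper names and the sample inputs are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an interface table such as ifindex2ifnet:
 * a fixed-length array indexed by a caller-supplied number. Names and
 * layout are illustrative only, not the kernel's data structures. */
#define IF_TABLE_LEN 4
static const char *const if_table[IF_TABLE_LEN] = { "lo0", "en0", "en1", "utun0" };

/* Weak check (the pattern the advisory describes): the caller's 32-bit
 * value is cast to a signed type and compared only against the upper
 * bound, so any value with the most-significant bit set is negative,
 * passes the test, and would index below the start of the array. */
static bool index_ok_weak(uint32_t user_val)
{
    int32_t idx = (int32_t)user_val;
    return idx < IF_TABLE_LEN;
}

/* Hardened check, variant 1: keep the signed type but reject both ends. */
static bool index_ok_signed(uint32_t user_val)
{
    int32_t idx = (int32_t)user_val;
    return idx >= 0 && idx < IF_TABLE_LEN;
}

/* Hardened check, variant 2: compare in the unsigned domain, which folds
 * the "negative" case into "too large" with a single comparison. */
static bool index_ok_unsigned(uint32_t user_val)
{
    return user_val < (uint32_t)IF_TABLE_LEN;
}

/* Lookup that dereferences the table only after the hardened check;
 * NULL stands for the ioctl handler rejecting the request. */
static const char *lookup_if(uint32_t user_val)
{
    if (!index_ok_unsigned(user_val))
        return NULL;
    return if_table[user_val];
}

/* Run all three checks on one input and return a bitmask:
 * bit0 = weak check accepts, bit1 = signed-hardened accepts,
 * bit2 = unsigned-hardened accepts. */
static unsigned check_mask(uint32_t user_val)
{
    return (index_ok_weak(user_val)     ? 1u : 0u)
         | (index_ok_signed(user_val)   ? 2u : 0u)
         | (index_ok_unsigned(user_val) ? 4u : 0u);
}

int main(void)
{
    /* Constructed inputs: an in-range index, one past the end, and two
     * values with the most-significant bit set (negative as int32_t). */
    const uint32_t samples[] = { 1u, IF_TABLE_LEN, 0x80000000u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned m = check_mask(samples[i]);
        const char *name = lookup_if(samples[i]);
        printf("0x%08x: weak=%u signed=%u unsigned=%u -> %s\n",
               samples[i], m & 1u, (m >> 1) & 1u, (m >> 2) & 1u,
               name ? name : "rejected");
    }
    return 0;
}
```

The weak variant accepts both 0x80000000 and 0xFFFFFFFF, which as signed indices would read 2 GiB or 4 bytes before the array; both hardened variants reject them while still accepting ordinary indices. When an index arrives from userland as an unsigned quantity, comparing it unsigned is the simpler and less error-prone of the two fixes.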

Mitigation:

Ensure that the index supplied to the SIOCSIFORDER ioctl is bounds-checked correctly, rejecting negative values as well as values at or beyond the end of the array, before it is used to index ifindex2ifnet.