Vendor: iOS
By: Exploit Database
CVSS: 9.3 (HIGH)
Title: Mach Message Modification
CWE: 119
Product Name: iOS
Affected Version From: iOS 7.1.2
Affected Version To: iOS 11.4.1
Patch Exists: No
Related CWE: None
CPE: None
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: iOS
Year: 2018

io_hideventsystem sets up a shared memory event queue

This vulnerability allows a client of the shared memory event queue to modify the Mach message that io_hideventsystem places at the end of the shared memory buffer. Because the server sends that message as-is, the client can make the server send it an arbitrary Mach port from the server's own namespace with an arbitrary disposition. This can be used to gain code execution as backboardd on iOS 11.4.1 and to obtain a real tfp0 on iOS 7.1.2.

Mitigation:

The server must not send a Mach message whose header lives in memory the client can write. The notification message should be built in server-private memory, or its header (port names and dispositions) validated against the expected values, before it is sent.

Exploit-DB raw data:

io_hideventsystem sets up a shared memory event queue; at the end of this shared memory buffer it puts a mach message which it sends whenever it wants to notify a client that there's data available in the queue.

As a client we can modify this mach message such that the server (hidd on macOS, backboardd on iOS) will send us an arbitrary mach port from its namespace with an arbitrary disposition.

This is a minimal PoC to demonstrate the issue. Interpose it into the PoC for P0 1623, Apple issue 695930632.

Attaching two PoCs:
deja-xnu: exploit for this issue on iOS 11.4.1 to get code execution as backboardd, and then trigger P0 issue 1658
dq8: exploit for this issue, and a new exploit for the original pangu variant of this issue to get a real tfp0 on iOS 7.1.2

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45650.zip