CVE-2020-27950: XNU Kernel Memory Disclosure in Mach Message Trailers

Posted by Ian Beer, Project Zero (2021-02-04)

Disclosure or Patch Date: 5 November 2020

Product: Apple iOS

Advisory: https://support.apple.com/en-us/HT211929

Affected Versions: iOS 14.1 and previous

First Patched Version: iOS 14.2

Issue/Bug Report: https://bugs.chromium.org/p/project-zero/issues/detail?id=2108

Patch CL: N/A

Bug-Introducing CL: N/A

Proof-of-Concept: https://bugs.chromium.org/p/project-zero/issues/detail?id=2108

Exploit Sample: N/A

Access to the exploit sample? Yes

Reporter(s): Ian Beer of Google Project Zero

Bug Class: Information Leak

Vulnerability Details: A kernel memory disclosure vulnerability due to an incorrect size calculation when receiving mach messages and requesting an invalid combination of trailer elements. The vulnerability gives the attacker the ability to leak stale data from various kalloc size classes.

Is the exploit method known? Yes

Exploit method: Groom the target kalloc size class to contain the pointer you wish to disclose at the right offset; in this case using out-of-line port descriptors to fill arbitrary sized kalloc allocations with pointers to ports. Free those allocations and reallocate them as mach messages, then trigger the vulnerability when receiving those messages to read 4 bytes of the target pointer. Adjust the size of the message to leak the other 4 bytes.

How do you think you would have found this bug? This vulnerability probably could have been found by fuzzing if the fuzzer was set up to detect reads of uninitialized memory (the underlying allocation is not freed memory; those four bytes are simply never written before they are read). The bug could also have been found through manual analysis.

(Historical/present/future) context of bug:

This vulnerability was used as a part of an iOS exploit chain. It was used after the Safari RCE (CVE-2020-27930) and before the kernel privilege escalation (CVE-2020-27932).

Areas/approach for variant analysis: Auditing other complex structures which get copied out to userspace but aren't zero-initialized.

Structural improvements: The underlying feature where this vulnerability was found has long since been removed from XNU; the code should have been properly removed. Ensuring allocations which will be filled in and copied to userspace are zeroed out when allocated would be a good defense-in-depth measure which would have mitigated this issue.
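To make the size/fill mismatch described under Vulnerability Details concrete, and to show the zero-on-allocation defence recommended above, here is a constructed C illustration. It is an added example, not code from XNU or from the Project Zero report: the trailer layout, the TRL_* flags and every function name are hypothetical stand-ins for the real Mach trailer machinery. A recycled allocation is pre-filled with a marker byte so the result is deterministic offline; in a real fuzzing harness the same bytes would be genuinely uninitialized, which is why the analysis above points at uninitialized-memory detection.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical reply trailer (constructed; not XNU's mach_msg_trailer_t).
 * The receiver asks for a combination of optional elements via flags.
 * The size copied out is derived from the highest element requested,
 * but the fill routine only writes the elements actually requested, so
 * an unhandled combination copies out bytes that were never written.
 */
#define TRL_SEQNO   0x1u   /* message sequence number */
#define TRL_SENDER  0x2u   /* sender security token */
#define TRL_CONTEXT 0x4u   /* 64-bit context value */

typedef struct {
    uint32_t type;
    uint32_t size;        /* bytes handed to the receiver */
    uint32_t seqno;
    uint32_t sender[2];
    uint64_t context;     /* 8-byte aligned, so padding may precede it */
} trailer_t;

/* Stands in for whatever the previous owner of the chunk left behind. */
#define STALE_MARKER 0xAAu

/* The incorrect size calculation: size follows the highest requested
 * element and ignores whether the lower elements were requested too. */
static size_t trailer_size_for(uint32_t flags) {
    if (flags & TRL_CONTEXT) return sizeof(trailer_t);
    if (flags & TRL_SENDER)  return offsetof(trailer_t, context);
    if (flags & TRL_SEQNO)   return offsetof(trailer_t, sender);
    return offsetof(trailer_t, seqno);
}

/* Models receiving a message: take a recycled chunk, optionally zero it
 * (the defence-in-depth), fill the requested elements, copy out 'size'. */
static size_t receive_trailer(uint32_t flags, int zero_on_alloc,
                              uint8_t *out, size_t out_cap) {
    union { trailer_t t; uint8_t bytes[sizeof(trailer_t)]; } chunk;

    memset(chunk.bytes, STALE_MARKER, sizeof chunk.bytes); /* recycled */
    if (zero_on_alloc)
        memset(chunk.bytes, 0, sizeof chunk.bytes);        /* hardened */

    chunk.t.type = 1;
    chunk.t.size = (uint32_t)trailer_size_for(flags);
    if (flags & TRL_SEQNO)   chunk.t.seqno = 42;
    if (flags & TRL_SENDER)  { chunk.t.sender[0] = 501; chunk.t.sender[1] = 20; }
    if (flags & TRL_CONTEXT) chunk.t.context = 0x1122334455667788ULL;

    size_t n = chunk.t.size < out_cap ? chunk.t.size : out_cap;
    memcpy(out, chunk.bytes, n);                           /* copy-out */
    return n;
}

/* Counts copied-out bytes that still carry the stale marker. */
static size_t count_stale(const uint8_t *out, size_t n) {
    size_t stale = 0;
    for (size_t i = 0; i < n; i++)
        if (out[i] == STALE_MARKER) stale++;
    return stale;
}

/* Stale bytes that reach the receiver for a flag combination and policy. */
size_t stale_bytes_disclosed(uint32_t flags, int zero_on_alloc) {
    uint8_t out[sizeof(trailer_t)];
    size_t n = receive_trailer(flags, zero_on_alloc, out, sizeof out);
    return count_stale(out, n);
}

int main(void) {
    uint32_t all = TRL_SEQNO | TRL_SENDER | TRL_CONTEXT;
    printf("context only, unzeroed: %zu stale bytes\n",
           stale_bytes_disclosed(TRL_CONTEXT, 0));
    printf("context only, zeroed:   %zu stale bytes\n",
           stale_bytes_disclosed(TRL_CONTEXT, 1));
    printf("all elements, unzeroed: %zu stale bytes (struct padding)\n",
           stale_bytes_disclosed(all, 0));
    printf("all elements, zeroed:   %zu stale bytes\n",
           stale_bytes_disclosed(all, 1));
    return 0;
}
```

Requesting only the context element is the unhandled combination here: the size routine counts the sequence number and sender fields, the fill routine never writes them, and the receiver gets whatever the chunk previously held. Zeroing the chunk when it is allocated closes that path without touching the size logic, and it also covers the padding bytes that even the fully requested combination leaves unwritten, which is the broader reason to zero any structure destined for copy-out rather than to rely on every fill path being complete.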

Potential detection methods for similar 0-days: N/A

Other references:
