The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.
Difference between revisions of "CVE-2021-30807"
(Add Justin's writeup/exploit)
m (Stop using wayback machine for the tweet link)
Line 1:
On {{date|2021|07|26}}, [https://support.apple.com/en-us/HT212623 Apple released iOS 14.7.1] with a fix for CVE-2021-30807, a vulnerability in IOMobileFrameBuffer which allows kernel code execution, and has been exploited in the wild according to Apple. Note that is is not the same as [[CVE-2021-30883]] which was fixed in 15.0.2.
− | binaryboy [ |
+ | binaryboy [https://twitter.com/b1n4r1b01/status/1419734027565617165 published a quick crash PoC] on Twitter. |
Saar Amar later [https://saaramar.github.io/IOMobileFrameBuffer_LPE_POC/ wrote a blog post and PoC] for this vulnerability (like binaryboy's, this PoC just panics the kernel). He had independently discovered the bug earlier, but he didn't report it or publish it because he didn't have a good exploit yet, and then Apple fixed it.
Latest revision as of 00:10, 29 November 2021
On 26 July 2021, Apple released iOS 14.7.1 with a fix for CVE-2021-30807, a vulnerability in IOMobileFrameBuffer which allows kernel code execution, and has been exploited in the wild according to Apple. Note that this is not the same as CVE-2021-30883, which was fixed in 15.0.2.
binaryboy published a quick crash PoC on Twitter.
Saar Amar later wrote a blog post and PoC for this vulnerability (like binaryboy's, this PoC just panics the kernel). He had independently discovered the bug earlier, but he didn't report it or publish it because he didn't have a good exploit yet, and then Apple fixed it.
On 28 November 2021, Justin Sherman released a more comprehensive writeup and exploit which actually achieves kernel read/write primitives.
Calling the vulnerable method requires the com.apple.private.allow-explicit-graphics-priority entitlement, so it's not reachable from the normal app sandbox, but it is reachable from the WebContent process, so it could be chained with a WebKit exploit.
This exploit article is a "stub", an incomplete page. Please add more content to this article and remove this tag.