The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "IOUSBDeviceFamily Vulnerability"
(reference CVE-2013-0981) |
m (→References: mention ATV link too) |
||
Line 19: | Line 19: | ||
* [http://blog.azimuthsecurity.com/2013/02/from-usr-to-svc-dissecting-evasi0n.html Analysis by kernelpool] |
* [http://blog.azimuthsecurity.com/2013/02/from-usr-to-svc-dissecting-evasi0n.html Analysis by kernelpool] |
||
* [http://support.apple.com/kb/HT5704 Apple's iOS 6.1.3 security fixes] |
* [http://support.apple.com/kb/HT5704 Apple's iOS 6.1.3 security fixes] |
||
+ | * [http://support.apple.com/kb/HT5702 Apple's iOS 5.2.1 (Apple TV) security fixes] |
||
* [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0981 NIST Reference CVE-2013-0981] |
* [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0981 NIST Reference CVE-2013-0981] |
||
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0981 Mitre Reference CVE-2013-0981] |
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0981 Mitre Reference CVE-2013-0981] |
Revision as of 23:10, 6 April 2013
This is CVE-2013-0981.
This kernel vulnerability comes from the com.apple.iokit.IOUSBDeviceInterface
driver. There are several methods that accept a pipe object pointer from user space, but do not validate the pointer except for testing if it is non-null. An application that can communicate with USB devices (holding com.apple.security.device.usb
entitlement) can call IOUSBDeviceInterface functions directly and give them a malformed pipe object which can result in arbitrary code execution if the memory referenced by the given pip object pointer can be controlled from user space. evasi0n uses function 15 (stallPipe) for exploitation.
TODO: Describe evasi0n exploitation in detail here.
Apple's description in the iOS 6.1.3 security fixes:
USB
Impact: A local user may be able to execute arbitrary code in the kernel
Description: The IOUSBDeviceFamily driver used pipe object pointers that came from userspace. This issue was addressed by performing additional validation of pipe object pointers.