The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "CVE-2021-30883"
(Add info about A14/DCP) |
(Update list of fixed versions) |
||
(5 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
− | On {{date|2021|10|11}}, [https://support.apple.com/en-us/HT212623 Apple released iOS 15.0.2] with a fix for CVE-2021-30883, a vulnerability in IOMobileFrameBuffer which allows kernel code execution, and has been exploited in the wild according to Apple. |
+ | On {{date|2021|10|11}}, [https://support.apple.com/en-us/HT212623 Apple released iOS 15.0.2] with a fix for CVE-2021-30883, a vulnerability in IOMobileFrameBuffer which allows kernel code execution, and has been exploited in the wild according to Apple. The bug is also present in iOS 15.1 betas 1, 2 and 3. It was fixed in 14.8.1, 15.0.2, and 15.1b4. |
+ | |||
+ | Note that despite also involving IOMFB, this is a different vulnerability than [[CVE-2021-30807]] which was fixed in 14.7.1. |
||
Saar Amar quickly bindiff'd the kernel and [https://saaramar.github.io/IOMFB_integer_overflow_poc/ wrote a blog post and PoC] about this vulnerability. |
Saar Amar quickly bindiff'd the kernel and [https://saaramar.github.io/IOMFB_integer_overflow_poc/ wrote a blog post and PoC] about this vulnerability. |
||
Line 5: | Line 7: | ||
Unlike CVE-2021-30807, this vulnerability is apparently exploitable from the app sandbox without any special entitlement. |
Unlike CVE-2021-30807, this vulnerability is apparently exploitable from the app sandbox without any special entitlement. |
||
− | Saar's PoC |
+ | Saar's PoC works on [[A10X]], [[A11]], [[A12]], and [[A13]] devices. Apparently, A14/A15 moved this code to the [[DCP]]<ref>Tweet from Adam Donenfeld (Zimperium): [https://twitter.com/doadam/status/1447647092055347209 This has been moved to the display coprocessor (DCP) starting from 15, at least on iPhone 12 (and most probably other ones as well)]</ref>. A small change to the PoC makes it panic the DCP coprocessor, which ''then'' panics the iOS kernel, but this is unlikely to allow exploiting the kernel. |
− | |||
− | (TODO: what about iOS14 on A14?) |
||
== References == |
== References == |
Latest revision as of 18:27, 26 October 2021
On 11 October 2021, Apple released iOS 15.0.2 with a fix for CVE-2021-30883, a vulnerability in IOMobileFrameBuffer which allows kernel code execution, and has been exploited in the wild according to Apple. The bug is also present in iOS 15.1 betas 1, 2 and 3. It was fixed in 14.8.1, 15.0.2, and 15.1b4.
Note that despite also involving IOMFB, this is a different vulnerability than CVE-2021-30807 which was fixed in 14.7.1.
Saar Amar quickly bindiff'd the kernel and wrote a blog post and PoC about this vulnerability.
Unlike CVE-2021-30807, this vulnerability is apparently exploitable from the app sandbox without any special entitlement.
Saar's PoC works on A10X, A11, A12, and A13 devices. Apparently, A14/A15 moved this code to the DCP[1]. A small change to the PoC makes it panic the DCP coprocessor, which then panics the iOS kernel, but this is unlikely to allow exploiting the kernel.
References
- ^ Tweet from Adam Donenfeld (Zimperium): This has been moved to the display coprocessor (DCP) starting from 15, at least on iPhone 12 (and most probably other ones as well)
This exploit article is a "stub", an incomplete page. Please add more content to this article and remove this tag. |