Difference between revisions of "CVE-2021-30883"

From The iPhone Wiki

Latest revision as of 18:27, 26 October 2021

On 11 October 2021, Apple released iOS 15.0.2 with a fix for CVE-2021-30883, a vulnerability in IOMobileFrameBuffer that allows kernel code execution and that, according to Apple, has been exploited in the wild. The bug is also present in iOS 15.1 betas 1, 2 and 3. It was fixed in 14.8.1, 15.0.2, and 15.1b4.

Note that despite also involving IOMFB, this is a different vulnerability from CVE-2021-30807, which was fixed in 14.7.1.

Saar Amar quickly bindiff'd the kernel and wrote a blog post and PoC about this vulnerability.

Unlike CVE-2021-30807, this vulnerability is apparently exploitable from the app sandbox without any special entitlement.

Saar's PoC works on A10X, A11, A12, and A13 devices. Apparently, A14/A15 moved this code to the DCP[1]. A small change to the PoC makes it panic the DCP coprocessor, which then panics the iOS kernel, but this is unlikely to allow exploiting the kernel.

References

1. Tweet from Adam Donenfeld (Zimperium): https://twitter.com/doadam/status/1447647092055347209 ("This has been moved to the display coprocessor (DCP) starting from 15, at least on iPhone 12 (and most probably other ones as well)")
