The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.

Difference between revisions of "CVE-2021-30883"

From The iPhone Wiki
Jump to: navigation, search
(poc doesn't work on A10 (I think it was never claimed to work, my bad writing the page))
(PoC works on A10X. Also reword DCP stuff a bit.)
Line 7: Line 7:
 
Unlike CVE-2021-30807, this vulnerability is apparently exploitable from the app sandbox without any special entitlement.
  
Unlike CVE-2021-30807, this vulnerability is apparently exploitable from the app sandbox without any special entitlement.
   
Saar's PoC only works on [[A11]]&ndash;[[A13]] devices. Apparently, A14/A15 moved this code to the [[DCP]]<ref>Tweet from Adam Donenfeld (Zimperium): [https://twitter.com/doadam/status/1447647092055347209 This has been moved to the display coprocessor (DCP) starting from 15, at least on iPhone 12 (and most probably other ones as well)]</ref>. A small change to the PoC causes the DCP coprocessor to panic, which then panics the iOS kernel, but this is unlikely to allow exploiting the kernel.
 +
Saar's PoC works on [[A10X]], [[A11]], [[A12]], and [[A13]] devices. Apparently, A14/A15 moved this code to the [[DCP]]<ref>Tweet from Adam Donenfeld (Zimperium): [https://twitter.com/doadam/status/1447647092055347209 This has been moved to the display coprocessor (DCP) starting from 15, at least on iPhone 12 (and most probably other ones as well)]</ref>. A small change to the PoC makes it panic the DCP coprocessor, which ''then'' panics the iOS kernel, but this is unlikely to allow exploiting the kernel.
   
 
== References ==
  
== References ==

Revision as of 16:18, 13 October 2021

On 11 October 2021, Apple released iOS 15.0.2 with a fix for CVE-2021-30883, a vulnerability in IOMobileFrameBuffer which allows kernel code execution, and has been exploited in the wild according to Apple. The bug is also present in iOS 15.1 beta 1 to beta 3.

Note that despite also involving IOMFB, this is a different vulnerability than CVE-2021-30807 which was fixed in 14.7.1.

Saar Amar quickly bindiff'd the kernel and wrote a blog post and PoC about this vulnerability.

Unlike CVE-2021-30807, this vulnerability is apparently exploitable from the app sandbox without any special entitlement.

Saar's PoC works on A10X, A11, A12, and A13 devices. Apparently, A14/A15 moved this code to the DCP[1]. A small change to the PoC makes it panic the DCP coprocessor, which then panics the iOS kernel, but this is unlikely to allow exploiting the kernel.

References

  1. ^ Tweet from Adam Donenfeld (Zimperium): This has been moved to the display coprocessor (DCP) starting from 15, at least on iPhone 12 (and most probably other ones as well)
Tango Utilities-terminal.png This exploit article is a "stub", an incomplete page. Please add more content to this article and remove this tag.
Retrieved from "https://www.theiphonewiki.com/w/index.php?title=CVE-2021-30883&oldid=118605"