Difference between revisions of "CVE-2021-30883"

From The iPhone Wiki
Jump to: navigation, search
(Apparently iOS 14 on A14 doesn't work either (panics DCP))
(bug also present in 15.1b1–15.1b3)
Line 1: Line 1:
On {{date|2021|10|11}}, [https://support.apple.com/en-us/HT212623 Apple released iOS 15.0.2] with a fix for CVE-2021-30883, a vulnerability in IOMobileFrameBuffer which allows kernel code execution, and has been exploited in the wild according to Apple. Note that is is not the same as [[CVE-2021-30807]] which was fixed in 14.7.1.
+
On {{date|2021|10|11}}, [https://support.apple.com/en-us/HT212623 Apple released iOS 15.0.2] with a fix for CVE-2021-30883, a vulnerability in IOMobileFrameBuffer which allows kernel code execution, and has been exploited in the wild according to Apple. The bug is also present in iOS 15.1 beta 1 to beta 3.
  +
  +
Note that despite also involving IOMFB, this is a different vulnerability than [[CVE-2021-30807]] which was fixed in 14.7.1.
   
 
Saar Amar quickly bindiff'd the kernel and [https://saaramar.github.io/IOMFB_integer_overflow_poc/ wrote a blog post and PoC] about this vulnerability.
 
Saar Amar quickly bindiff'd the kernel and [https://saaramar.github.io/IOMFB_integer_overflow_poc/ wrote a blog post and PoC] about this vulnerability.

Revision as of 00:00, 12 October 2021

On 11 October 2021, Apple released iOS 15.0.2 with a fix for CVE-2021-30883, a vulnerability in IOMobileFrameBuffer which allows kernel code execution, and has been exploited in the wild according to Apple. The bug is also present in iOS 15.1 beta 1 to beta 3.

Note that despite also involving IOMFB, this is a different vulnerability than CVE-2021-30807 which was fixed in 14.7.1.

Saar Amar quickly bindiff'd the kernel and wrote a blog post and PoC about this vulnerability.

Unlike CVE-2021-30807, this vulnerability is apparently exploitable from the app sandbox without any special entitlement.

Saar's PoC only works on A10A13 devices. Apparently, A14/A15 moved this code to the DCP[1]. A small change to the PoC causes the DCP coprocessor to panic, which then panics the iOS kernel, but this is unlikely to allow exploiting the kernel.

References

Tango Utilities-terminal.png This exploit article is a "stub", an incomplete page. Please add more content to this article and remove this tag.