Exploiting iOS 11.0-11.3.1 Multipath TCP: A Walkthrough

Introduction

The iOS 11 MPTCP bug (CVE-2018-4241), discovered by Ian Beer, is a serious kernel vulnerability: a buffer overflow in mptcp_usr_connectx that allows an attacker to execute arbitrary code with kernel privileges.

Ian Beer attached a PoC that demonstrates a rather elegant technique for obtaining the kernel task port with this vulnerability. Building on the brief writeup that accompanies the PoC, this post walks through the PoC in detail and covers the background it relies on. If you are an iOS security researcher who has not yet looked at the PoC source, hopefully you will find this material handy when you do.

Please have a copy of the MPTCP PoC code at hand before we dive in. You can download it here: Download

Note: All credit for the exploitation techniques, the vulnerability PoC code and the original writeup belongs to Ian Beer of Google Project Zero.

The Vulnerability

Let's first take a quick look at the offending code in mptcp_usr_connectx(), the handler for the connectx syscall on AF_MULTIPATH sockets:

[...]
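The listing itself is cut on this page. As an added example (not the page's code and not the XNU source), the following user-space C model shows the shape of bug the post describes: a connectx-style handler that copies a caller-supplied sockaddr into a fixed-size destination union using the caller's own sa_len as the copy length, next to a hardened version that validates sa_len against the size implied by sa_family before copying anything. The names mptses_model, connectx_dst_unchecked and connectx_dst_checked, the struct layouts, the BSD_AF_* values and the constructed 255-byte input are simplified stand-ins, and the "attacker-controlled sa_len" shape is an assumption about the bug rather than something this page states.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified BSD-style socket address types (stand-ins, not the real headers).
 * The first byte is the length field that the caller of connectx controls. */
#define BSD_AF_INET  2
#define BSD_AF_INET6 30

struct bsd_sockaddr     { uint8_t sa_len;   uint8_t sa_family;   char sa_data[14]; };
struct bsd_sockaddr_in  { uint8_t sin_len;  uint8_t sin_family;  uint16_t sin_port;
                          uint32_t sin_addr; char sin_zero[8]; };
struct bsd_sockaddr_in6 { uint8_t sin6_len; uint8_t sin6_family; uint16_t sin6_port;
                          uint32_t sin6_flowinfo; uint8_t sin6_addr[16]; uint32_t sin6_scope_id; };

/* Hypothetical model of the MPTCP session object: a 28-byte destination union
 * followed by other fields. `canary` stands in for whatever follows the union. */
struct mptses_model {
    union {
        struct bsd_sockaddr     sa;
        struct bsd_sockaddr_in  v4;
        struct bsd_sockaddr_in6 v6;
    } mpte_dst;
    uint32_t canary;
};

/* The session plus a neighbour buffer, so the overflow in this demo lands in
 * memory we own instead of corrupting the real heap. */
struct victim_region {
    struct mptses_model mpte;
    uint8_t neighbour[256];
};

/* Vulnerable shape: the copy length comes straight from the caller's sa_len,
 * so a 255-byte "sockaddr" overruns the 28-byte union. */
static int connectx_dst_unchecked(struct mptses_model *mpte, const struct bsd_sockaddr *dst)
{
    memcpy(&mpte->mpte_dst, dst, dst->sa_len);
    return 0;
}

/* Hardened shape: sa_len must match the size implied by sa_family before any copy. */
static int connectx_dst_checked(struct mptses_model *mpte, const struct bsd_sockaddr *dst)
{
    if (dst == NULL)
        return EINVAL;
    switch (dst->sa_family) {
    case BSD_AF_INET:
        if (dst->sa_len != sizeof(struct bsd_sockaddr_in))
            return EINVAL;
        break;
    case BSD_AF_INET6:
        if (dst->sa_len != sizeof(struct bsd_sockaddr_in6))
            return EINVAL;
        break;
    default:
        return EAFNOSUPPORT;
    }
    memcpy(&mpte->mpte_dst, dst, dst->sa_len);
    return 0;
}

/* Constructed malicious sockaddr: AF_INET family, sa_len = 255, body filled with 0x41. */
static void build_evil_sockaddr(uint8_t *buf)
{
    memset(buf, 0x41, 255);
    buf[0] = 255;            /* sa_len: the maximum a uint8_t allows */
    buf[1] = BSD_AF_INET;    /* a family the handler accepts */
}

/* Runs the unchecked copy; returns how many bytes of `neighbour` were overwritten
 * and, if canary_hit is non-NULL, whether the canary after the union changed. */
static size_t demo_overflow_bytes(int *canary_hit)
{
    uint8_t evil[255];
    build_evil_sockaddr(evil);
    struct victim_region *r = calloc(1, sizeof *r);
    r->mpte.canary = 0xDEADBEEFu;
    connectx_dst_unchecked(&r->mpte, (const struct bsd_sockaddr *)evil);
    size_t clobbered = 0;
    for (size_t i = 0; i < sizeof r->neighbour; i++)
        if (r->neighbour[i] == 0x41)
            clobbered++;
    if (canary_hit)
        *canary_hit = (r->mpte.canary != 0xDEADBEEFu);
    free(r);
    return clobbered;
}

static int demo_canary_clobbered(void)
{
    int hit = 0;
    demo_overflow_bytes(&hit);
    return hit;
}

/* Runs the checked copy on the same malicious input and returns its error code. */
static int demo_hardened_result(void)
{
    uint8_t evil[255];
    build_evil_sockaddr(evil);
    struct mptses_model mpte = {0};
    return connectx_dst_checked(&mpte, (const struct bsd_sockaddr *)evil);
}

/* A well-formed sockaddr_in is still accepted by the hardened path (returns 1). */
static int demo_hardened_accepts_valid(void)
{
    struct bsd_sockaddr_in sin = {0};
    sin.sin_len = sizeof sin;
    sin.sin_family = BSD_AF_INET;
    sin.sin_port = 0x5000;
    struct mptses_model mpte = {0};
    int rc = connectx_dst_checked(&mpte, (const struct bsd_sockaddr *)&sin);
    return rc == 0 && mpte.mpte_dst.v4.sin_port == 0x5000;
}

int main(void)
{
    printf("unchecked copy: canary %s, %zu neighbour bytes overwritten\n",
           demo_canary_clobbered() ? "clobbered" : "intact", demo_overflow_bytes(NULL));
    printf("checked copy on the same input: %s\n",
           demo_hardened_result() == EINVAL ? "EINVAL" : "other");
    printf("checked copy on a valid sockaddr_in: %s\n",
           demo_hardened_accepts_valid() ? "accepted" : "rejected");
    return 0;
}
```

The sizes are the point: with a 28-byte union and a one-byte length field, the unchecked copy can write up to 227 bytes past the union into whatever the allocator placed next, which is exactly the primitive a kernel exploit builds on. The fix is not a clamp on sa_len but an equality check against the size the declared family implies; a clamp would still let a short or mismatched family slip through.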

This article has been indexed from Keen Security Lab Blog