Introduction
The iOS 11 mptcp bug (CVE-2018-4241) discovered by Ian Beer is a serious kernel vulnerability: a buffer overflow in mptcp_usr_connectx() that allows an attacker to execute arbitrary code in a privileged context.
Ian Beer attached an interesting piece of PoC code that demonstrates a rather elegant technique for obtaining the kernel task port with this vulnerability. Building on the brief writeup that accompanies the PoC, this blog post walks through the PoC in detail and covers its background. If you are an iOS security researcher who hasn't looked into the PoC source code yet, hopefully you will find this material handy when you do.
Please have a copy of the mptcp PoC code at hand before we dive in. It is attached to Ian Beer's original Project Zero report, alongside his writeup.
Note: All credit for the exploitation techniques, the vulnerability PoC code and the original writeup belongs to Ian Beer of Google Project Zero.
The Vulnerability
Let's first take a quick look at the offending code in mptcp_usr_connectx(), the handler for the connectx syscall for the AF_MULTIPATH socket family:
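The XNU listing itself is not reproduced on this page. What follows is an added userland model of the bug class, written for this post and not taken from XNU or from Ian Beer's PoC; it does not claim to reproduce the exact check that was wrong in mptcp_usr_connectx(). It assumes what the description of a buffer overflow in a connectx handler suggests: a caller-supplied sockaddr is copied into a fixed-size slot using the sockaddr's own 8-bit sa_len, and the length is only validated for the address families the code expects. The struct names, the 28-byte slot, the canary and the 'A'-filled payload are all constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy BSD-style sockaddr, constructed for this demo: one length byte, one
 * family byte, then payload. An 8-bit length field means a caller can
 * describe at most 255 bytes, which is the key quantity here. */
struct toy_sockaddr {
    uint8_t sa_len;
    uint8_t sa_family;
    uint8_t sa_data[254];
};

#define TOY_AF_INET   2
#define TOY_INET_LEN  16     /* sa_len a well-formed TOY_AF_INET address must have */
#define CANARY        0xA5A5A5A5u

/* Toy session object. The 28-byte endpoint slot sits at offset 0 so a
 * straight copy lands there; the canary right behind it detects overflow;
 * the slack keeps an oversized copy inside this object so the demo does not
 * crash (a real kernel object has neighbours instead of slack). */
struct toy_session {
    uint8_t  ep_addr[28];
    uint32_t canary;
    uint8_t  slack[256];
};

/* VULNERABLE (hypothetical pattern): the length is validated only for the
 * family the code knows about, then the caller-controlled sa_len drives the
 * copy. Any other family skips the check and copies up to 255 bytes into a
 * 28-byte slot. */
static int ep_copy_vulnerable(struct toy_session *s, const struct toy_sockaddr *sa)
{
    if (sa->sa_family == TOY_AF_INET && sa->sa_len != TOY_INET_LEN)
        return -1;
    memcpy(s, sa, sa->sa_len);   /* endpoint slot is at offset 0 of the session */
    return 0;
}

/* HARDENED: refuse families the code does not handle, and never let the copy
 * exceed the destination, whatever the caller put in sa_len. */
static int ep_copy_hardened(struct toy_session *s, const struct toy_sockaddr *sa)
{
    if (sa->sa_family != TOY_AF_INET)
        return -1;
    if (sa->sa_len != TOY_INET_LEN || sa->sa_len > sizeof(s->ep_addr))
        return -1;
    memcpy(s->ep_addr, sa, sa->sa_len);
    return 0;
}

/* Run one copy routine on a constructed sockaddr.
 * Returns 1 if the canary behind the slot survived, 0 if it was overwritten,
 * -1 if the routine rejected the input. */
static int probe(int (*copy)(struct toy_session *, const struct toy_sockaddr *),
                 uint8_t family, uint8_t len)
{
    struct toy_session s;
    struct toy_sockaddr sa;

    memset(&s, 0, sizeof s);
    s.canary = CANARY;
    memset(&sa, 0x41, sizeof sa);   /* constructed payload: a run of 'A' bytes */
    sa.sa_len = len;
    sa.sa_family = family;

    if (copy(&s, &sa) != 0)
        return -1;
    return s.canary == CANARY ? 1 : 0;
}

int main(void)
{
    printf("vulnerable, AF_INET len 16      : %d\n", probe(ep_copy_vulnerable, TOY_AF_INET, 16));
    printf("vulnerable, AF_INET len 255     : %d\n", probe(ep_copy_vulnerable, TOY_AF_INET, 255));
    printf("vulnerable, unknown fam len 255 : %d\n", probe(ep_copy_vulnerable, 99, 255));
    printf("hardened,   unknown fam len 255 : %d\n", probe(ep_copy_hardened, 99, 255));
    printf("hardened,   AF_INET len 16      : %d\n", probe(ep_copy_hardened, TOY_AF_INET, 16));
    return 0;
}
```

The point to take from the model is that a family-gated length check is not a bound on the copy: the unhandled-family path reaches memcpy with the attacker's sa_len intact and clobbers whatever sits behind the slot. The hardened variant bounds the copy by the destination size first and only then consults the family-specific expectation.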