An obscure Apple kernel extension patched in July in iOS 10.3.3 was originally built without security measures in place, according to the researcher who privately disclosed the flaws.
Today at the Hack in the Box security conference in Singapore, Zimperium zLabs’ Adam Donenfeld was scheduled to disclose details on seven flaws he found in the AppleAVEDriver.kext, a video encoder kernel extension, as well as another critical issue in the IOSurface.kext.
Donenfeld said he was able to chain together several of the vulnerabilities in order to locally elevate privileges and control an iOS device. There wasn’t much of an impediment from the AVE kernel extension.
“It feels like they assumed that there are no attackers out there; it was like they didn’t think someone would abuse it. There were no security measures at all,” Donenfeld said. “It was as if they didn’t consider the kernel different from userland.”
Donenfeld said that, for example, there were kernel pointers inside userland.
“The user is not supposed to have access to that information,” he said. “[Apple] completely ignored that fact.”
The bugs were believed fixed initially in May in iOS 10.3.2, but Apple asked Donenfeld to keep the details private until they were fully fixed last month.
AVEDriver accelerates video encoding on an iOS device. Donenfeld called it a complicated process, and said it is done at a lower level of the device to speed up that process.
“The problem was in the implementation,” he said. “There were lots of bugs and Apple did not consider any security concepts when it was written. That’s why this was so surprising and concerning. I did not expect something like this to happen in 2017.”
Most of the seven AppleAVE vulnerabilities privately disclosed by Donenfeld were information disclosure bugs that leaked critical memory information, in some instances, allowing an attacker to elevate privileges on the device. An attacker would already have to have code execution on the device, he said.
The seven AppleAVE.kext bugs are:
The IOSurface.kext bug is CVE-2017-6979 where a race condition exists inside the driver that allows for a bypass of security checks during creation of an IOSurface object. This can lead to privilege escalation, Donenfeld said.
“Because I had so many bugs, I didn’t try to make a complete exploit just out of one of them,” Donenfeld explained. “I think that some of them could give you the capability of exploiting the device just using one. It depends of the vulnerability and what it gives you. If that was required, some of them gave you enough to compromise the kernel on their own.”