This is part II of the analysis of the Content-Filter Kernel Use-After-Free vulnerability that was patched on iOS 12.3. Although DoubleNull is a potent vulnerability, this vulnerability was silently patched and no CVE was assigned. Until an official CVE is assigned, let’s name this vulnerability “DoubleNull”.
We have observed continuous triggers of DoubleNull in the wild. We suspect that DoubleNull was actively exploited in the wild against targeted MDM/EMM users. The extraordinary thing about DoubleNull is that due to the nature of this vulnerability and its exploitation which requires to send UDP network packets, it presents an extremely rare DFIR opportunity to detect exploitation of Local Privilege Escalation in network traffic (PCAPs)!
The first blog post of DoubleNull describes the issue and explanation of the vulnerability as well as how to trigger it. Part I was published in May 2019 and available here: https://blog.zecops.com/vulnerabilities/analysis-and-poc-of-content-filter-kernel-use-after-free/
Since this vulnerability requires special entitlements/permissions to execute, this bug is near perfect for elevation of privileges in MDM/EMM environments and could have stayed silent for a long period of time. Apple has patched this bug in iOS 12.3.
Besides strange UDP traffic, other notable symptoms of exploitation of DoubleNull includes random reboots.
Free iOS / MacOS DFIR Tool To Inspect Exploitation Of DoubleNull
It is a rare opportunity for iOS/MacOS DFIR to be able to examine LPEs in UDP Packets meta-data, thus ZecOps decided to leverage this opportunity and release an iOS and MacOS DFIR Tool to investigate historical network dumps to identify which devices were compromised by the threat actor(s) that leveraged DoubleNull.
We are pleased to share a tool that is designed to inspect PCAPs for Content Filter hash_entry collisions that would trigger this vulnerability. The tool is available for download here: https://github.com/ZecOps/public/tree/master/cfil_hash_collision
Due to Content Filter Garbage Collection (GC) mechanism that is triggered every ten seconds, we are only interested in collisions that happened in less than 20 seconds. The lower the number (especially if it’s below 10 seconds), the higher the chances of an exploit. Collisions that happened after more than 20 seconds are meaningless.
You may use the tool for educational purposes and in corporate environments but not in commercial products unless ZecOps provide written consent.
Contact us ([email protected]) in case you observed hash_entry collisions on traffic from MacOS/iOS devices or if you observe any additional suspicious behavior such as random reboots.
- Update to the latest iOS version: this will render the privilege escalation part of the exploit chain unusable, and hence disinfect affected devices that were attacked by the threat actor(s) that leveraged this vulnerability. In addition, this update should rectify frequent random reboots on the affected devices.
- Run the PCAP tool to check historical data for devices that were exposed to this vulnerability: https://github.com/ZecOps/public/tree/master/cfil_hash_collision. Smaller delta between the first packet and the cfil_hash collision increases the chance that it was an attack. Collisions that happened after more than 20 seconds are meaningless.
Partners, Resellers, Distributors and Innovative Security Teams:
We’re still in stealth mode, but… we are already working with leading organizations globally. If you wish to learn more about what we do and what fresh vibes we bring to defensive cyber security, contact us here.