Analysis and Reproduction of iOS/OSX Vulnerability: CVE-2019-7286

iOS 12.1.4 is the latest version of iOS; it was released on February 8th, 2019 and patched four disclosed vulnerabilities. According to a tweet by Ben Hawkes of Google Project Zero, at least two of them were exploited in the wild as zero-days. Here at ZecOps Research Team we were keen to analyze these patched vulnerabilities and reveal more details about them.

If you are interested in doing similar research as part of our Reverse Bounty program – you may sign up here.

If you believe that you have been targeted – please contact ZecOps APT Incident Response Team here.

TL;DR:

  • CVE-2019-7286 was exploited in the wild.
  • The vulnerability appears to be of critical severity and could potentially also have been used to maintain persistence across reboots.
  • ZecOps was able to reproduce this vulnerability (POC code below).
  • The vulnerability could be used to escalate privileges to root as part of a jailbreak chain on iOS 12.1.3.

Analyzing CVE-2019-7286

According to Apple’s description:

Foundation
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An application may be able to gain elevated privileges
Description: A memory corruption issue was addressed with improved input validation.
CVE-2019-7286: an anonymous researcher, Clement Lecigne of Google Threat Analysis Group, Ian Beer of Google Project Zero, and Samuel Groß of Google Project Zero

Beyond the fact that the vulnerability was patched in Apple’s Foundation framework, the description does not give many details about the nature of the bug.

Binary diffing of the Foundation framework revealed no significant change between iOS 12.1.3 and iOS 12.1.4. The next immediate suspect was CoreFoundation, which showed a number of binary differences in the Diaphora tool, as shown below:

By comparing the patched and unpatched binaries, we found a few minor changes in the implementation of the CFPrefs daemon (cfprefsd).

The man page for this daemon isn’t too descriptive:

cfprefsd provides preferences services for the CFPreferences and
NSUserDefaults APIs.
There are no configuration options to cfprefsd manually.

The CFPreferences API is used by almost every piece of software on iOS/OS X when it launches, so a vulnerability in this daemon might also be useful for maintaining persistence. Surprisingly, there is no public information about this CVE yet, which one would expect for a vulnerability that was actively exploited in the wild.

Patch Analysis

The same bug was also present on OS X, which aided ZecOps’ investigation and analysis. The patch introduced several minor changes into cfprefsd, but the most important modification appears to be in the following function:

[CFPrefsDaemon handleMultiMessage:replyHandler:]

Below is ZecOps’ attempt to reconstruct the original Obj-C code, with the patch shown in bold:

Vulnerability Details

handleMultiMessage:replyHandler: has a reference counting issue with the “CFPreferencesMessages” array that is part of the XPC request.

The function reads the array’s objects one by one into a memory buffer using xpc_array_get_value, which returns a borrowed reference and does not change the reference count. The last part of the function, which releases every element in the buffer, assumes that the buffer owns the XPC objects. This is normally true, because the callback block calls xpc_retain and replaces the original objects in the xpc_buffer. However, the message body contains the handler index for the message, and not all handlers call the callback. If a crafted message selects a handler that does not call the callback, the buffer still holds the borrowed, un-retained objects, and releasing them results in a double free of each element.

An XPC message with the following keys and values will trigger the vulnerability:

Apple’s patch replaces the original XPC object in xpc_buffer[count] with xpc_null if the callback did not update that slot. As a result, there is no double free: xpc_null owns no memory to release.
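To make the ownership mistake concrete, the following is an added model written for this article; it is not ZecOps’ reconstruction and it does not use the real XPC API. It substitutes a toy reference-counted object for xpc_object_t, a toy array whose get_value returns a borrowed pointer (as xpc_array_get_value does), and two constructed handler IDs: one that invokes the reply callback and one that never does. The vulnerable function releases every buffer slot as if it were owned; the patched function swaps any slot the callback left untouched for a null object, mirroring the xpc_null fix described above. Instead of corrupting a heap, the model counts the releases that land on an already-freed object.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_ITEMS 8

/* Toy reference-counted object standing in for an xpc_object_t (constructed model). */
typedef struct {
    int refcount;      /* 0 means the object has already been "freed" */
    const char *name;
} obj_t;

/* Stand-in for xpc_null: owns no memory, so retaining or releasing it is a no-op. */
static obj_t toy_null = { -1, "null" };

/* A release that hits an object whose count is already 0 would be a double free
 * in the real allocator; the model just counts those events. */
static int double_frees;

static void obj_retain(obj_t *o) {
    if (o == &toy_null) return;
    o->refcount++;
}

static void obj_release(obj_t *o) {
    if (o == &toy_null) return;
    if (o->refcount <= 0) { double_frees++; return; }
    o->refcount--;
}

/* Toy array: like an XPC array, it owns one reference to each element. */
typedef struct {
    obj_t *items[MAX_ITEMS];
    size_t count;
} array_t;

/* Mirrors xpc_array_get_value: the caller gets a borrowed pointer, refcount unchanged. */
static obj_t *array_get_value(array_t *a, size_t i) { return a->items[i]; }

/* What the message owner does when the request is torn down. */
static void array_release_items(array_t *a) {
    for (size_t i = 0; i < a->count; i++) obj_release(a->items[i]);
}

/* Handler IDs are constructed for the model: HANDLER_REPLIES invokes the reply
 * callback, HANDLER_SILENT never does (the crafted-message case in the text). */
enum { HANDLER_REPLIES = 0, HANDLER_SILENT = 1 };

static obj_t reply_pool[MAX_ITEMS];
static size_t reply_used;

/* The reply callback retains a reply object and stores it into the slot, replacing
 * the borrowed request element. The release loop later depends on this having run. */
static void reply_callback(obj_t **slot) {
    obj_t *reply = &reply_pool[reply_used++ % MAX_ITEMS];
    *reply = (obj_t){ 0, "reply" };
    obj_retain(reply);   /* +1: the buffer now owns the reply */
    *slot = reply;
}

static void dispatch_handler(int handler_id, obj_t **slot) {
    if (handler_id == HANDLER_REPLIES) reply_callback(slot);
    /* HANDLER_SILENT: returns without touching the slot */
}

/* Pre-patch shape: every slot is released as if the buffer owned it. */
static void handle_multi_message_vuln(array_t *req, int handler_id) {
    obj_t *buf[MAX_ITEMS];
    for (size_t i = 0; i < req->count; i++) {
        buf[i] = array_get_value(req, i);        /* borrowed, never retained */
        dispatch_handler(handler_id, &buf[i]);
    }
    for (size_t i = 0; i < req->count; i++) obj_release(buf[i]);   /* drops the array's own reference when the callback did not run */
}

/* Patched shape: a slot the callback did not replace is swapped for the null
 * object, so the release loop has nothing to free for it. */
static void handle_multi_message_fixed(array_t *req, int handler_id) {
    obj_t *buf[MAX_ITEMS];
    for (size_t i = 0; i < req->count; i++) {
        obj_t *borrowed = array_get_value(req, i);
        buf[i] = borrowed;
        dispatch_handler(handler_id, &buf[i]);
        if (buf[i] == borrowed) buf[i] = &toy_null;
    }
    for (size_t i = 0; i < req->count; i++) obj_release(buf[i]);
}

typedef void (*handler_impl)(array_t *, int);

/* Builds a two-element request, runs it through the given implementation, then
 * tears the request down as the message owner would. Returns the double-free count. */
static int run_scenario(handler_impl impl, int handler_id) {
    obj_t req_items[2] = { { 1, "msg0" }, { 1, "msg1" } };
    array_t req = { { &req_items[0], &req_items[1] }, 2 };
    double_frees = 0;
    impl(&req, handler_id);
    array_release_items(&req);
    return double_frees;
}

int main(void) {
    printf("vulnerable, silent handler  : %d double frees\n", run_scenario(handle_multi_message_vuln, HANDLER_SILENT));
    printf("vulnerable, replying handler: %d double frees\n", run_scenario(handle_multi_message_vuln, HANDLER_REPLIES));
    printf("patched, silent handler     : %d double frees\n", run_scenario(handle_multi_message_fixed, HANDLER_SILENT));
    return 0;
}
```

The pointer comparison in the patched version is the whole fix: a slot that still holds the pointer obtained from the array was never taken over by the callback, so it must not be released. With the silent handler the vulnerable version reports one double free per element, the patched version none; with the replying handler both are clean, which is why the bug only surfaces for a message that selects a non-replying handler.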

Vulnerability Reproduction

We were able to reproduce CVE-2019-7286 using the POC code snippet below:

Running the above program on iOS 12.0.1 resulted in a cfprefsd crash:

Recommendations

  • Update to the latest OS X and iOS versions.
  • Reboot your iPhones/iPads occasionally (e.g. once a day) to disinfect from non-persistent attackers.
  • Contact ZecOps here if you think that you or your company are being targeted by APT groups.

If you enjoy doing similar analysis/research, we are accepting more researchers and analysts to our Reverse Bounty program.
