
Multicast bytecopy

From The Apple Wiki

multicast_bytecopy is an exploit for CVE-2021-30937, a use-after-free in the socket subsystem of XNU patched in iOS 15.2. The vulnerability was discovered by Sergei Glazunov of Google Project Zero and the exploit was written by John Aakerblom.

By triggering the use-after-free and spraying effectively, the attacker obtains a single-byte copy primitive: one byte is read from a kernel address of their choosing and written to another kernel address of their choosing. The addresses are controlled but the value is not, so the rest of the exploit consists of finding a byte that already exists in kernel memory and a location where that byte does something useful.

To turn the byte copy into an arbitrary free, the exploit targets ipc_kmsg, the kernel object that holds an in-flight Mach message. If the msgh_bits field of the message header has MACH_MSGH_BITS_COMPLEX (0x80000000) set, the kernel treats the start of the message body as a list of descriptors and, when the kmsg is destroyed, releases the kernel addresses those descriptors refer to. The same bytes in a message sent without the complex bit are just inline data that the kernel never interprets, which is what makes flipping the bit on an already-queued message valuable.

The exploit sends a message whose size field contains the byte 0x80, then uses the byte copy to move that byte from the size field onto the most significant byte of msgh_bits in the same kmsg header, which sets MACH_MSGH_BITS_COMPLEX. Because the message body is attacker-controlled, it has already been laid out as a descriptor pointing at an IOSurfaceClient array; when the now-complex kmsg is destroyed, that array is freed and its memory becomes available for reallocation.
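The header and body layout the two paragraphs above rely on, as an added example that is not code from the exploit or from this wiki. It models a Mach message header with the public mach/message.h field order, reduces each descriptor to the single pointer-sized address the text talks about (the real descriptor types, their size and type fields, and the kernel's exact release path are not reproduced), and shows why a size field whose low byte is 0x80 is the right source for the byte copy: on little-endian arm64, and on the little-endian host this compiles on, the top byte of msgh_bits is header offset 3 and the low byte of msgh_size is header offset 4. The model_* names, the 0x1513 bits value and the target address are constructed for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ != __ORDER_LITTLE_ENDIAN__
#error "this model assumes a little-endian target, as arm64 is"
#endif

/* Complex-message flag from mach/message.h, defined locally so the file
 * builds without Mach headers. */
#define MACH_MSGH_BITS_COMPLEX 0x80000000u

/* Field order of mach_msg_header_t (public API). Only msgh_bits and
 * msgh_size matter for the pivot. */
typedef struct {
    uint32_t msgh_bits;
    uint32_t msgh_size;
    uint32_t msgh_remote_port;
    uint32_t msgh_local_port;
    uint32_t msgh_voucher_port;
    int32_t  msgh_id;
} model_msg_header_t;

/* Constructed, simplified body: a descriptor count followed by descriptors
 * reduced to one pointer-sized address each. Real Mach descriptors also
 * carry type and size fields; they are omitted because only the address
 * matters for this illustration. */
#define MODEL_MAX_DESCRIPTORS 4
typedef struct {
    uint32_t descriptor_count;
    uint32_t pad;
    uint64_t address[MODEL_MAX_DESCRIPTORS];
} model_msg_body_t;

typedef struct {
    model_msg_header_t hdr;
    model_msg_body_t   body;
} model_kmsg_t;

/* The primitive the exploit obtains: copy one byte from src to dst. In the
 * exploit both are kernel addresses; here they are ordinary pointers. */
static void byte_copy(uint8_t *dst, const uint8_t *src)
{
    *dst = *src;
}

static int is_complex(const model_kmsg_t *k)
{
    return (k->hdr.msgh_bits & MACH_MSGH_BITS_COMPLEX) != 0;
}

/* Build a message the way the sender controls it: bits and size chosen by
 * the sender, body already laid out as one descriptor pointing at target. */
static model_kmsg_t make_kmsg(uint32_t bits, uint32_t size, uint64_t target)
{
    model_kmsg_t k = {0};
    k.hdr.msgh_bits = bits;
    k.hdr.msgh_size = size;
    k.body.descriptor_count = 1;
    k.body.address[0] = target;
    return k;
}

/* The pivot: copy header byte 4 (low byte of msgh_size) onto header byte 3
 * (high byte of msgh_bits). Nothing else changes. Returns the new msgh_bits. */
static uint32_t copy_size_byte_onto_bits(model_kmsg_t *k)
{
    uint8_t *raw = (uint8_t *)&k->hdr;
    byte_copy(raw + offsetof(model_msg_header_t, msgh_bits) + 3,
              raw + offsetof(model_msg_header_t, msgh_size));
    return k->hdr.msgh_bits;
}

/* Model of destroying the kmsg: a simple message's body is inert data; a
 * complex message's body is walked as descriptors and each address is handed
 * to the release path. Returns how many addresses would be released and
 * writes them to out. */
static size_t model_destroy(const model_kmsg_t *k, uint64_t *out, size_t max)
{
    if (!is_complex(k))
        return 0;
    size_t n = k->body.descriptor_count;
    if (n > MODEL_MAX_DESCRIPTORS) n = MODEL_MAX_DESCRIPTORS;
    if (n > max) n = max;
    for (size_t i = 0; i < n; i++)
        out[i] = k->body.address[i];
    return n;
}

int main(void)
{
    /* Constructed values: 0x1513 is an ordinary simple-message msgh_bits
     * (copy-send remote, make-send-once local), 0x80 is the size byte the
     * article names, and the target stands in for the IOSurfaceClient array. */
    model_kmsg_t k = make_kmsg(0x1513, 0x80, 0xffffffe012345000ull);
    uint64_t freed[MODEL_MAX_DESCRIPTORS];

    printf("before: bits=0x%08x complex=%d released=%zu\n",
           k.hdr.msgh_bits, is_complex(&k), model_destroy(&k, freed, 4));
    copy_size_byte_onto_bits(&k);
    size_t n = model_destroy(&k, freed, 4);
    printf("after:  bits=0x%08x complex=%d released=%zu target=0x%llx\n",
           k.hdr.msgh_bits, is_complex(&k), n,
           n ? (unsigned long long)freed[0] : 0ull);
    return 0;
}
```

Build with `cc -std=c11 -Wall model_kmsg.c`. The model also shows the constraint on the source byte: any size whose low byte has bit 7 clear (0x40, say) lands harmlessly in the upper msgh_bits without setting the complex flag, so the size of the sprayed message is chosen specifically so that its low byte is 0x80. How the exploit locates the kernel addresses of these two header bytes is part of the UAF and kmsg-layout work the model does not cover.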

The freed allocation is then reclaimed with IOGPUCommandQueue objects. If the reallocation succeeds, the kernel still treats the memory as the IOSurfaceClient array while the attacker can write to it through the IOGPUCommandQueue objects that now overlap it. By changing fields of the fake IOSurfaceClient entries, the attacker redirects the IOSurface external method selectors that read from and write to kernel pointers held inside the object, which yields arbitrary kernel read and write.
