Trigon
Vulnerability in XNU
Software: iOS
Vulnerable in: ? - 15.7.6, 16.5
Fixed in: 15.7.7, 16.5.1
Disclosed: 28 December 2023 (2023-12-28)
Discovered by: Kaspersky
CVE: CVE-2023-32434
Apple KB: 103837

Trigon is a kernel exploit based on CVE-2023-32434, the same CVE assigned to kfd's smith exploit, although Trigon targets a different bug covered by that CVE. Trigon is deterministic: the exploit never fails and never panics the kernel.

The bug is an integer overflow in the XNU function mach_make_memory_entry (and its 64-bit variant mach_make_memory_entry_64), which userspace can call directly. Mach memory entries allow a process to, essentially, reserve a region of memory without mapping all of it, so that it can be mapped later or handed to another process and mapped there. A memory entry can also be created from a parent entry, yielding a sub-entry of the parent. Since the beginning of XNU, the only check on the requested size was (offset + *size + parent_entry->data_offset) < parent_entry->size.

This check is vulnerable to an integer overflow: all three terms are unsigned 64-bit values and their sum wraps. Requesting a size of 0xFFFFFFFFFFFFC000 with an offset of 0x8000 makes the sum wrap to 0x4000, so any parent entry larger than 0x4000 (with an offset of zero) passes the check, and the resulting entry covers far more than its parent.
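The following is an added example, not code from XNU or from Trigon, that reproduces the size check in the form the text gives it so the wrap can be seen, and places an overflow-safe version beside it. The function names, the scalar parameters standing in for the parent entry's fields, and the parent size of 0x10000 are this example's own choices; the size and offset values are the ones from the text.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * The check as the page describes it:
 *     (offset + size + parent->data_offset) < parent->size
 * All arithmetic is unsigned 64-bit, so the sum wraps silently.
 * Names and signature are this example's, not XNU's.
 * Returns true when the request would be accepted.
 */
bool entry_check_vulnerable(uint64_t offset, uint64_t size,
                            uint64_t parent_data_offset, uint64_t parent_size)
{
    uint64_t end = offset + size + parent_data_offset; /* may wrap to a small value */
    return end < parent_size;
}

/* Hardened form: reject the request if either addition would wrap.
 * __builtin_add_overflow is a GCC/Clang builtin. */
bool entry_check_hardened(uint64_t offset, uint64_t size,
                          uint64_t parent_data_offset, uint64_t parent_size)
{
    uint64_t end;
    if (__builtin_add_overflow(offset, size, &end))
        return false;
    if (__builtin_add_overflow(end, parent_data_offset, &end))
        return false;
    return end < parent_size;
}

/* The wrapped end offset, so the value the vulnerable check compares is visible. */
uint64_t wrapped_end(uint64_t offset, uint64_t size, uint64_t parent_data_offset)
{
    return offset + size + parent_data_offset;
}

int main(void)
{
    /* Size and offset from the text; data_offset 0 and a parent size of
     * 0x10000 are constructed values for the demonstration. */
    const uint64_t offset = 0x8000, size = 0xFFFFFFFFFFFFC000ULL;
    const uint64_t parent_data_offset = 0, parent_size = 0x10000;

    printf("wrapped end = 0x%llx\n",
           (unsigned long long)wrapped_end(offset, size, parent_data_offset));
    printf("vulnerable check: %s\n",
           entry_check_vulnerable(offset, size, parent_data_offset, parent_size)
               ? "accepted" : "rejected");
    printf("hardened check:   %s\n",
           entry_check_hardened(offset, size, parent_data_offset, parent_size)
               ? "accepted" : "rejected");
    return 0;
}
```

The vulnerable check accepts the request because it compares 0x4000 against the parent size; the hardened check rejects it because the first addition already overflows. A parent smaller than 0x4000 would make even the vulnerable check fail, which is why the parent entry must be larger than the wrapped sum.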

With a normal memory entry as the parent, this cannot be turned into kernel read/write, because a special kind of parent entry is required: one whose backing object has the internal flag set to false, i.e. it is not ordinary anonymous memory managed by the kernel. The trick is to create an IOSurface in the 'PurpleGfxMem' memory region, create a memory entry from it, and use that as the parent. With the overflowed memory entry created from that parent, all of physical memory is immediately accessible.

Several limitations, chiefly that page tables cannot be mapped, make it infeasible to walk backwards through memory looking for the kernel base: accidentally reading a page-table page panics the device. Trigon instead uses MMIO, which its arbitrary physical-address mapping primitive can map. IORVBAR holds the physical address inside the kernelcache that a CPU core jumps to after reset, so the kernel base can be found quickly by searching backwards from the address read out of IORVBAR.
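An added example, not Trigon's code, of the backwards search described above. Physical memory is simulated by a flat array with a fake Mach-O header on one page and a "reset vector" address on a later page, and the walk steps back one 16 KiB page at a time until it finds a page beginning with the 64-bit Mach-O magic. The simulated base address, page counts, and all function names are this example's assumptions; the only real constant is the Mach-O magic 0xFEEDFACF.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KPAGE_SIZE     0x4000ULL    /* 16 KiB pages on arm64 iOS */
#define MACHO_MAGIC_64 0xFEEDFACFu  /* MH_MAGIC_64, first word of a 64-bit Mach-O */

/* Constructed "physical memory": byte i of g_mem stands for physical address
 * SIM_PHYS_BASE + i. In the real exploit every read below would go through the
 * physical mapping primitive; here it is a plain array so the walk runs offline.
 * The base address and size are arbitrary. */
#define SIM_PHYS_BASE 0x800000000ULL
#define SIM_PAGES     64
static uint8_t g_mem[SIM_PAGES * KPAGE_SIZE];

/* Read a little-endian 32-bit word at a simulated physical address.
 * Returns 0 and sets *ok = 0 when the address is outside the simulation. */
static uint32_t sim_read32(uint64_t pa, int *ok)
{
    if (pa < SIM_PHYS_BASE || pa + 4 > SIM_PHYS_BASE + sizeof g_mem) {
        *ok = 0;
        return 0;
    }
    uint32_t w;
    memcpy(&w, &g_mem[pa - SIM_PHYS_BASE], sizeof w);
    *ok = 1;
    return w;
}

/* Walk backwards one page at a time from the reset-vector address until a page
 * starts with the 64-bit Mach-O magic; that page is the kernel base. Stops at
 * lowest_pa so the walk cannot run off the bottom of DRAM. Returns 0 if no
 * header is found. */
uint64_t find_kernel_base(uint64_t rvbar_pa, uint64_t lowest_pa)
{
    uint64_t page = rvbar_pa & ~(KPAGE_SIZE - 1);
    while (page >= lowest_pa) {
        int ok;
        uint32_t w = sim_read32(page, &ok);
        if (!ok)
            return 0;
        if (w == MACHO_MAGIC_64)
            return page;
        if (page < lowest_pa + KPAGE_SIZE)
            break;                      /* next step would go below lowest_pa */
        page -= KPAGE_SIZE;
    }
    return 0;
}

/* Build the simulation: a fake kernel header on page header_page and a
 * "reset vector" address part-way into page rvbar_page. Returns the base
 * address the walk is expected to find. */
uint64_t sim_setup(unsigned header_page, unsigned rvbar_page, uint64_t *rvbar_pa)
{
    memset(g_mem, 0, sizeof g_mem);
    uint64_t base = SIM_PHYS_BASE + header_page * KPAGE_SIZE;
    uint32_t magic = MACHO_MAGIC_64;
    memcpy(&g_mem[base - SIM_PHYS_BASE], &magic, sizeof magic);
    *rvbar_pa = SIM_PHYS_BASE + rvbar_page * KPAGE_SIZE + 0x800;
    return base;
}

/* Set up one scenario and run the walk; returns the base found (0 if none). */
uint64_t sim_run(unsigned header_page, unsigned rvbar_page)
{
    uint64_t rvbar;
    sim_setup(header_page, rvbar_page, &rvbar);
    return find_kernel_base(rvbar, SIM_PHYS_BASE);
}

int main(void)
{
    uint64_t rvbar;
    uint64_t expected = sim_setup(3, 20, &rvbar);
    uint64_t found = find_kernel_base(rvbar, SIM_PHYS_BASE);
    printf("reset vector 0x%llx -> kernel base 0x%llx (expected 0x%llx)\n",
           (unsigned long long)rvbar, (unsigned long long)found,
           (unsigned long long)expected);
    return found == expected ? 0 : 1;
}
```

The simulation does not model the caveat from the text: on a real device every page touched during the walk must be one the exploit can safely map, since reading a page-table page panics the kernel. The search works in practice because the reset vector lies inside the kernelcache, so the pages between it and the Mach-O header are kernel text rather than page tables.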

With the kernel base known, the exploit patchfinds the kernel's root page table and the pv_head_table, an array with one entry per physical page that records what the page is used for; it tells the exploit whether a page is a page table and therefore unsafe to read. The exploit then sprays a large number of IOSurface objects and scans every non-page-table page in DRAM for an IOSurface belonging to the process. When it finds one, it maps that page into the process, which then controls several pointers inside the IOSurface object. By modifying pointers used by IOSurface client methods exported to userspace, the exploit gains arbitrary kernel read and write.

Trigon currently supports A10(X) devices on iOS 13 - 15.7.6. Future releases will add support for A7, A8(X), A9(X) and A11 devices, as well as iOS 16 support.

External Links