Muirey03 / CVE-2022-32832

Proof-of-concept and write-up for the CVE-2022-32832 vulnerability patched in iOS 15.6

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

CVE-2022-32832

Proof-of-concept and write-up for the CVE-2022-32832 vulnerability patched in iOS 15.6

CVE-2022-32832 is a vulnerability in the AppleAPFSUserClient::methodDeltaCreateFinalize external method (selector 49). Here is the decompilation pre-patch:

__int64 __cdecl AppleAPFSUserClient::methodDeltaCreateFinalize(AppleAPFSUserClient *this, void *a2, IOExternalMethodArguments *args)
{
	void *ctx;
	__int64 result;

	ctx = this->deltaCreateCtx;
	if ( !ctx )
		return 0xE00002D8LL;
	AppleAPFSContainer::deltaCreateTeardown(ctx);
	result = 0LL;
	this->deltaCreateCtx = 0LL;
	return result;
}

AppleAPFSUserClient::externalMethod does not use any synchronisation techniques to serialise external method calls. This means that it is possible for an attacker to double-free the delta_create_ctx_t, and related properties, by racing two calls to AppleAPFSUserClient::methodDeltaCreateFinalize on the same userclient, as both will be able to call into AppleAPFSContainer::deltaCreateTeardown (the method responsible for freeing the delta_create_ctx_t) before this->deltaCreateCtx is set to NULL.

In order to trigger this, an attacker first needs to create a "delta create context" on the userclient by using the external method AppleAPFSUserClient::methodDeltaCreatePrepare (selector 36). This requires an unmounted volume to function, so a normal exploit flow requires the attacker to also create a target volume using the external method AppleAPFSUserClient::methodVolumeCreate, which requires superuser privileges. It is for this reason that Apple described the impact of the vulnerability as:

An app with root privileges may be able to execute arbitrary code with kernel privileges

This repository includes a proof-of-concept exploit for this issue that causes a kernel panic on vulnerable macOS versions by underflowing a kernel object's reference count. This exploit must be executed as root for the reasons mentioned above.

CVE-2022-32832 was patched by adding IOLockLock and IOLockUnlock calls to AppleAPFSUserClient::methodDeltaCreateFinalize to protect the vulnerable code.

About

Proof-of-concept and write-up for the CVE-2022-32832 vulnerability patched in iOS 15.6

License:MIT License


Languages

Language:C 94.6%Language:Makefile 5.4%