Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
9.3
CVSSv2

CVE-2017-13861

Published: 25/12/2017 Updated: 02/06/2019
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 1000
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Subscribe to Apple

Vulnerability Summary

An issue exists in certain Apple products. iOS prior to 11.2 is affected. tvOS prior to 11.2 is affected. watchOS prior to 4.2 is affected. The issue involves the "IOSurface" component. It allows malicious users to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

apple tvos

apple iphone os

apple watchos

Exploits

Exploit DB: Apple macOS/iOS - Kernel Double Free due to IOSurfaceRootUserClient not Respecting MIG Ownership Rules
I have previously detailed the lifetime management paradigms in MIG in the writeups for: CVE-2016-7612 [bugschromiumorg/p/project-zero/issues/detail?id=926] and CVE-2016-7633 [bugschromiumorg/p/project-zero/issues/detail?id=954] If a MIG method returns KERN_SUCCESS it means that the method took ownership of *all* the argume ...
Exploit DB: Safari Webkit Proxy Object Type Confusion
This Metasploit module exploits a type confusion bug in the Javascript Proxy object in WebKit The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation This makes it possible to change the structure of eg an argument without causing a bailout, ...
Exploit DB: Safari Webkit Proxy Object Type Confusion
This module exploits a type confusion bug in the Javascript Proxy object in WebKit The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation This makes it possible to change the structure of eg an argument withou ...
Exploit DB: Safari Webkit Proxy Object Type Confusion
This module exploits a type confusion bug in the Javascript Proxy object in WebKit The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation This makes it possible to change the structure of eg an argument withou ...

Metasploit Modules

Safari Webkit Proxy Object Type Confusion

This module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The type confusion leads to the ability to allocate fake Javascript objects, as well as the ability to find the address in memory of a Javascript object. This allows us to construct a fake JSCell object that can be used to read and write arbitrary memory from Javascript. The module then uses a ROP chain to write the first stage shellcode into executable memory within the Safari process and kick off its execution. The first stage maps the second stage macho (containing CVE-2017-13861) into executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake exploit leads to a kernel task port (TFP0) that can read and write arbitrary kernel memory. The processes credential and sandbox structure in the kernel is overwritten and the meterpreter payloads code signature hash is added to the kernels trust cache, allowing Safari to load and execute the (self-signed) meterpreter payload.

msf > use exploit/apple_ios/browser/webkit_createthis
msf exploit(webkit_createthis) > show targets
    ...targets...
msf exploit(webkit_createthis) > set TARGET < target-id >
msf exploit(webkit_createthis) > show options
    ...show and set options...
msf exploit(webkit_createthis) > exploit
Safari Webkit Proxy Object Type Confusion

This module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The type confusion leads to the ability to allocate fake Javascript objects, as well as the ability to find the address in memory of a Javascript object. This allows us to construct a fake JSCell object that can be used to read and write arbitrary memory from Javascript. The module then uses a ROP chain to write the first stage shellcode into executable memory within the Safari process and kick off its execution. The first stage maps the second stage macho (containing CVE-2017-13861) into executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake exploit leads to a kernel task port (TFP0) that can read and write arbitrary kernel memory. The processes credential and sandbox structure in the kernel is overwritten and the meterpreter payloads code signature hash is added to the kernels trust cache, allowing Safari to load and execute the (self-signed) meterpreter payload.

msf > use exploit/apple_ios/browser/webkit_createthis
msf exploit(webkit_createthis) > show targets
    ...targets...
msf exploit(webkit_createthis) > set TARGET < target-id >
msf exploit(webkit_createthis) > show options
    ...show and set options...
msf exploit(webkit_createthis) > exploit

Github Repositories

https://github.com/Embodimentgeniuslm3/glowing-adventure

This repo provides some info on how to downgrade, jailbreak, and setup IOS 1033 on an iPhone 5s The "install" script in this repo lists all post-jailbreak steps, so use that one in addition to this readme to guide you This repo provides sources only The full package can be downloaded from the releases section: githubcom/WRFan/jailbreak1033/releases

https://github.com/WRFan/jailbreak10.3.3

This repo provides some info on how to downgrade, jailbreak, and setup IOS 10.3.3 on an iPhone 5s.

This repo provides some info on how to downgrade, jailbreak, and setup IOS 1033 on an iPhone 5s The "install" script in this repo lists all post-jailbreak steps, so use that one in addition to this readme to guide you This repo provides sources only The full package can be downloaded from the releases section: githubcom/WRFan/jailbreak1033/releases

References

CWE-119https://support.apple.com/HT208334https://support.apple.com/HT208327https://support.apple.com/HT208325https://www.exploit-db.com/exploits/43320/http://www.securitytracker.com/id/1039953http://www.securitytracker.com/id/1039952http://www.securityfocus.com/bid/102134http://packetstormsecurity.com/files/153148/Safari-Webkit-Proxy-Object-Type-Confusion.htmlhttps://nvd.nist.govhttps://www.exploit-db.com/exploits/43320/https://github.com/WRFan/jailbreak10.3.3
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
client sideCVE-2023-31889template injectionCVE-2024-4304CVE-2006-4304CVE-2024-33272type confusionCVE-2024-21345CVE-2024-33271
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook