CVE-2018-4087

Published: 03/04/2018 Updated: 27/04/2018
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 937
CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

An issue was discovered in certain Apple products. iOS prior to 11.2.5 is affected. tvOS prior to 11.2.5 is affected. watchOS prior to 4.2.2 is affected. The issue involves the "Core Bluetooth" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

Affected Products

Vendor | Product   | Versions
Apple  | Apple TV  | 1.0.0, 1.1.0, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.4.0, 3.0.0, 3.0.1, 3.0.2, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.4.0, 4.4.2, 4.4.3, 4.4.4, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.2.0, 6.0, 6.0.1, 6.0.2, 6.1, 6.1.1, 6.1.2, 6.2, 6.2.1, 7.0, 7.0.1, 7.0.3, 7.1, 9.0.1, 9.1.1, 10.0, 10.0.1, 10.1, 10.1.1, 10.2, 10.2.1, 10.2.2, 11, 11.0, 11.1, 11.2, 11.2.1
Apple  | iPhone OS | 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 2.0, 2.0.0, 2.0.1, 2.0.2, 2.1, 2.1.1, 2.2, 2.2.1, 3.0, 3.0.1, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.2, 3.2.1, 3.2.2, 4.0, 4.0.1, 4.0.2, 4.1, 4.2.1, 4.2.5, 4.2.8, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.5, 5.0, 5.0.1, 5.1, 5.1.1, 6.0, 6.0.1, 6.0.2, 6.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 7.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.1, 7.1.1, 7.1.2, 8.0, 8.0.1, 8.0.2, 8.1, 8.1.2, 8.1.3, 8.2, 8.3, 8.4.1, 9.0, 9.0.1, 9.0.2, 9.1, 9.2, 9.2.1, 9.3, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.3.5, 10.0, 10.0.1, 10.0.2, 10.0.3, 10.1, 10.1.1, 10.2, 10.2.1, 10.3, 10.3.1, 10.3.2, 10.3.3, 11, 11.0, 11.0.1, 11.0.2, 11.0.3, 11.1, 11.1.1, 11.1.2, 11.2, 11.2.1, 11.2.2
Apple  | watchOS   | 1.0, 1.0.1, 2.0, 2.0.1, 2.1, 2.2, 2.2.0, 2.2.1, 2.2.2, 3.0, 3.1, 3.1.1, 3.1.3, 3.2, 3.2.2, 3.2.3, 4, 4.0, 4.0.1, 4.1

Vendor Advisories

About Apple security updates: For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page. For more information about security, see the Apple Product Security page. You can encrypt ...

Exploits

bluetoothdPoC (main.m):

    //
    //  main.m
    //  bluetoothdPoC
    //
    //  Created by Rani Idan.
    //  Copyright © 2018 zLabs. All rights reserved.
    //
    #import "AppDelegate.h"
    #include <mach/mach.h>

    extern kern_return_t bootstrap_look_up(mach_port_t bs, const char *service_name, mach_port_t *service);

    /* When hijacking session between bluetoothd and client, add callback to t ...

Github Repositories

UnjailMe: A sandbox escape based on the proof-of-concept (CVE-2018-4087) by Rani Idan (Zimperium) and @cheesecakeufo's securityd overflow proof-of-concept (zero-day, no CVE known, thank you Abraham!). About the ZIMPERIUM PoC: Rani used sbtool from Jonathan Levin to find out what services were accessible for communication from within the sandbox. He then found under more blueto

@RaniXCH bluetoothdPoC: CVE-2018-4087 PoC. ETA son? (Is it a jailbreak?) Depends, got any kernel vulnerability? You're welcome to chain them together. This one allows you to have a huge attack surface from within the sandbox. www.weibo.com/ttarticle/p/show?id=2309404271293301154324 - @SparkZheng - iOS jailbreak internals (2): Escaping sandbox using callbacks. References: ht

Exploit112: Exploit iOS 11.2.x by ZIMPERIUM and semi-completed by me. Sandbox escapes on CVE-2018-4087. This also checks for root access (incomplete). You can create an app to run the exploit on your device (if you are a developer) and turn on the root access. Thanks to: RaniXCH, Adam Donenfeld, Abraham Masri and the ZIMPERIUM TEAM; th0ex & x0x8_os for collaboratin

toothfairy: Related to brokentooth (linked below). Unlike brokentooth, toothfairy does not require pressing buttons on the Bluetooth menu. Both CVEs were revealed by @SparkZheng but with no PoC, so I decided to make a PoC for the learning experience. The code is not perfect but it does the job. Tested on iPhone 6S 11.3.1; should work until 11.4. Lets you set the PC (ARM

brokentooth: PoC for CVE-2018-4327 (at least I think so, since CVE-2018-4327 and CVE-2018-4330 were both written about by @SparkZheng but it does not say which one relates to which bug; since he described this one first, I'm taking a guess). Tested on iPhone 6S 11.3.1; should work until 11.4. Lets you set the PC (ARM's version of the IP register) to a value of y

brokentooth: PoC for CVE-2018-4327 (at least I think so, since CVE-2018-4327 and CVE-2018-4330 were both discussed by @SparkZheng but it's not clear from him which one relates to which bug; since he described this one first, I'm taking a guess). Tested on iPhone 6S 11.3.1; should work until 11.4. Lets you set the PC (ARM's version of the IP register) to a value

Awesome CVE PoC: A curated list of CVE PoCs. Here is a collection of Proof of Concepts for Common Vulnerabilities and Exposures; you may also want to check out awesome-web-security. Please read the contribution guidelines before contributing. This repo is full of PoCs for CVEs. If you enjoy this awesome list and would like to support it, check out my Patreon page :

Recent Articles

It's 2018 and your Macs, iPhones can be pwned by playing evil music
The Register • Shaun Nichols in San Francisco • 24 Jan 2018

Meanwhile, HomePod inches closer to actually shipping, allegedly

Apple has released security patches for iOS and macOS that include, among other things, Meltdown and Spectre fixes. The new versions should be installed as soon as possible.
On macOS, the update will be delivered as High Sierra 10.13.3 or Security Update 2018-001 for Sierra and El Capitan machines.
Headlining the security update is a patch for CVE-2017-5754, better known as Meltdown. The Intel processor bug allows malicious code to potentially read sensitive data and personal informa...