6.8
CVSSv2

CVE-2019-6225

Published: 05/03/2019 Updated: 11/03/2019
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 663
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

Apple macOS could allow a local malicious user to gain elevated privileges on the system, caused by a memory corruption in the Kernel component. By using a specially-crafted application, an attacker could exploit this vulnerability to gain elevated privileges on the system.

Vulnerability Trend

Affected Products

Vendor Product Versions
AppleIphone Os1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 2.0, 2.0.0, 2.0.1, 2.0.2, 2.1, 2.1.1, 2.2, 2.2.1, 3.0, 3.0.1, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.2, 3.2.1, 3.2.2, 4.0, 4.0.1, 4.0.2, 4.1, 4.2.1, 4.2.5, 4.2.8, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.5, 5.0, 5.0.1, 5.1, 5.1.1, 6.0, 6.0.1, 6.0.2, 6.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 7.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.1, 7.1.1, 7.1.2, 8.0, 8.0.1, 8.0.2, 8.1, 8.1.2, 8.1.3, 8.2, 8.3, 8.4.1, 9.0, 9.0.1, 9.0.2, 9.1, 9.2, 9.2.1, 9.3, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.3.5, 10.0, 10.0.1, 10.0.2, 10.0.3, 10.1, 10.1.1, 10.2, 10.2.1, 10.3, 10.3.1, 10.3.2, 10.3.3, 11, 11.0, 11.0.1, 11.0.2, 11.0.3, 11.1, 11.1.1, 11.1.2, 11.2, 11.2.1, 11.2.2, 11.2.5, 11.2.6, 11.3, 11.3.1, 11.4, 11.4.1, 12.0, 12.0.1, 12.1, 12.1.1, 12.1.2
AppleMac Os X-, 10.0, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.1, 10.1.0, 10.1.1, 10.1.2, 10.1.3, 10.1.4, 10.1.5, 10.2, 10.2.0, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.2.8, 10.3, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.3.7, 10.3.8, 10.3.9, 10.4, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 10.4.7, 10.4.8, 10.4.9, 10.4.10, 10.4.11, 10.5, 10.5.0, 10.5.1, 10.5.2, 10.5.3, 10.5.4, 10.5.5, 10.5.6, 10.5.7, 10.5.8, 10.6.0, 10.6.1, 10.6.2, 10.6.3, 10.6.4, 10.6.5, 10.6.6, 10.6.7, 10.6.8, 10.7.0, 10.7.1, 10.7.2, 10.7.3, 10.7.4, 10.7.5, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.8.4, 10.8.5, 10.9, 10.9.1, 10.9.2, 10.9.3, 10.9.4, 10.9.5, 10.10.0, 10.10.1, 10.10.2, 10.10.3, 10.10.4, 10.10.5, 10.11.0, 10.11.1, 10.11.2, 10.11.3, 10.11.4, 10.11.5, 10.11.6, 10.12, 10.12.0, 10.12.1, 10.12.2, 10.12.3, 10.12.4, 10.12.5, 10.12.6, 10.13, 10.13.0, 10.13.1, 10.13.2, 10.13.3, 10.13.4, 10.13.5, 10.13.6
AppleTvos1.0.0, 1.1.0, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.4.0, 3.0.0, 3.0.1, 3.0.2, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.4.0, 4.4.2, 4.4.3, 4.4.4, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.2.0, 6.0, 6.0.1, 6.0.2, 6.1, 6.1.1, 6.1.2, 6.2, 6.2.1, 7.0, 7.0.1, 7.0.3, 7.1, 9.0, 9.0.1, 9.1, 9.1.1, 9.2, 9.2.1, 9.2.2, 10.0, 10.0.1, 10.1, 10.1.1, 10.2, 10.2.1, 10.2.2, 11, 11.0, 11.1, 11.2, 11.2.1, 11.2.6, 11.3, 11.4.1, 12, 12.0.1, 12.1

Vendor Advisories

About Apple security updatesFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available Recent releases are listed on the Apple security updates page Apple security documents reference vulnerabilities by CVE-ID when possible For more info ...
About Apple security updatesFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available Recent releases are listed on the Apple security updates page Apple security documents reference vulnerabilities by CVE-ID when possible For more info ...
About Apple security updatesFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available Recent releases are listed on the Apple security updates page Apple security documents reference vulnerabilities by CVE-ID when possible For more info ...

Exploits

/* * voucher_swap-pocc * Brandon Azad */ #if 0 iOS/macOS: task_swap_mach_voucher() does not respect MIG semantics leading to use-after-free The dangers of not obeying MIG semantics have been well documented: see issues 926 (CVE-2016-7612), 954 (CVE-2016-7633), 1417 (CVE-2017-13861, async_wake), 1520 (CVE-2018-4139), 1529 (CVE-2018-4206), and 1 ...

Mailing Lists

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-1-22-2 macOS Mojave 10143, Security Update 2019-001 High Sierra, Security Update 2019-001 Sierra macOS Mojave 10143, Security Update 2019-001 High Sierra, Security Update 2019-001 Sierra are now available and addresses the following: AppleKeyStore Available for: macOS Mojave 1014 ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-1-22-4 tvOS 1212 tvOS 1212 is now available and addresses the following: AppleKeyStore Available for: Apple TV 4K and Apple TV (4th generation) Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: A memory corruption issue was addressed with impr ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-1-22-4 tvOS 1212 tvOS 1212 is now available and addresses the following: AppleKeyStore Available for: Apple TV 4K and Apple TV (4th generation) Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: A memory corruption issue was addressed with impr ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-1-22-2 macOS Mojave 10143, Security Update 2019-001 High Sierra, Security Update 2019-001 Sierra macOS Mojave 10143, Security Update 2019-001 High Sierra, Security Update 2019-001 Sierra are now available and addresses the following: AppleKeyStore Available for: macOS Mojave 1014 ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-1-22-1 iOS 1213 iOS 1213 is now available and addresses the following: AppleKeyStore Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: A memory corruption is ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-1-22-1 iOS 1213 iOS 1213 is now available and addresses the following: AppleKeyStore Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: A memory corruption is ...

Github Repositories

Jailbreak for iOS 12 iOS 120 & 1212 Jailbreak with CVE-2019-6225 An incomplete iOS 12 Jailbreak For now it only runs the exploit, gets tfp0, gets ROOT, escapes the SandBox, writes a test file to prove the sandbox was escaped then resprings Feel free to build on top of it as long as you respect the GPLv3 license Older (4K) devices are not supported for now 16K dev

OsirisJailbreak12 iOS 120 -> 1212 Incomplete Jailbreak with CVE-2019-6225 An incomplete iOS 12 Jailbreak For now it only runs the exploit, gets tfp0, gets ROOT, escapes the SandBox, writes a test file to prove the sandbox was escaped then resprings Feel free to build on top of it as long as you respect the GPLv3 license Older (4K) devices are not supported for now

voucher_swap - Exploit for P0 issue 1731 on iOS 1212 Brandon Azad ---- Issue 1731: CVE-2019-6225 -------------------------------------------------------------------- iOS/macOS: task_swap_mach_voucher() does not respect MIG semantics leading to use-after-free Consider the MIG routine task_swap_mach_voucher(): routine task_swap_mach_voucher( task : task_t; new_voucher : ipc_vo

voucher_swap - Exploit for P0 issue 1731 on iOS 1212 Brandon Azad ---- Issue 1731: CVE-2019-6225 -------------------------------------------------------------------- iOS/macOS: task_swap_mach_voucher() does not respect MIG semantics leading to use-after-free Consider the MIG routine task_swap_mach_voucher(): routine task_swap_mach_voucher( task : task_t; new_voucher : ip

OsirisJailbreak12 iOS 120 -> 1212 Incomplete Jailbreak with CVE-2019-6225 An incomplete iOS 12 Jailbreak For now it only runs the exploit, gets tfp0, gets ROOT, escapes the SandBox, writes a test file to prove the sandbox was escaped then resprings Feel free to build on top of it as long as you respect the GPLv3 license Older (4K) devices are not supported for now

machswap An iOS kernel exploit for iOS 11 - 1212 Based on the task_swap_mach_voucher bug (CVE-2019-6225), joint-discovered/released by @S0rryMyBad and @bazad Somewhat loosely based on @s1guza's v0rtex exploit Non-SMAP (<=A9) devices only Many thanks to @s1guza, @littlelailo, and @qwertyoruiopz Writeup ETA soon? Twitter - twittercom/iBSparkes

machswap2 An iOS kernel exploit for iOS 11 - 1212 Based on the task_swap_mach_voucher bug (CVE-2019-6225), joint-discovered/released by @S0rryMyBad and @bazad Somewhat loosely based on @s1guza's v0rtex exploit, and @tihmstar's v3ntex exploit Works on A7 - A11 devices (no A12 as I have no A12 device) Many thanks to @s1guza, @littlelailo, and @qwertyoruiopz Twitt

voucher_swap - Exploit for P0 issue 1731 on iOS 1212 Brandon Azad ---- Issue 1731: CVE-2019-6225 -------------------------------------------------------------------- iOS/macOS: task_swap_mach_voucher() does not respect MIG semantics leading to use-after-free Consider the MIG routine task_swap_mach_voucher(): routine task_swap_mach_voucher( task : task_t; new_voucher : ip