POC details: 439ee258ba55a39c96e7af9e4f57d710fb2b89d9

Source
Related vulnerability
Title: Apple iOS and Apple iPadOS security vulnerability (CVE-2025-31200)
Description: Apple iOS and Apple iPadOS are products of the American company Apple. Apple iOS is an operating system developed for mobile devices. Apple iPadOS is an operating system for iPad tablets. Apple iOS 18.4.1 and Apple iPadOS 18.4.1 contain a security vulnerability that stems from insufficient bounds checking when processing malicious media files, which may lead to code execution.
Description
CVE-2025-31200 is a zero-day, zero-click RCE in iOS CoreAudio’s AudioConverterService, triggered by a malicious audio file via iMessage/SMS. Exploitation bypassed Blastdoor, enabled kernel escalation (CVE-2025-31201), and allowed token theft until patched in iOS 18.4.1 (Apr 16, 2025).
Introduction
# CVE-2025-31200 & CVE-2025-31201 | iMessage Zero-Click RCE Chain

Public disclosure of two linked vulnerabilities in Apple's iOS 18.x:

- **CVE-2025-31200** — Heap corruption in CoreAudio’s `AudioConverterService`, triggered by a malicious audio file delivered via iMessage. Zero-click, no user interaction required.  
- **CVE-2025-31201** — Pointer Authentication (PAC) bypass in the RPAC path, enabling reliable kernel exploitation once arbitrary R/W is achieved.

---

## Disclosure & Patch Timeline

- **Initial Report Date:** January 21, 2025  
- **Reported To:** Apple & US-CERT (Tracking ID: VRF#25-01-MPVDT)  
- **Patched By Apple:** Silently resolved in **iOS 18.4.1**, released **April 16, 2025**  
- **CVE Assignment:** Identifiers **CVE-2025-31200** and **CVE-2025-31201** were assigned publicly due to lack of MITRE response  

Due to the severity, prolonged silence from relevant stakeholders, and absence of acknowledgment post-patch, this repository is published to inform the security community and support defensive mitigation.

---

## Affected Systems

- **iOS Versions:** Zero-day until patched in **iOS 18.4.1 (April 16, 2025)**  
- **Primary Vulnerable Component:** `AudioConverterService` (CoreAudio) via iMessage / SMS delivery  
- **Chained Component:** RPAC / Pointer Authentication (PAC bypass, CVE-2025-31201)  
- **Post-Exploitation Impact:** Wireless subsystem manipulation and CryptoTokenKit abuse (no CVE assigned)

---

## 🛡️ Disclaimer

This report is released in the interest of public safety, transparency, and to support defenders and researchers. All information is based on independent research. No offensive code is included. The author remains open to coordination with trusted parties for validation and response.


File snapshot

[4.0K] /data/pocs/439ee258ba55a39c96e7af9e4f57d710fb2b89d9
├── [1.7K] README.md
└── [5.9K] Remote Crypto Attack Chain .md

0 directories, 2 files