
CVE-2022-32832 PoC — Buffer error vulnerability in multiple Apple products

Source
Associated Vulnerability
Title: Buffer error vulnerability in multiple Apple products (CVE-2022-32832)
Description: Apple iOS and Apple iPadOS are products of the American company Apple. Apple iOS is an operating system developed for mobile devices. Apple iPadOS is an operating system for iPad tablets. Apple iOS versions before 15.6 and iPadOS versions before 15.6 contain a buffer error vulnerability that stems from a boundary error in APFS; a local user can run a specially crafted program to trigger memory corruption and execute arbitrary code with root privileges. The vulnerability allows a local user to escalate privileges on the system.
Description
Proof-of-concept and write-up for the CVE-2022-32832 vulnerability patched in iOS 15.6
Readme
## CVE-2022-32832
#### Proof-of-concept and write-up for the CVE-2022-32832 vulnerability patched in iOS 15.6

CVE-2022-32832 is a vulnerability in the `AppleAPFSUserClient::methodDeltaCreateFinalize` external method (selector 49). Here is the decompilation pre-patch:

```cpp
__int64 __cdecl AppleAPFSUserClient::methodDeltaCreateFinalize(AppleAPFSUserClient *this, void *a2, IOExternalMethodArguments *args)
{
	void *ctx;
	__int64 result;

	ctx = this->deltaCreateCtx;
	if ( !ctx )
		return 0xE00002D8LL;                        // no prepared context: kIOReturnNotReady
	AppleAPFSContainer::deltaCreateTeardown(ctx);   // frees the delta_create_ctx_t
	result = 0LL;
	this->deltaCreateCtx = 0LL;                     // cleared only after the free, and with no lock held
	return result;
}
```

`AppleAPFSUserClient::externalMethod` does not use any synchronisation techniques to serialise external method calls. This means that it is possible for an attacker to double-free the `delta_create_ctx_t`, and related properties, by racing two calls to `AppleAPFSUserClient::methodDeltaCreateFinalize` on the same userclient, as both will be able to call into `AppleAPFSContainer::deltaCreateTeardown` (the method responsible for freeing the `delta_create_ctx_t`) before `this->deltaCreateCtx` is set to `NULL`.

In order to trigger this, an attacker first needs to create a "delta create context" on the userclient by using the external method `AppleAPFSUserClient::methodDeltaCreatePrepare` (selector 36). This requires an unmounted volume to function, so a normal exploit flow requires the attacker to also create a target volume using the external method `AppleAPFSUserClient::methodVolumeCreate`, which requires superuser privileges. It is for this reason that Apple described the impact of the vulnerability as:

> An app with root privileges may be able to execute arbitrary code with kernel privileges

This repository includes a proof-of-concept exploit for this issue that causes a kernel panic on vulnerable macOS versions by underflowing a kernel object's reference count. This exploit must be executed as root for the reasons mentioned above.

CVE-2022-32832 was patched by adding `IOLockLock` and `IOLockUnlock` calls to `AppleAPFSUserClient::methodDeltaCreateFinalize` to protect the vulnerable code.
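As an added illustration that is not part of the repository, the race is modelled below in plain C with a deterministic, single-threaded interleaving: thread B is entered at exactly the point where thread A has torn down the context but has not yet cleared the pointer. On the unpatched path both callers reach teardown, so the context is torn down twice; with the lock emulated, the second caller waits, re-checks the pointer and receives the not-ready error instead. The struct layout, the lock model and the `run_race` harness are assumptions made for this demo, not the kernel's code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Stand-in for AppleAPFSUserClient (constructed for this demo, not the kernel's layout). */
typedef struct {
    void *delta_create_ctx;          /* this->deltaCreateCtx (the delta_create_ctx_t) */
    bool patched, lock_held;         /* emulate the IOLockLock/IOLockUnlock fix; the lock */
    bool thread_b_waiting;           /* B blocked in IOLockLock because A holds the lock */
    uint32_t thread_b_result;
    int teardown_calls;              /* >1 means the context was torn down (freed) twice */
} user_client_t;

#define kIOReturnSuccess  0x0u
#define kIOReturnNotReady 0xE00002D8u    /* the error code in the decompilation above */
/* AppleAPFSContainer::deltaCreateTeardown frees the ctx; here we only count the calls. */
static void delta_create_teardown(user_client_t *uc) { uc->teardown_calls++; }

/* methodDeltaCreateFinalize with an explicit preemption point: after thread A has
 * called teardown but before it clears deltaCreateCtx, thread B enters the same method. */
static uint32_t finalize(user_client_t *uc, bool is_thread_a) {
    if (uc->patched) {
        if (uc->lock_held) { uc->thread_b_waiting = true; return 0; }  /* blocks in IOLockLock */
        uc->lock_held = true;
    }
    if (!uc->delta_create_ctx) {
        if (uc->patched) uc->lock_held = false;
        return kIOReturnNotReady;
    }
    delta_create_teardown(uc);
    if (is_thread_a) uc->thread_b_result = finalize(uc, false);   /* the race window */
    uc->delta_create_ctx = NULL;
    if (uc->patched) uc->lock_held = false;
    return kIOReturnSuccess;
}

typedef struct { int teardowns; uint32_t ret_a, ret_b; } race_result_t;

/* Runs the two-caller interleaving once and reports how often teardown ran. */
static race_result_t run_race(bool patched) {
    int ctx = 1;                                  /* placeholder for the prepared context */
    user_client_t uc = { &ctx, patched, false, false, 0, 0 };
    race_result_t r = { 0, 0, 0 };
    r.ret_a = finalize(&uc, true);               /* A runs and is preempted by B */
    if (uc.thread_b_waiting)                      /* A released the lock: B resumes */
        uc.thread_b_result = finalize(&uc, false);
    r.ret_b = uc.thread_b_result;
    r.teardowns = uc.teardown_calls;
    return r;
}
```

`run_race(false)` reports two teardown calls on one context, which is the double free; `run_race(true)` reports one, with the second caller getting `kIOReturnNotReady`.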
File Snapshot

[4.0K] /data/pocs/e6fa998f07c8ea23bd245cb2f66544140406861d
├── [1.3M] Kernel-2022-06-03-142235.panic
├── [1.0K] LICENSE
├── [3.3K] main.c
├── [ 190] Makefile
└── [2.1K] README.md

0 directories, 5 files