Muirey03/CVE-2022-32832
CVE-2022-32832

Proof-of-concept and write-up for the CVE-2022-32832 vulnerability patched in iOS 15.6

CVE-2022-32832 is a vulnerability in the AppleAPFSUserClient::methodDeltaCreateFinalize external method (selector 49). Here is the decompilation of the pre-patch version, with comments added to mark the two steps that the bug sits between:

```c
__int64 __cdecl AppleAPFSUserClient::methodDeltaCreateFinalize(AppleAPFSUserClient *this, void *a2, IOExternalMethodArguments *args)
{
    void *ctx;
    __int64 result;

    ctx = this->deltaCreateCtx;               /* unsynchronised read of the context pointer */
    if ( !ctx )
        return 0xE00002D8LL;                  /* kIOReturnNotReady: no delta create context */
    AppleAPFSContainer::deltaCreateTeardown(ctx);   /* frees the delta_create_ctx_t ... */
    result = 0LL;
    this->deltaCreateCtx = 0LL;               /* ... and only then clears the pointer */
    return result;
}
```

AppleAPFSUserClient::externalMethod does not use any synchronisation to serialise external method calls on a userclient. This means that an attacker can double-free the delta_create_ctx_t (and the objects it owns) by racing two calls to AppleAPFSUserClient::methodDeltaCreateFinalize on the same userclient: both calls can read the same non-NULL this->deltaCreateCtx, pass the NULL check, and call into AppleAPFSContainer::deltaCreateTeardown (the method responsible for freeing the delta_create_ctx_t) before either call stores NULL back to this->deltaCreateCtx.

In order to trigger this, an attacker first needs to create a "delta create context" on the userclient by using the external method AppleAPFSUserClient::methodDeltaCreatePrepare (selector 36). This requires an unmounted volume to function, so a normal exploit flow also requires the attacker to create a target volume using the external method AppleAPFSUserClient::methodVolumeCreate, which requires superuser privileges. It is for this reason that Apple described the impact of the vulnerability as:

An app with root privileges may be able to execute arbitrary code with kernel privileges

This repository includes a proof-of-concept exploit for this issue that causes a kernel panic on vulnerable macOS versions by underflowing a kernel object's reference count. The exploit must be executed as root for the reasons mentioned above.

CVE-2022-32832 was patched by adding IOLockLock and IOLockUnlock calls to AppleAPFSUserClient::methodDeltaCreateFinalize, so that the read of deltaCreateCtx, the NULL check, the teardown and the store of NULL happen as one critical section and a second concurrent call observes NULL instead of the stale pointer.
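The following is an added user-space model of the race described above and of the lock-based fix; it is not code from this repository or from Apple's driver. It stands in for AppleAPFSUserClient and delta_create_ctx_t with small structs, replaces the real free with a teardown counter (so a double free reads as a count of 2 instead of a crash), and selects the pre-patch or patched shape of methodDeltaCreateFinalize with a flag. The pthread barrier is a test hook that does not exist in the driver: it parks both racers between the NULL check and the store of NULL, which is exactly the window two real IOConnectCallMethod callers on the same userclient have to hit. Names such as race_finalize and race_window are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>

#define kIOReturnSuccess  0u
#define kIOReturnNotReady 0xE00002D8u   /* returned when no delta create context exists */

/* Stand-in for delta_create_ctx_t: counts teardowns instead of freeing memory. */
typedef struct {
    int teardown_count;                  /* 1 = freed once, 2 = double free */
} delta_ctx_t;

/* Stand-in for the relevant slice of AppleAPFSUserClient (hypothetical layout). */
typedef struct {
    delta_ctx_t       *deltaCreateCtx;
    pthread_mutex_t    lock;             /* models the IOLock added by the patch */
    pthread_barrier_t *window;           /* test hook: rendezvous point inside the race window */
    int                use_lock;         /* 0 = pre-patch shape, 1 = patched shape */
} user_client_t;

/* Models AppleAPFSContainer::deltaCreateTeardown. */
static void delta_create_teardown(delta_ctx_t *ctx) {
    ctx->teardown_count++;
}

/* Sits between the NULL check and the store of NULL. Without the lock both
 * racers meet here, which proves both passed the check on the same pointer.
 * With the lock the second racer is blocked on the mutex and can never arrive,
 * so waiting on the barrier there would hang; the lock makes the hook moot. */
static void race_window(user_client_t *c) {
    if (!c->use_lock && c->window)
        pthread_barrier_wait(c->window);
}

/* Shape of methodDeltaCreateFinalize before (use_lock = 0) and after (use_lock = 1) the fix. */
static uint32_t method_delta_create_finalize(user_client_t *c) {
    if (c->use_lock) pthread_mutex_lock(&c->lock);
    delta_ctx_t *ctx = c->deltaCreateCtx;
    if (!ctx) {
        if (c->use_lock) pthread_mutex_unlock(&c->lock);
        return kIOReturnNotReady;
    }
    race_window(c);                      /* test hook only */
    delta_create_teardown(ctx);          /* free ... */
    c->deltaCreateCtx = NULL;            /* ... then clear: the window is between these two */
    if (c->use_lock) pthread_mutex_unlock(&c->lock);
    return kIOReturnSuccess;
}

static void *racer(void *arg) {
    return (void *)(uintptr_t)method_delta_create_finalize((user_client_t *)arg);
}

/* Prepares one context on one client, races two finalize calls against it and
 * returns how many times the context was torn down: 1 is correct, 2 is the bug. */
int race_finalize(int use_lock) {
    delta_ctx_t ctx = { .teardown_count = 0 };
    pthread_barrier_t window;
    pthread_barrier_init(&window, NULL, 2);
    user_client_t client = { .deltaCreateCtx = &ctx, .window = &window, .use_lock = use_lock };
    pthread_mutex_init(&client.lock, NULL);

    pthread_t t[2];
    for (int i = 0; i < 2; i++)
        pthread_create(&t[i], NULL, racer, &client);
    for (int i = 0; i < 2; i++)
        pthread_join(t[i], NULL);

    pthread_barrier_destroy(&window);
    pthread_mutex_destroy(&client.lock);
    return ctx.teardown_count;
}

int main(void) {
    printf("pre-patch: context torn down %d time(s)\n", race_finalize(0));
    printf("patched:   context torn down %d time(s)\n", race_finalize(1));
    return 0;
}
```

The unlocked run always reports 2 because the barrier guarantees both callers passed the NULL check before either stored NULL; the locked run always reports 1 because the second caller cannot read deltaCreateCtx until the first has cleared it, and so takes the kIOReturnNotReady path. In the real kernel the window is only as wide as deltaCreateTeardown takes to run, so a PoC has to spray many concurrent calls to land in it, but the ordering problem is the same one this model makes deterministic.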
