Skip to content

soccercab/wifi

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits

Makefile

Makefile

 
 

README.md

README.md

 
 

crash_all.c

crash_all.c

 
 

direct_attack.c

direct_attack.c

 
 

send_packet.c

send_packet.c

 
 

send_packet.h

send_packet.h

 
 

utils.c

utils.c

 
 

utils.h

utils.h

 
 

Repository files navigation

Heap buffer overflow in icmp_error (CVE-2018-4407)

Proof-of-concept exploit for a remotely triggerable heap buffer overflow vulnerability in iOS 11.4.1 and macOS 10.13.6. This exploit can be used to crash any vulnerable iOS or macOS device that is connected to the same network as the attacker's computer. The vulnerability can be triggered without any user interaction on the victim's device. The exploit involves sending a TCP packet with non-zero options in the IP and TCP headers. It is possible that some routers or switches will refuse to deliver such packets, but it has worked for me on all the home and office networks that I have tried it on. However, I have found that it is not usually possible to send the malicious packet across the internet.

For more information about the vulnerability, see the blog post on lgtm.com.

The buffer overflow is in this code bsd/netinet/ip_icmp.c:339:

m_copydata(n, 0, icmplen, (caddr_t)&icp->icmp_ip);

The exploit sets icmplen == 120, which is far too big for the destination buffer. The buffer is overwritten with garbage, so this causes the kernel to crash.

Usage

The exploit code is designed to be built and run on Linux. The code uses a raw socket to send the malicious packet, because we need to have complete control over the contents of the IP and TCP headers. On Linux, root privileges are required to open a raw socket. Therefore, sudo is required to run the PoC. But this is on the attacker's computer, not the victim's, so it does not mitigate the severity of the vulnerability. The code does not do anything malicious to the Linux machine: the root privileges are only used to open a raw socket.

To build the PoC:

make

This builds two versions of the PoC: direct_attack and crash_all. The former requires you to supply the IP addresses of the target machines, like this:

sudo ./direct_attack 192.168.0.8 192.168.0.12

The latter does not require you to list the IP addresses:

sudo ./crash_all

Use crash_all with care: it will crash any unpatched Apple device that is connected to the same network as you.

Alternatively you can give the CAP_NET_RAW capability to the binaries instead of using them under full root privileges:

sudo setcap cap_net_raw=ep crash_all
sudo setcap cap_net_raw=ep direct_attack

Some libs are required to use setcap (libcap-ng-utils, libcap-progs, libcap2)

About

iOS 11 WiFi Exploit - icmp_error_CVE-2018-4407

Resources

Readme
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages