CVE-2020-27950: XNU Kernel Memory Disclosure in Mach Message Trailers

Ian Beer, Project Zero (Originally posted on Project Zero blog 2021-02-04)

The Basics

Disclosure or Patch Date: 5 November 2020

Product: Apple iOS

Advisory: https://support.apple.com/en-us/HT211929

Affected Versions: iOS 14.1 and previous

First Patched Version: iOS 14.2

Issue/Bug Report: https://bugs.chromium.org/p/project-zero/issues/detail?id=2108

Patch CL: N/A

Bug-Introducing CL: N/A

Reporter(s): Ian Beer of Google Project Zero

The Code

Proof-of-concept: https://bugs.chromium.org/p/project-zero/issues/detail?id=2108

Exploit sample: N/A

Did you have access to the exploit sample when doing the analysis? Yes

The Vulnerability

Bug class: Information leak

Vulnerability details: A kernel memory disclosure vulnerability due to an incorrect size calculation when receiving mach messages and requesting an invalid combination of trailer elements. The vulnerability gives the attacker the ability to leak stale data from various kalloc size classes.

Patch analysis: N/A

Thoughts on how this vuln might have been found (fuzzing, code auditing, variant analysis, etc.): This vulnerability probably could have been found by fuzzing if the fuzzer was set up to discover uninitialized memory (the underlying allocation isn't free; just those four bytes never get written to before they're read.) The bug could also have been found through manual analysis.

(Historical/present/future) context of bug:

The Exploit

Is the exploit method known? Yes

Exploit method: Groom the target kalloc size class to contain the pointer you wish to disclose at the right offset; in this case using out-of-line port descriptors to fill arbitrary sized kalloc allocations with pointers to ports. Free those allocations and reallocate them as mach messages then trigger the vulnerability when receiving those messages to read 4 bytes of the target pointer. Adjust the size of the message to leak the other 4 bytes.

Part of an exploit chain? This vulnerability was used as a part of an iOS exploit chain. It was used after the Safari RCE (CVE-2020-27930) and before the kernel privilege escalation (CVE-2020-27932).

The Next Steps

Variant analysis

Areas/approach for variant analysis (and why): Auditing other complex structures which get copied out to userspace but aren't zero-initialized.

Found variants: N/A

Structural improvements

The underlying feature where this vulnerability was found has long since been removed from XNU; the code should have been properly removed. Ensuring allocations which will be filled in and copied to userspace are zeroed out when allocated would be a good defense-in-depth measure which would have mitigated this issue.

0-day detection methods

Other References