Analysis and Reproduction of iOS/OSX Vulnerability: CVE-2019-7286 - Jamf Threat Labs

Learn about the four vulnerabilities patched in iOS 12.1.4, two of which were exploited in the wild as zero days, according to Project Zero's Ben Hawkes. Join Threat Labs as they analyze and reveal more details about these vulnerabilities.

March 12, 2019 by Jamf Threat Labs


iOS 12.1.4, released on February 8th 2019, is the latest version of iOS. It patched four disclosed vulnerabilities. According to a tweet by Ben Hawkes of Project Zero, at least two of them were exploited in the wild as zero days. Here at Jamf we were keen to analyze and reveal more details about these patched vulnerabilities.

TL;DR:

  • CVE-2019-7286 was exploited in the wild
  • The vulnerability appears to be of critical severity and could potentially also have been used to maintain persistence across reboots
  • We were able to reproduce this vulnerability (POC code below)
  • The vulnerability could be used to escalate privileges to root as part of a chain for jailbreak on iOS 12.1.3.

Analyzing CVE-2019-7286

According to Apple’s description:

Foundation
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An application may be able to gain elevated privileges
Description: A memory corruption issue was addressed with improved input validation.
CVE-2019-7286: an anonymous researcher, Clement Lecigne of Google Threat Analysis Group, Ian Beer of Google Project Zero, and Samuel Groß of Google Project Zero

Beyond the fact that the vulnerability was patched in Apple’s Foundation framework, the description provides few details about the nature of the vulnerability.

Binary diffing of the Foundation framework revealed no significant changes between iOS 12.1.3 and iOS 12.1.4. The next immediate suspect was CoreFoundation, which showed a number of binary differences in the Diaphora tool, as shown below:

By comparing the two versions, we found a few minor changes in the implementation of the CFPrefs daemon (cfprefsd).

The man page for this daemon isn’t too descriptive:

cfprefsd provides preferences services for the CFPreferences and
NSUserDefaults APIs.
There are no configuration options to cfprefsd manually.

The CFPreferences API is used by almost every piece of software on iOS/OS X at launch, so a vulnerability in this daemon could also be useful for maintaining persistence. Surprisingly, there is no public information about this CVE yet, as one would expect from a vulnerability that was actively exploited in the wild.

Patch Analysis

The same bug was also present on OS X, which aided ZecOps' investigation and analysis. At the time of the patch, several minor changes were introduced into cfprefsd, but the most important modification appears to be in the following function:

[CFPrefsDaemon handleMultiMessage:replyHandler:]

Below is a snippet of Jamf's attempt to reconstruct the original Obj-C code along with the patch (in bold):

Vulnerability Details

handleMultiMessage:replyHandler: has a reference counting issue involving the “CFPreferencesMessages” array, which is part of the XPC request.

The function reads the array’s objects into a memory buffer one by one using xpc_array_get_value, which does not change the reference count. The last part of the function, which releases every element in the buffer, assumes ownership of the xpc objects. This is generally true, since the callback block calls xpc_retain and replaces the original objects in the xpc buffer. However, if the callback is not called as a result of a crafted message (the message body contains the handler index for the message, and not all handlers call the callback), the element is double freed.

An XPC message with the following keys and values will trigger the vulnerability:

Apple’s patch replaces the original XPC object with xpc_null if the callback did not update xpc_buffer[count]. As a result there is no double free, since xpc_null has no memory to release.
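To make the ownership mistake concrete, here is an added model of the loop described above. It is not code from the write-up, not the PoC, and not libxpc: a toy reference-counted object stands in for an xpc object, `array_get_value` borrows like xpc_array_get_value, the callback retains like xpc_retain, and `obj_release` records a second release instead of crashing so the outcome can be asserted on. Which handler indices do or do not invoke the callback is constructed (handler 0 calls it, handler 1 does not) and NULL stands in for the xpc_null object the patch stores into untouched slots; the "owned" flag that tells the patched loop whether the callback ran is likewise an assumption about how the fix is expressed, not Apple's code.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed reference-counted object (not libxpc). Memory is kept after the count
 * reaches zero so that a second release, a double free in the real daemon, is observable. */
typedef struct {
    int  refcount;
    bool freed;
} obj_t;

static obj_t *obj_new(void) {
    obj_t *o = calloc(1, sizeof *o);
    if (!o) abort();
    o->refcount = 1;
    return o;
}
static obj_t *obj_retain(obj_t *o) { o->refcount++; return o; }
/* Returns 1 if the object had already been freed (a double release), else 0. */
static int obj_release(obj_t *o) {
    if (o->freed) return 1;
    if (--o->refcount == 0) o->freed = true;
    return 0;
}

#define MAX_MSGS 8
/* Stand-in for the "CFPreferencesMessages" array: it owns one reference per element. */
typedef struct { obj_t *items[MAX_MSGS]; int count; } msg_array_t;

/* Like xpc_array_get_value(): a borrowed reference, refcount unchanged. */
static obj_t *array_get_value(const msg_array_t *a, int i) { return a->items[i]; }

/* One buffer slot: the object plus whether the callback stored an owned reference. */
typedef struct { obj_t *obj; bool owned; } slot_t;

/* The callback block: retain the object and store the owned reference back in the slot. */
static void reply_callback(slot_t *slot, obj_t *value) {
    slot->obj = obj_retain(value);
    slot->owned = true;
}

/* Constructed dispatcher: handler 0 invokes the callback, handler 1 returns without it. */
static void dispatch_handler(int handler_index, slot_t *slot, obj_t *value) {
    if (handler_index == 0) reply_callback(slot, value);
}

/* Model of the handleMultiMessage:replyHandler: loop. Returns the number of double releases.
 * patched == false keeps the pre-12.1.4 logic; patched == true applies the fix, with NULL
 * standing in for xpc_null in slots the callback never updated. */
static int handle_multi_message(const msg_array_t *msgs, const int *handler_index, bool patched) {
    slot_t buffer[MAX_MSGS];
    for (int i = 0; i < msgs->count; i++) {
        buffer[i].obj = array_get_value(msgs, i);      /* borrowed, not owned */
        buffer[i].owned = false;
        dispatch_handler(handler_index[i], &buffer[i], buffer[i].obj);
        if (patched && !buffer[i].owned)
            buffer[i].obj = NULL;                      /* nothing to release: the fix */
    }
    int double_releases = 0;
    for (int i = 0; i < msgs->count; i++)              /* assumes every slot is owned */
        if (buffer[i].obj) double_releases += obj_release(buffer[i].obj);
    return double_releases;
}

/* Builds a two-element request, runs the handler, then tears the request down as the
 * daemon does once the message is finished. Returns the total double releases observed. */
static int simulate(bool patched, int handler_index) {
    msg_array_t msgs = { .count = 2 };
    int handlers[MAX_MSGS] = { handler_index, handler_index };
    for (int i = 0; i < msgs.count; i++) msgs.items[i] = obj_new();

    int doubles = handle_multi_message(&msgs, handlers, patched);
    for (int i = 0; i < msgs.count; i++) {             /* teardown releases the owned elements */
        doubles += obj_release(msgs.items[i]);
        free(msgs.items[i]);
    }
    return doubles;
}

int main(void) {
    printf("callback runs,    unpatched: %d double releases\n", simulate(false, 0));
    printf("callback skipped, unpatched: %d double releases\n", simulate(false, 1));
    printf("callback skipped, patched:   %d double releases\n", simulate(true, 1));
    return 0;
}
```

The unpatched path is only safe while every handler retains; once a handler skips the callback the release loop gives up a reference the function never held, and the array's own release at teardown frees the element a second time. The patched path neutralises the untouched slot instead of trusting the buffer.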

Vulnerability Reproduction

We were able to reproduce CVE-2019-7286 using the POC code snippet below:

Running the above program on iOS 12.0.1 resulted in a cfprefsd crash:

Recommendations

  • Update to the latest OS X and iOS versions.
  • Reboot your iPhones/iPads occasionally (e.g. once a day) to remove non-persistent attackers
