iOS 12.1.4, released on February 8th 2019, is the latest version of iOS at the time of writing. It patched four disclosed vulnerabilities. According to a tweet by Ben Hawkes of Google Project Zero, at least two of them were exploited in the wild as zero-days. Here at Jamf we were keen to analyze these patched vulnerabilities and reveal more details about them.
TL;DR:
- CVE-2019-7286 was exploited in the wild
- The vulnerability appears to be of critical severity and could potentially also have been used to maintain persistence across reboots
- We were able to reproduce this vulnerability (POC code below)
- The vulnerability could be used to escalate privileges to root as part of a jailbreak chain on iOS 12.1.3.
Analyzing CVE-2019-7286
According to Apple’s description:
Foundation
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An application may be able to gain elevated privileges
Description: A memory corruption issue was addressed with improved input validation.
CVE-2019-7286: an anonymous researcher, Clement Lecigne of Google Threat Analysis Group, Ian Beer of Google Project Zero, and Samuel Groß of Google Project Zero
Beyond the fact that the fix landed in Apple's Foundation framework, the description gives little away about the nature of the vulnerability.
Binary diffing of the Foundation framework between iOS 12.1.3 and iOS 12.1.4 revealed no significant changes. The next immediate suspect was CoreFoundation, which showed a number of binary differences in the Diaphora tool, as shown below:
Comparing the two versions, we found a few minor changes in the implementation of the CFPrefs daemon (cfprefsd).
The man page for this daemon isn't very descriptive:
cfprefsd provides preferences services for the CFPreferences and
NSUserDefaults APIs.
There are no configuration options to cfprefsd manually.
CFPreferences is used by almost every piece of software on iOS and OS X when it launches, so a vulnerability in this daemon might also be useful for maintaining persistence. Surprisingly, given that the vulnerability was actively exploited in the wild, there is still no public information about this CVE.
Patch Analysis
The same bug was also present on OS X, which aided ZecOps' investigation and analysis. The patch introduced several minor changes into cfprefsd, but the most important modification appears to be in the following function:
[CFPrefsDaemon handleMultiMessage:replyHandler:]
Below is Jamf's attempt to reconstruct the original Obj-C code, with the patch shown in bold:
Vulnerability Details
handleMultiMessage:replyHandler: has a reference-counting issue involving the “CFPreferencesMessages” array that is part of the XPC request.
The function copies the array's objects into a buffer one by one using xpc_array_get_value, which returns borrowed references and does not touch the reference count. The final part of the function releases every element in the buffer, assuming it owns them. That assumption normally holds, because the reply callback block calls xpc_retain and overwrites the original pointer in the buffer with the retained object. However, the message body carries the handler index for each message, and not every handler invokes the callback. A crafted message that routes to a handler which never calls the callback leaves the borrowed pointer in the buffer, so the element is released once by the function and again when the request itself is freed: a double free.
An XPC message with the following keys and values will trigger the vulnerability:
Apple’s patch replaces the original XPC object with xpc_null if the callback did not update xpc_buffer[count]. Releasing xpc_null has nothing to free, so the double free no longer occurs.
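To make the ownership mismatch concrete, here is a stand-alone model of the pattern described above. This is an added example, not cfprefsd or libxpc code: the refcounted obj_t, the g_null sentinel, the two-entry handler table and the "updated" flag are all constructed for illustration, and real xpc_array_get_value / xpc_retain / xpc_release semantics are only approximated. It counts releases past zero instead of actually freeing memory twice, so it runs safely anywhere, and it shows the same request handled by the vulnerable logic and by the patched logic.

```c
/* Model of the CVE-2019-7286 reference-counting bug (added example, not
 * cfprefsd or libxpc code; all names below are hypothetical). */
#include <stdbool.h>
#include <stdio.h>

#define MSG_COUNT 2

/* Minimal refcounted object standing in for an xpc_object_t. */
typedef struct {
    int refcount;
    int overreleases;  /* releases past zero: a double free in real code */
} obj_t;

/* Stand-in for the xpc_null singleton: releasing it is a no-op. */
static obj_t g_null = { 1, 0 };

static void obj_retain(obj_t *o) { if (o != &g_null) o->refcount++; }

static void obj_release(obj_t *o) {
    if (o == &g_null) return;                       /* nothing to free */
    if (o->refcount == 0) { o->overreleases++; return; }
    o->refcount--;
}

typedef struct {
    obj_t *slot;     /* xpc_buffer[i]: starts as a borrowed pointer */
    bool   updated;  /* set when the reply callback stores a retained object */
} entry_t;

/* The reply callback block: xpc_retain, then replace the buffer slot. */
static void reply_callback(entry_t *e, obj_t *o) {
    obj_retain(o);
    e->slot = o;
    e->updated = true;
}

typedef void (*handler_fn)(entry_t *, obj_t *);

/* A handler that calls the callback, and one that never does. */
static void handler_with_callback(entry_t *e, obj_t *req) { reply_callback(e, req); }
static void handler_without_callback(entry_t *e, obj_t *req) { (void)e; (void)req; }

/* Hypothetical handler table, indexed by the per-message handler index. */
static const handler_fn handlers[] = { handler_with_callback, handler_without_callback };

/* Model of handleMultiMessage:replyHandler:. `messages` are the array
 * elements as returned by xpc_array_get_value (borrowed, +0). */
static void handle_multi_message(obj_t **messages, const int *handler_idx,
                                 int count, bool patched) {
    entry_t buf[MSG_COUNT];
    for (int i = 0; i < count; i++) {
        buf[i].slot = messages[i];          /* xpc_array_get_value: no retain */
        buf[i].updated = false;
        handlers[handler_idx[i]](&buf[i], messages[i]);
        if (patched && !buf[i].updated)
            buf[i].slot = &g_null;          /* the fix: harmless to release */
    }
    for (int i = 0; i < count; i++)
        obj_release(buf[i].slot);           /* assumes ownership of every slot */
}

/* Constructed request whose "CFPreferencesMessages" array holds two messages:
 * one routed to a handler that calls back, one to a handler that does not.
 * Returns the number of over-releases once the runtime frees the request. */
int simulate_request(bool patched) {
    obj_t msg_a = { 1, 0 }, msg_b = { 1, 0 };   /* each owned by the array */
    obj_t *messages[MSG_COUNT] = { &msg_a, &msg_b };
    int handler_idx[MSG_COUNT] = { 0, 1 };

    handle_multi_message(messages, handler_idx, MSG_COUNT, patched);

    /* The XPC runtime releases the request, dropping the array's own references. */
    for (int i = 0; i < MSG_COUNT; i++) obj_release(messages[i]);
    return msg_a.overreleases + msg_b.overreleases;
}

int main(void) {
    printf("unpatched over-releases: %d\n", simulate_request(false));
    printf("patched over-releases:   %d\n", simulate_request(true));
    return 0;
}
```

In the unpatched run the message routed to the silent handler is released by the function while still borrowed, so the runtime's own release takes it past zero (one over-release); with the xpc_null substitution the count is zero. The message handled through the callback is balanced in both runs, which is why the bug only surfaces with a crafted handler index.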
Vulnerability Reproduction
We were able to reproduce CVE-2019-7286 using the POC code snippet below:
Running the above program on iOS 12.0.1 resulted in a cfprefsd crash:
Recommendations
- Update to the latest OS X and iOS versions.
- Reboot your iPhones and iPads occasionally (e.g. once a day) to clear out non-persistent implants