Jamf Threat Labs analyzes the exploited in-the-wild WebKit vulnerability CVE-2022-42856

Jamf Threat Labs investigated a WebKit vulnerability that was exploited in the wild. Attackers can exploit CVE-2022-42856 to gain code execution inside WebKit, which gives them a limited, sandboxed ability to read and write files and to communicate with attacker-controlled infrastructure. This blog explores what the vulnerability looked like in the code and the patches Apple applied.

February 17, 2023, by Jamf Threat Labs


Apple recently issued a security patch for a WebKit vulnerability (CVE-2022-42856) in iOS and iPadOS that drew media attention.

The TL;DR

  • Visiting a maliciously crafted website could trigger the bug in versions older than 16.3, 15.7.3, or 12.5.7, depending on the device model
  • The bug could lead to arbitrary code execution
  • Apple acknowledged in its release notes that the bug may have been “actively exploited”
  • The bug was patched for iOS 15 in version 15.7.2 on December 13th, 2022
  • The patch was backported to older devices in version 12.5.7 on January 23rd, 2023 (note that 12.5.6, itself shipped for a similar WebKit security fix, was the only iOS 12 release in 2022)
  • If successfully exploited, the attacker controls code execution within the context of WebKit, which gives limited ability to read/write files and communicate with the attacker from inside WebKit's sandbox. Further vulnerabilities are still needed to gain full access to the device.

Research led by Nir Avraham and Yuan Shen.

In order to better understand the nature of this vulnerability and the steps taken to fix it, we took a deeper look at the release and found the patched code.

The security content of iOS 12.5.7 reveals that CVE-2022-42856 is the only security issue that was patched. Our initial analysis was conducted by performing a binary comparison between iOS 12.5.7 and 12.5.6 with a focus on the JSC (JavaScriptCore). As the built-in JavaScript Engine for WebKit, JSC is often targeted due to its complexity and the control that web-hosted JavaScript can exert over the local execution environment when compromised. However, an initial bindiff of the two versions indicated that there were no changes regarding JSC.

With not much help from bindiff, we turned our analysis to the WebKit Bugzilla tracking number found in the advisory, "WebKit Bugzilla 248266," seen in this screenshot from February 1, 2023:

WebKit bugzilla report containing the scope, impact, and description of the vulnerability, which can allow for code execution on older Apple mobile devices.

After digging into the WebKit repository on GitHub, we found a patch that matches the tracking number, with the following patch note, seen in this partial WebKit commit message:

Partial WebKit commit message explaining the patch

The actual patch is as shown in this screenshot of GitHub diff:

Code comparison of the actual WebKit patch

The first thing we notice is that the patch doesn’t change any code structure; it only replaces the ~SpecFullDouble mask with ~SpecDoubleReal in the call to isNotInt32. Both are compile-time constants, so the only difference in the compiled output is an immediate operand: the function's basic blocks, branches and call graph are identical. A bindiff that matches functions on their structure and control flow will therefore report the function as unchanged, which is why our original comparison failed to identify this patch in JSC. When an advisory points at a one-constant fix like this, a comparison of instruction operands (or a targeted diff of the known function) is needed in addition to the structural bindiff.

With that information in hand, we located the corresponding change in the compiled function LowerDFGToB3::speculate, which confirms the patch seen in the source code. The first image contains code from 12.5.6, while the second is the patched version in 12.5.7.

Vulnerable function from version 12.5.6
Patched function in version 12.5.7

The vulnerability is a type confusion issue within the FTL JIT (Faster Than Light Just-In-Time) compiler: the overly broad ~SpecFullDouble mask lets the compiler drop a type check that it should have emitted, so a value of the wrong type can be treated as a number it is not. Triggered by malicious JavaScript, this can ultimately lead to remote code execution within the context of WebKit. Please note that attackers still need other OS vulnerabilities to achieve full remote control of the device after the WebKit exploit succeeds.
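To make the effect of that one-constant change concrete, the following is an added example (our own illustration, not code from the WebKit patch or from the screenshots above). It models the piece of FTL lowering logic that the mask feeds: isProvenValue() decides whether a speculation can be settled statically, and isNotInt32() uses it to decide whether to emit a guard. The SpeculatedType bit positions below are arbitrary; only the set relationships matter, and those follow JavaScriptCore's SpeculatedType.h (SpecDoubleReal is a strict subset of SpecFullDouble, which additionally contains the NaN bits). The helper names guardDecisionBefore and guardDecisionAfter are ours.

```cpp
#include <cstdint>
#include <cstdio>

// Simplified model of JavaScriptCore's SpeculatedType bitmask. The bit
// positions are made up for this example; the inclusions are the real ones:
//   SpecDoubleReal  = AnyIntAsDouble | NonIntAsDouble
//   SpecDoubleNaN   = DoublePureNaN  | DoubleImpureNaN
//   SpecFullDouble  = SpecDoubleReal | SpecDoubleNaN
using SpeculatedType = uint64_t;
constexpr SpeculatedType SpecInt32Only       = 1ull << 0;
constexpr SpeculatedType SpecAnyIntAsDouble  = 1ull << 1;
constexpr SpeculatedType SpecNonIntAsDouble  = 1ull << 2;
constexpr SpeculatedType SpecDoublePureNaN   = 1ull << 3;
constexpr SpeculatedType SpecDoubleImpureNaN = 1ull << 4;
constexpr SpeculatedType SpecDoubleReal = SpecAnyIntAsDouble | SpecNonIntAsDouble;
constexpr SpeculatedType SpecDoubleNaN  = SpecDoublePureNaN | SpecDoubleImpureNaN;
constexpr SpeculatedType SpecFullDouble = SpecDoubleReal | SpecDoubleNaN;

// Outcome of a static proof attempt: the lowering either settles the
// predicate at compile time (and emits no runtime guard) or must emit one.
enum class Proof { ProvenTrue, ProvenFalse, NeedsRuntimeCheck };

// Modelled after LowerDFGToB3::isProvenValue(provenType, wantedType):
// if every proven bit lies inside wantedType the predicate is statically
// true; if no proven bit does, it is statically false; otherwise unknown.
Proof isProvenValue(SpeculatedType provenType, SpeculatedType wantedType)
{
    if (!(provenType & ~wantedType))
        return Proof::ProvenTrue;
    if (!(provenType & wantedType))
        return Proof::ProvenFalse;
    return Proof::NeedsRuntimeCheck;
}

// isNotInt32(value, type) asks whether "value is not an Int32" is provable
// from the type. ProvenFalse means "certainly an Int32", so the guard that
// would catch a non-Int32 on this path is elided.
Proof isNotInt32(SpeculatedType provenType)
{
    return isProvenValue(provenType, ~SpecInt32Only);
}

// The two masks from the diff. Subtracting SpecFullDouble also strips the
// NaN bits from the proven type before the Int32 proof is attempted;
// subtracting SpecDoubleReal strips only the real-double bits.
Proof guardDecisionBefore(SpeculatedType provenType)
{
    return isNotInt32(provenType & ~SpecFullDouble); // vulnerable mask
}
Proof guardDecisionAfter(SpeculatedType provenType)
{
    return isNotInt32(provenType & ~SpecDoubleReal); // patched mask
}

static const char* describe(Proof p)
{
    switch (p) {
    case Proof::ProvenTrue:        return "proven not Int32 (guard always exits)";
    case Proof::ProvenFalse:       return "proven Int32 (guard elided)";
    case Proof::NeedsRuntimeCheck: return "unknown (runtime guard emitted)";
    }
    return "?";
}

int main()
{
    // A value the DFG has proven to be either an Int32 or a NaN double.
    const SpeculatedType proven = SpecInt32Only | SpecDoubleNaN;
    std::printf("before patch: %s\n", describe(guardDecisionBefore(proven)));
    std::printf("after patch:  %s\n", describe(guardDecisionAfter(proven)));
    return 0;
}
```

For a proven type of Int32 or NaN double, the old mask reduces the type to SpecInt32Only before the proof, so isNotInt32 reports "certainly Int32" and no guard is emitted; the new mask leaves the NaN bits in place, the proof is inconclusive, and the runtime guard stays. For a proven type of Int32 or real double, both masks give the same answer, which is why the fix costs nothing in the common case and why the diff is a single constant.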

Recommendations

We highly recommend that users upgrade to the newest software version available for their device in order to prevent potential security breaches.
