Facepalm: Apple’s iOS 15 (and, by extension, iPadOS 15) was a very buggy release. In addition to several flaws that left iPhone 13 handsets paralyzed, the operating system shipped with at least two actively exploited zero-day vulnerabilities that Apple engineers had to fix in a hurry.
On Monday, Apple released an urgent fix for a zero-day vulnerability in iOS 15 and iPadOS 15 that was being actively exploited in the wild. The patch appeared on the same day iOS 15.0.1 was released.
The flaw (CVE-2021-30883) is a memory corruption bug in IOMobileFrameBuffer, a kernel component that lets applications manage the system memory used to drive the display.
“An application may be able to execute arbitrary code with kernel privileges,” say Apple’s patch notes. “Apple is aware of a report that this issue may have been actively exploited.”
The patch notes offered no detailed description of the bug. However, shortly after Apple released iOS and iPadOS 15.0.2, security researcher Saar Amar published a blog post explaining the exploit and a proof of concept (PoC) showing that it works “100 percent of the time.” Amar said the flaw is “great for a hack” because it is reachable from the application sandbox.
After studying the patch with BinDiff (a tool that shows the differences between disassembled binaries), Amar concluded that the flaw is not only good for obtaining kernel privileges, but can also be used for LPE (local privilege escalation) exploits.
Amar tested his very simple (one page of code) PoC on iOS 14.7.1 (a physical iPhone X) and 15.0 (a virtual iPhone 11 Pro), but said the bug is probably much older than that. He ran the code five times on each device, and in every case the PoC triggered a kernel panic. Amar’s code also caused integer overflows in areas other than IOMobileFrameBuffer, but the patch appears to have fixed those as well.
“An interesting point to note is that other implementations of these functions in other classes have had this integer overflow as well,” Amar wrote. “As far as I understand, the patch fixed that too.”
Aside from being exploitable from the sandbox, this security flaw resembles the nasty one (CVE-2021-30807) that Apple fixed in July. Attackers can exploit the bug to completely hijack the device (and apparently already have), so it’s best to install the patch as soon as possible.