CVE-2017-7115
Description
An issue was discovered in certain Apple products. iOS before 11 is affected. tvOS before 11 is affected. The issue involves the "Wi-Fi" component. It might allow remote attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via crafted Wi-Fi traffic that leverages a race condition.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Apple iOS 10.2 (14C92) - Remote Code Execution
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1317#c3
The exploit achieves R/W access to the host's physical memory.
This exploit has been tested on the iPhone 7, iOS 10.2 (14C92). To run the exploit against different devices or versions, the symbols must be adjusted.
The attached archive contains the following directories:
- hostapd-2.6 - A modified version of hostapd utilised in the exploit. This version of hostapd is configured to support 802.11k RRM, and in particular Neighbor Reports. Moreover, this version of hostapd is instrumented to add various commands, allowing injection and reception of crafted action frames used throughout the exploit.
- OneRing - The exploit itself.
To run the exploit, you must execute the following steps:
- Connect (and enable) a SoftMAC Wi-Fi dongle to your machine (such as the TL-WN722N)
- Compile the provided version of hostapd
- Modify the "interface" setting under "hostapd-2.6/hostapd/hostapd.conf" to match your interface's name
- Configure the following settings under "OneRing/rrm_exploit/conf.py":
  - HOSTAPD_DIR - The directory of the hostapd binary compiled above
  - TARGET_MAC - The MAC address of the device being exploited
  - AP_MAC - The MAC address of your wireless dongle
  - INTERFACE - The name of the wireless dongle's interface
- Configure the following settings under "OneRing/conf.py":
  - TARGET_MAC - The MAC address of the device being exploited
  - TARGET_IP - The IP address of the device being exploited
- Assemble the backdoor shellcode by running "OneRing/rrm_exploit/assemble_backdoor.sh"
- Assemble each of the code chunks under "OneRing/code_chunks" by running "compile.sh"
- Run hostapd with the configuration file provided above, broadcasting a Wi-Fi network ("test80211k")
- Connect the target device to the network
- Run "OneRing/attack.py"
Following the steps above should result in DART's descriptor being mapped into IO-Space, allowing R/W access to the host's physical memory. You can utilise this R/W access by calling the "read_host_dword" and "write_host_dword" functions, respectively.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42996.zip
OS impact
macOS Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| — | Affected | — |
References
- http://www.securityfocus.com/bid/100924
- http://www.securitytracker.com/id/1039385
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1317
- https://support.apple.com/HT208112
- https://support.apple.com/HT208113
- https://www.exploit-db.com/exploits/42996/
CWEs
CWE-362