CVE-2018-4282: Out-of-bounds read vulnerability in AppleT8015PPM.kext

Researchers: Adam Donenfeld (@doadam)

Relevant Operating Systems: iOS, tvOS and watchOS

CVE: CVE-2018-4282

Summary

As part of our ongoing mobile platform research, zLabs recently discovered an out-of-bounds read vulnerability in AppleT8015PPM.kext: the kernel extension reads beyond the end of the structureInput buffer supplied by the caller, and the data read this way is then used as a dictionary.

Details

Selector 13 of ApplePPMUserClient (sPushTelemetry) takes, from the caller's input, the number of entries to be placed into the dictionary. That entry count is never validated against the size of the supplied input buffer, so the kernel reads past the end of structureInput.
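The defect above is the familiar pattern of trusting an entry count taken from the input buffer itself. What follows is an added illustration written for this page, not Apple's code and not taken from the advisory: the structure layout, the field names and the `sum_values_*`/`demo` functions are assumptions. It contrasts a parser that trusts the header count with one that bounds the count by the number of bytes the caller actually supplied.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical structureInput layout (assumed for illustration, not Apple's
   definitions): a caller-supplied entry count followed by the entries. */
typedef struct { uint32_t key; uint32_t value; } telemetry_entry_t;
typedef struct { uint32_t count; telemetry_entry_t entries[]; } telemetry_input_t;

#define MAX_ENTRIES 64  /* upper bound chosen for this example */

/* Vulnerable pattern: count is trusted and never compared with the number of
   bytes the caller supplied (len is ignored), so the loop reads entries past
   the end of the buffer. Kept only for contrast with the checked version. */
uint64_t sum_values_unchecked(const void *buf, size_t len) {
    const telemetry_input_t *in = buf;
    uint64_t sum = 0;
    (void)len;
    for (uint32_t i = 0; i < in->count; i++)
        sum += in->entries[i].value;
    return sum;
}

/* Hardened form: require room for the header, then bound count by how many
   entries fit in the remaining bytes (division, so count * size cannot
   overflow) and by a fixed ceiling. Returns the entries consumed, or -1. */
int sum_values_checked(const void *buf, size_t len, uint64_t *out) {
    if (buf == NULL || out == NULL || len < sizeof(telemetry_input_t))
        return -1;
    const telemetry_input_t *in = buf;
    size_t capacity = (len - sizeof(telemetry_input_t)) / sizeof(telemetry_entry_t);
    if (in->count > capacity || in->count > MAX_ENTRIES)
        return -1;  /* caller claims more entries than it supplied */
    uint64_t sum = 0;
    for (uint32_t i = 0; i < in->count; i++)
        sum += in->entries[i].value;
    *out = sum;
    return (int)in->count;
}

/* Constructed input (not from the advisory): 20 bytes laid out as
   count, key0, value0, key1, value1, i.e. room for exactly 2 entries.
   Returns the checked sum, or UINT64_MAX when the input is rejected. */
uint64_t demo(uint32_t claimed_count, size_t len) {
    uint32_t words[5] = { claimed_count, 1, 10, 2, 32 };
    uint64_t sum = 0;
    if (len > sizeof words || sum_values_checked(words, len, &sum) < 0)
        return UINT64_MAX;
    return sum;
}
```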

Disclosure timeline

16/05/2018 – Bug discovered

19/05/2018 – Vendor notified

09/07/2018 – Patch released (fixed on iOS 11.4.1)

I would like to thank Apple for their quick and professional response and the rest of the Zimperium zLabs team for their ongoing research and assistance.