New Crucial Vulnerabilities in Apple’s bluetoothd daemon

As part of our platform research team in Zimperium zLabs, we investigated iOS Mach message IPC, focusing on services accessible from within the iOS sandbox. The goal of this effort was to assess potential opportunities to gain privilege escalation and escape the sandbox, which is a core part of a full iOS exploit chain.

We found 2 crucial vulnerabilities in the bluetoothd daemon on iOS, watchOS and tvOS, as part of CoreBluetooth. The first vulnerability is memory corruption in bluetoothd, and the other is execution of arbitrary code on different crucial daemons.

The first vulnerability (CVE-2018-4095) gives full relative control of the stack (an ASLR bypass) in CoreBluetooth, which leads to memory corruption in bluetoothd.

The second major vulnerability (CVE-2018-4087) leads to execution of arbitrary code on different crucial daemons in iOS by hijacking the session between each daemon and bluetoothd. Some of the impacted daemons are: SpringBoard, mDNSResponder, aggregated, wifid, Preferences, CommCenter, iaptransportd, findmydeviced, routined, UserEventAgent, carkitd, mediaserverd, bluetoothd, coreduetd and so on.

[Figure: Register state from wifid after executing the vulnerability POC]

Both of the vulnerabilities were addressed by Apple in the latest OS releases: iOS – 11.2.5, watchOS – 4.2.2, tvOS – 11.2.5. Apple assigned 2 CVEs, one for each of the vulnerabilities:

  1. CVE-2018-4087: Rani Idan (@raniXCH) of Zimperium zLabs Team
  2. CVE-2018-4095: Rani Idan (@raniXCH) of Zimperium zLabs Team

More details regarding the research process and the results will be published in the near future in a more detailed and technical write-up, along with the full exploit source code.

I would like to thank Apple for their quick and professional response, and the zLabs team and Nikias Bassen (@pimskeks), who helped in the process.

Author: Rani Idan