Researchers: Adam Donenfeld (@doadam)
Relevant Operating Systems: iOS, tvOS and watchOS
As part of our ongoing mobile platform research, zLabs recently discovered an out-of-bounds read vulnerability in AppleT8015PPM.kext that allows an attacker to make the kernel read past the end of the structureInput the attacker supplies. The data that is read is then used as a dictionary.
Selector number 13 in ApplePPMUserClient (sPushTelemetry) receives the number of entries to be given to the dictionary. There is, however, no check on the number of entries, which leads the kernel to read beyond the supplied input buffer.
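The missing check, shown as an added example that is neither code from this advisory nor Apple's code: a handler that trusts a caller-supplied entry count, next to a version that validates the count against the size of the supplied buffer. The struct layout and the function names are hypothetical, since the advisory does not describe the real input format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout: the advisory does not give the real input format. */
struct telemetry_header { uint32_t entry_count; uint32_t reserved; };
struct telemetry_entry  { uint64_t key; uint64_t value; };

/* Pattern described in the advisory: the entry count is taken from the
 * input and never compared with the size of the buffer that was supplied.
 * Returns how many bytes a handler written this way would walk over. */
static size_t bytes_consumed_unchecked(const void *input)
{
    struct telemetry_header hdr;
    memcpy(&hdr, input, sizeof hdr);
    return sizeof hdr + (size_t)hdr.entry_count * sizeof(struct telemetry_entry);
}

/* Hardened form: accept the input only if the header and every claimed
 * entry lie inside the supplied buffer. Dividing the remaining size by the
 * entry size avoids an overflow in entry_count * sizeof(entry). */
static int telemetry_input_ok(const void *input, size_t input_size)
{
    struct telemetry_header hdr;
    if (input == NULL || input_size < sizeof hdr)
        return 0;
    memcpy(&hdr, input, sizeof hdr);
    size_t max_entries =
        (input_size - sizeof hdr) / sizeof(struct telemetry_entry);
    return hdr.entry_count <= max_entries;
}

int main(void)
{
    /* Constructed input: header plus room for exactly two entries,
     * while the header claims three. */
    unsigned char buf[sizeof(struct telemetry_header) +
                      2 * sizeof(struct telemetry_entry)] = {0};
    struct telemetry_header hdr = { .entry_count = 3, .reserved = 0 };
    memcpy(buf, &hdr, sizeof hdr);
    printf("claimed span %zu bytes, buffer %zu bytes, accepted: %d\n",
           bytes_consumed_unchecked(buf), sizeof buf,
           telemetry_input_ok(buf, sizeof buf));
    return 0;
}
```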
16/05/2018 – Bug discovered
19/05/2018 – Vendor notified
09/07/2018 – Patch released (fixed on iOS 11.4.1)
I would like to thank Apple for their quick and professional response and the rest of the Zimperium zLabs team for their ongoing research and assistance.