2026-04-07 12:10:57 -04:00
2026-03-09 17:13:59 -04:00

CVE-2025-31200 & CVE-2025-31201 | iMessage Zero-Click RCE Chain

Summary

This repository documents research into a zero-click remote exploit chain affecting iOS 18.x and beyond. A malformed AMR audio file delivered via iMessage triggers:

  1. Heap corruption in CoreAudio (CVE-2025-31200) — in AudioConverterService AMR 12.2 decoding via illegal bitstream parameters embedded across valid FT=7 frames.
  2. Kernel escalation via AppleBCMWLAN/AMPDU handling (CVE-2025-31201) — RPAC bypass achieves full kernel read/write.
  3. Hardware pivot via BCM4387 coexistence SRAM (CVE pending) — kernel R/W used to write directly to the Broadcom Wi-Fi/BT coexistence SRAM below the IOMMU boundary, injecting HCI commands into the Bluetooth controller without OS intercept.
  4. SSV-layer persistence (CVE-2026-20700) — payload survives DFU restore, factory reset, and OTA update. iOS 26.3 does not remove existing infections.

In post-pivot testing, misuse of CryptoTokenKit signing operations was observed — invoking Secure Enclave-backed keys without interactive prompts via a spoofed Bluetooth identity. Apple patched CVE-2025-31200 and CVE-2025-31201 in iOS 18.4.1. The BCM4387 coexistence bridge remains unpatched at any iOS version.

VirusTotal Analysis (Verified Hash)


Verified Behavior

  • CVE-2025-31200 (CoreAudio) — Heap corruption in AudioConverterService AMR 12.2 decoder via illegal bitstream parameters in valid FT=7 frames. 189 parameter violations across 50 frames; pitch lag max 248 against legal maximum 143; 210-byte heap overflow. Zero-click, no user interaction required.
  • CVE-2025-31201 (AppleBCMWLAN) — Kernel privilege escalation via AMPDU subframe length confusion in parseAggregateFrame. PAC bypass achieved without forging a signed pointer. Fully reproducible on affected devices/builds.
  • BCM4387 coexistence bridge (unpatched) — Kernel R/W used to write directly to BCM4387 coexistence SRAM at 0x102000, which sits 0x5400 bytes below the IOMMU protection boundary at 0x1173FF. HCI commands injected directly into Bluetooth controller. No CVE assigned. Unpatched on all iPhone 13–16 regardless of iOS version.
  • CVE-2026-20700 (SSV persistence) — Zombie DSC binary written to /System/Library/Caches/com.apple.dyld/. Survives DFU restore. iOS 26.3 addresses the write path for new infections but does not remove existing implants — iOS 26.3.1 observed leaving the implant intact and adding a second instance.
  • Zero-click delivery vector — Malicious AMR audio processed by iMessage while device is locked, bypassing BlastDoor via valid container structure with exploit payload in codec bitstream parameters.
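The CoreAudio item above rests on the distinction between a structurally valid AMR container and the decoded codec parameters inside it. The following is an added example, not code from this repository: a Python walker for the AMR-NB storage format (RFC 4867) that validates only what a container check sees (magic, TOC frame type, frame length), next to a parameter-level range check of 12.2 kbps pitch lags against the 17 3/6 .. 143 range in 3GPP TS 26.090. The `abs_lag_from_index` mapping follows the standard's dec_lag6 rule for the 9-bit absolute index; the full 12.2 kbps bit unpacking is not implemented, so the per-frame decoded lags (`SAMPLE_DECODED_LAGS`) and the sample file bytes are constructed inputs, not data taken from the page.

```python
from __future__ import annotations

from dataclasses import dataclass

# --- Container level (RFC 4867 storage format) -----------------------------
AMR_MAGIC = b"#!AMR\n"
# Speech payload bytes per frame type (FT), TOC byte excluded (RFC 4867 / TS 26.101).
# FT 7 is the 12.2 kbps mode (244 bits -> 31 bytes), FT 8 is SID, FT 15 is NO_DATA.
AMR_NB_PAYLOAD_BYTES = {0: 12, 1: 13, 2: 15, 3: 17, 4: 19, 5: 20, 6: 26, 7: 31, 8: 5, 15: 0}
FT_12K2 = 7

# --- Parameter level (3GPP TS 26.090, section 5.6) -------------------------
# 12.2 kbps pitch lag runs 17 3/6 .. 94 3/6 at 1/6 resolution, then integers 95 .. 143.
LAG_MIN_SIXTHS = 17 * 6 + 3
LAG_MAX_SIXTHS = 143 * 6


@dataclass
class Frame:
    number: int
    ft: int
    quality_ok: bool
    payload: bytes


def walk_amr(data: bytes) -> list[Frame]:
    """Container check only: magic, TOC frame type and per-frame length.
    A file can pass this and still carry illegal decoded parameters."""
    if not data.startswith(AMR_MAGIC):
        raise ValueError("not an AMR-NB storage file")
    frames: list[Frame] = []
    pos = len(AMR_MAGIC)
    while pos < len(data):
        toc = data[pos]
        ft = (toc >> 3) & 0x0F      # TOC byte: P | FT (4 bits) | Q | 2 padding bits
        q = (toc >> 2) & 1          # Q = 1 means the frame is not marked damaged
        if ft not in AMR_NB_PAYLOAD_BYTES:
            raise ValueError(f"frame {len(frames)}: reserved frame type {ft}")
        size = AMR_NB_PAYLOAD_BYTES[ft]
        payload = data[pos + 1:pos + 1 + size]
        if len(payload) != size:
            raise ValueError(f"frame {len(frames)}: truncated ({len(payload)}/{size} bytes)")
        frames.append(Frame(len(frames), ft, bool(q), payload))
        pos += 1 + size
    return frames


def abs_lag_from_index(index: int) -> tuple[int, int]:
    """Map the 9-bit absolute lag index of 12.2 kbps subframes 1 and 3 to
    (integer lag T0, fraction in sixths) following the TS 26.090 dec_lag6 rule.
    Every 9-bit index lands inside the legal range, so an out-of-range lag can
    only come from a decoder that skips this mapping or a later range clamp."""
    if not 0 <= index <= 511:
        raise ValueError("absolute lag index must fit in 9 bits")
    if index < 463:
        t0 = (index + 5) // 6 + 17
        return t0, index - t0 * 6 + 105
    return index - 368, 0


def check_pitch_lags(lags: list[tuple[int, int]]) -> list[str]:
    """Parameter check: each (T0, frac) pair must lie inside 17 3/6 .. 143."""
    problems = []
    for sub, (t0, frac) in enumerate(lags, start=1):
        sixths = t0 * 6 + frac
        if not (0 <= frac <= 5 and LAG_MIN_SIXTHS <= sixths <= LAG_MAX_SIXTHS):
            problems.append(f"subframe {sub}: pitch lag {t0}+{frac}/6 outside 17.5..143")
    return problems


def audit(data: bytes, decoded_lags: dict[int, list[tuple[int, int]]]) -> dict:
    """Run both layers. decoded_lags maps a frame number to the four (T0, frac)
    pairs a real 12.2 kbps decoder would hand back for that frame."""
    frames = walk_amr(data)
    violations = {}
    for f in frames:
        if f.ft == FT_12K2 and f.number in decoded_lags:
            problems = check_pitch_lags(decoded_lags[f.number])
            if problems:
                violations[f.number] = problems
    return {
        "frames": len(frames),
        "ft7_frames": sum(1 for f in frames if f.ft == FT_12K2),
        "violations": sum(len(p) for p in violations.values()),
        "details": violations,
    }


# Constructed sample file: three structurally valid FT=7 frames plus one NO_DATA frame.
TOC_12K2_GOOD = bytes([(FT_12K2 << 3) | (1 << 2)])   # 0x3C
TOC_NO_DATA = bytes([15 << 3])                        # 0x78
SAMPLE_AMR = AMR_MAGIC + (TOC_12K2_GOOD + bytes(31)) * 3 + TOC_NO_DATA
# Constructed decoded lags: frame 1 carries a lag of 248 (legal maximum is 143),
# one lag below 17 3/6 and one of 144; frames 0 and 2 are entirely legal.
SAMPLE_DECODED_LAGS = {
    0: [(40, 0), (42, 3), (95, 0), (143, 0)],
    1: [(248, 0), (17, 3), (17, 2), (144, 0)],
    2: [(18, 0), (94, 3), (120, 0), (143, 0)],
}

if __name__ == "__main__":
    print(audit(SAMPLE_AMR, SAMPLE_DECODED_LAGS))
```

Running it reports 4 frames, 3 of them FT=7, and 3 parameter violations, all in frame 1, even though `walk_amr` accepts every frame: the container layer alone is the wrong place to stop validating.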

Observed Post-Compromise Behavior

  • Unauthorized signing: CryptoTokenKit / identityservicesd invoked signing operations from a compromised context without UI prompts via spoofed Bluetooth identity triggering Auto-Unlock evaluation (no Secure Enclave key material exported).
  • SSV persistence: Zombie DSC binary embedded in hardware root-of-trust-sealed system volume. Canary token xTtC2 present in both the AMR payload and the recovered zombie binary — forensic thread confirming delivery chain and persistence implant are the same operation.
  • Live implant activity at shutdown: IOMFB_bics_daemon persisted across two SIGTERM cycles (AGX framebuffer hook); routined changed PID between SIGTERMs (active watchdog respawn); SafariSafeBrowsing.Service lingered past SIGTERM (network exfiltration channel held open).
  • System instability: Media decode failures correlated with PME enforcement logs, GPU/AppleDCP link errors, mediaplaybackd variant-switch loops, and occasional launchd/SoC stalls.
  • Propagation conditions: Peer token reuse across AWDL observed; potential cross-device risk if token caches survive.

Scope of Impact

  • Affected: iOS 18.4 and below (CVE-2025-31200, CVE-2025-31201); all iPhone 13–16 regardless of iOS version (BCM4387 hardware vector)
  • Patched: iOS 18.4.1 (Apr 16, 2025) — fixes CVE-2025-31200, CVE-2025-31201
  • Partially addressed: iOS 26.3 (Feb 11, 2026) — CVE-2026-20700 write path closed for new infections; existing implants not removed
  • Unpatched: BCM4387 coexistence SRAM — no CVE, no firmware update, affects all iPhone 13–16
  • Vector: Zero-click iMessage/SMS from known sender (bypasses BlastDoor/Blackhole)
  • Primary component: AudioConverterService (CoreAudio AMR decoder) → AppleBCMWLAN.dext (kernel escalation) → BCM4387 coexistence SRAM (hardware pivot) → SSV (persistence)
  • Privileges required: None (initial); kernel achieved post-chain
  • Impact summary: Integrity (unauthorized signing, token/device impersonation) + Confidentiality (AGX framebuffer capture, HID surveillance) + Availability (system stalls); SSV persistence survives all user-accessible remediation paths

Disclosure Timeline

  • Reported to Apple: Dec 20, 2024
  • Re-reported to Apple & US-CERT: Jan 21, 2025 (Tracking ID: VRF#25-01-MPVDT)
  • Shared with Google Project Zero / Research Team: Apr 11, 2025
  • Patched by Apple (CVE-2025-31200, CVE-2025-31201): Apr 16, 2025 (iOS 18.4.1)
  • CVE assignments: CVE-2025-31200 and CVE-2025-31201
  • CISA KEV listing (both CVEs): Apr 16, 2025 — federal patch deadline May 8, 2025
  • Apple acknowledged SSV persistence (CVE-2026-20700): Feb 11, 2026 (iOS 26.3)
  • BCM4387 coexistence SRAM submitted to Broadcom PSIRT: Mar 2026 — no CVE assigned, no patch issued

Impact Statement

An attacker triggering this chain remotely can achieve:

  • Kernel-level compromise
  • Runtime co-option of Secure Enclave signing primitives
  • Impersonation of device identities
  • Forgery of identity-bound tokens
  • Persistent implant surviving DFU restore, factory reset, and OTA update
  • Hardware-level Bluetooth pivot unaddressed by any available iOS update

Severity: Critical (CVSS 3.1 chain-aware 10.0)
Operational risk: High; BCM4387 hardware pivot unpatched on all iPhone 13–16; confirmed infected devices have no available remediation path.



Recommendations

  • Enforce BlastDoor / attachment inspection for all messages; do not bypass based on sender metadata. Extend validation to codec bitstream parameters, not only container frame structure.
  • Apply rigorous input validation for all decoder parameters including AMR pitch lag, LSF coefficients, and codebook indices against 3GPP TS 26.090 legal ranges.
  • Implement runtime attestation for CryptoTokenKit / Secure Enclave signing operations to verify caller integrity and entitlements.
  • Harden wireless driver surfaces and IOKit entrypoints against malformed kernel data; audit AMPDU subframe length handling in AppleBCMWLAN.
  • Extend BCM4387 IOMMU protection boundary to cover the coexistence SRAM region (0x102000–0x1173FF). Requires Broadcom firmware update distributed via iOS update infrastructure.
  • Monitor system logs for IOMFB_bics_daemon SIGTERM persistence, routined PID changes at shutdown, identityservicesd / ctkd anomalies, and unexpected SafariSafeBrowsing activity.
  • Use ZombieHunter and Citizen Lab MVT for device integrity assessment. Note: DFU restore does not remove existing SSV-layer implants.
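The monitoring recommendation above names three shutdown-time signals: a daemon that outlives a SIGTERM and gets a second one, a process whose PID changes between SIGTERMs, and a service that never exits after being signalled. The following is an added example, not code from this repository, of how to express those three checks over a log. The line format `<date> <time> SIGTERM|EXIT <process>[<pid>]` and every log line in `SAMPLE_LOG` are constructed for the example; real unified-log output would need its own parser in front of `find_shutdown_anomalies`.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Constructed line format for this example (not the real unified-log text):
#   <date> <time> SIGTERM|EXIT <process>[<pid>]
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<event>SIGTERM|EXIT) (?P<name>[\w.]+)\[(?P<pid>\d+)\]$"
)


def parse_shutdown_log(text: str) -> list[tuple[datetime, str, str, int]]:
    """Turn log text into (timestamp, event, process name, pid) tuples, oldest first.
    Lines that do not match the constructed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, m["event"], m["name"], int(m["pid"])))
    events.sort(key=lambda e: e[0])
    return events


def find_shutdown_anomalies(events: list[tuple[datetime, str, str, int]]) -> dict[str, list[str]]:
    """Return {process name: sorted tags} for processes that behave abnormally:
      resent_sigterm - the same PID was sent SIGTERM more than once (it survived the first)
      respawned      - SIGTERM went to more than one PID of that name (something relaunched it)
      lingering      - the last PID signalled never logged an EXIT
    """
    sigterm_pids: dict[str, list[int]] = defaultdict(list)
    exited_pids: dict[str, set[int]] = defaultdict(set)
    for _, event, name, pid in events:
        if event == "SIGTERM":
            sigterm_pids[name].append(pid)
        else:
            exited_pids[name].add(pid)

    findings: dict[str, list[str]] = {}
    for name, pids in sigterm_pids.items():
        tags = set()
        if len(pids) > len(set(pids)):
            tags.add("resent_sigterm")
        if len(set(pids)) > 1:
            tags.add("respawned")
        if pids[-1] not in exited_pids[name]:
            tags.add("lingering")
        if tags:
            findings[name] = sorted(tags)
    return findings


# Constructed shutdown log: one daemon signalled twice under the same PID, one
# respawned between SIGTERMs, one never exiting, and one that shuts down cleanly.
SAMPLE_LOG = """\
2026-03-09 17:13:59.100 SIGTERM IOMFB_bics_daemon[412]
2026-03-09 17:13:59.200 SIGTERM routined[530]
2026-03-09 17:13:59.300 SIGTERM SafariSafeBrowsing.Service[640]
2026-03-09 17:13:59.400 SIGTERM mediaplaybackd[455]
2026-03-09 17:13:59.900 EXIT mediaplaybackd[455]
2026-03-09 17:14:04.100 SIGTERM IOMFB_bics_daemon[412]
2026-03-09 17:14:04.200 SIGTERM routined[611]
2026-03-09 17:14:04.250 EXIT routined[611]
2026-03-09 17:14:05.000 EXIT IOMFB_bics_daemon[412]
"""

if __name__ == "__main__":
    for name, tags in find_shutdown_anomalies(parse_shutdown_log(SAMPLE_LOG)).items():
        print(f"{name}: {', '.join(tags)}")
```

On the sample, `IOMFB_bics_daemon` is tagged `resent_sigterm`, `routined` is tagged `respawned`, `SafariSafeBrowsing.Service` is tagged `lingering`, and `mediaplaybackd` produces no finding. A `respawned` process that later exits is still reported, because the relaunch itself is the signal of interest, not the final exit.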

License & Disclaimer

Released for defensive research and further study.
