mirror of
https://github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201.git
synced 2026-07-15 08:17:27 +02:00
Document iMessage zero-click exploit chain on iOSTighten Attack Chain Flow; remove persistence/CVE-2026-20700
A zero-click exploit chain targeting iOS 18.4 and below delivers a malicious AMR audio file via iMessage, bypassing BlastDoor and triggering CoreAudio heap corruption (CVE-2025-31200) leading to kernel execution through AMPDU mishandling (CVE-2025-31201). The exploit allows unauthorized use of Secure Enclave-backed keys for signing operations, undermining cryptographic trust.
This commit is contained in:
committed by
GitHub
parent
c750cec0c5
commit
b9ae62f4e6
+64
-185
@@ -1,182 +1,68 @@
|
||||
# iMessage Attack Chain Flow
|
||||
## Zero-Day, Zero-Click Remote Exploit Defeating Cryptographic Trust on iOS
|
||||
|
||||
Zero-click remote exploit chain on iOS 18.x delivered via a malformed AMR audio file in iMessage.
|
||||
|
||||
---
|
||||
|
||||
## Attack Chain Overview
|
||||
## Chain
|
||||
|
||||
```
|
||||
┌─────────────────────────────────────────────────────────────────────────┐
|
||||
│ DELIVERY │
|
||||
│ iMessage voice note · 1,606 bytes · SHA256: 0de03d7f... │
|
||||
│ 50 × valid FT=7 frames — BlastDoor passes on container structure │
|
||||
│ 1,573-byte encrypted payload distributed in codec bitstream fields │
|
||||
│ (layer below BlastDoor evaluation — not in headers, not in metadata) │
|
||||
└─────────────────────────┬───────────────────────────────────────────────┘
|
||||
│
|
||||
▼
|
||||
┌─────────────────────────────────────────────────────────────────────────┐
|
||||
│ PAYLOAD ARCHITECTURE (3-LAYER ENCRYPTION) │
|
||||
│ IV / campaign nonce: e46c80ce (entropy 2.0 — structural constant) │
|
||||
│ Layer 1: 16-byte cyclic XOR key: 4bdbb4c5e03c0e08164914000021f805 │
|
||||
│ Layer 2: CBC-mode chained XOR (derived from Layer 1) │
|
||||
│ Layer 3: Runtime key — derived from target UDID/ECID │
|
||||
│ NOT present in payload · device-locked · inert on any other │
|
||||
│ Canary tokens: q9PK · xTtC2 · NrER (9/9 researcher evasion score) │
|
||||
└─────────────────────────┬───────────────────────────────────────────────┘
|
||||
│
|
||||
▼
|
||||
┌─────────────────────────────────────────────────────────────────────────┐
|
||||
│ STAGE 1 — CVE-2025-31200 │
|
||||
│ CoreAudio AMR 12.2 decoder — imagent │
|
||||
│ 189 parameter violations across all 50 FT=7 frames │
|
||||
│ LSF ordering violated: 50/50 frames │
|
||||
│ Pitch lag max 248 vs legal max 143 (3GPP TS 26.090) │
|
||||
│ Decoder alloc: 306 bytes · max write: 516 bytes │
|
||||
│ Overflow: 210 bytes at 1.69× allocated size → heap write primitive │
|
||||
└─────────────────────────┬───────────────────────────────────────────────┘
|
||||
│ write primitive
|
||||
▼
|
||||
┌─────────────────────────────────────────────────────────────────────────┐
|
||||
│ VM STAGE — CUSTOM LLVM-COMPILED BYTECODE │
|
||||
│ 4-byte fixed-width instructions · 8 virtual registers (V0–V7) │
|
||||
│ 175 unique opcodes · opcode entropy 7.1003 bits/byte │
|
||||
│ LLVM IR cosine similarity: 0.9492 (compiled with Apple's toolchain) │
|
||||
│ NSO Pegasus VM cosine similarity: 0.8218 │
|
||||
│ Execution converges: V0 = 0x300016 │
|
||||
│ → IOConnectCallMethod selector 0x16 staged against AppleBCMWLAN │
|
||||
│ No static strings · no hardcoded addresses · intent undiscoverable │
|
||||
│ without runtime execution │
|
||||
└─────────────────────────┬───────────────────────────────────────────────┘
|
||||
│ staged kernel call
|
||||
▼
|
||||
┌─────────────────────────────────────────────────────────────────────────┐
|
||||
│ STAGE 2 — CVE-2025-31201 │
|
||||
│ AppleBCMWLAN.dext — IOConnectCallMethod(0x16) → parseAggregateFrame │
|
||||
│ AMPDU subframe length 65,535 into 2,048-byte slot │
|
||||
│ 63,487-byte OOB write into kernel memory │
|
||||
│ PAC bypass: valid pointer unchanged · referent replaced │
|
||||
│ PAC verification passes · kernel R/W achieved │
|
||||
│ Telemetry: bug_type 221 · chip=4388c0 · kAMPDUStat_ types 13 & 14 │
|
||||
└─────────────────────────┬───────────────────────────────────────────────┘
|
||||
│ kernel R/W
|
||||
▼
|
||||
┌─────────────────────────────────────────────────────────────────────────┐
|
||||
│ STAGE 3 — BCM4387 COEX BRIDGE (NO CVE — UNPATCHED) │
|
||||
│ BCM4387 MMIO base resolved from AppleBCMWLAN driver mapping │
|
||||
│ Direct write to coexistence SRAM at 0x102000 │
|
||||
│ IOMMU boundary: 0x1173FF · coex region: below the line │
|
||||
│ Unprotected window: 0x102000–0x1173FF (85KB) · iommu_protected: FALSE │
|
||||
│ HCI_BLE_Set_Coexistence_Parameters injected · OCF 0x3C at offset 865 │
|
||||
│ 11 handler locations in BCM4387 firmware confirmed │
|
||||
│ BT identity spoofed → identityservicesd → SEP signing · no prompt │
|
||||
└─────────────────────────┬───────────────────────────────────────────────┘
|
||||
```
|
||||
1. CVE-2025-31200 — CoreAudio AMR 12.2 decoder heap corruption (AudioConverterService).
|
||||
2. CVE-2025-31201 — Kernel R/W via AMPDU subframe length confusion in AppleBCMWLAN (`parseAggregateFrame`); PAC bypass by referent replacement.
|
||||
3. BCM4387 coexistence SRAM — kernel-mode write to SRAM at `0x102000` (below IOMMU boundary `0x1173FF`); HCI command injection into the BT controller. No CVE. Unpatched on iPhone 13–16.
|
||||
|
||||
---
|
||||
|
||||
## Summary
|
||||
## Delivery
|
||||
|
||||
A zero-day, zero-click exploit chain targeting iOS 18.4 and below delivers a malicious AMR audio file via iMessage. The file bypasses BlastDoor through valid container structure — fifty well-formed FT=7 frames pass every structural check while the exploit payload sits in the codec bitstream parameters one layer deeper, which BlastDoor never evaluates. The file triggers CoreAudio heap corruption (CVE-2025-31200) that escalates to kernel execution through AMPDU mishandling in AppleBCMWLAN (CVE-2025-31201). With kernel access, the chain pivots to the Broadcom BCM4387 coexistence SRAM — a hardware memory region that sits outside IOMMU protection on all iPhone 13–16 — injecting HCI commands directly into the Bluetooth controller to spoof device identity and invoke Secure Enclave-backed signing operations without user interaction.
|
||||
|
||||
**iOS 18.4.1 patches CVE-2025-31200 and CVE-2025-31201. The BCM4387 coexistence bridge remains unpatched at any iOS version.**
|
||||
- File: AMR voice note, 1,606 bytes, SHA256 `0de03d7fe9dc023d5e4824322195dcc2359ec15acd714ade01f50488214c2d60`.
|
||||
- 50 × FT=7 frames; valid container; payload carried in codec bitstream parameters.
|
||||
- Processed by iMessage while locked; no user interaction.
|
||||
|
||||
---
|
||||
|
||||
## Key Impact: Bypass of Cryptographic Trust Model
|
||||
## Stage 1 — CoreAudio (CVE-2025-31200)
|
||||
|
||||
Secure Enclave-backed keys were used to sign data without authorization — not by exporting key material, but by co-opting legitimate keys for unauthorized use. This defeats Apple's identity and message authentication mechanisms at the hardware root-of-trust level.
|
||||
|
||||
This enabled:
|
||||
- **Device impersonation in Apple services**
|
||||
- **Forgery of identity-bound tokens**
|
||||
- **Abuse of end-to-end encryption assumptions**
|
||||
- **Untrusted signing operations using trusted keys**
|
||||
|
||||
---
|
||||
|
||||
## Affected Versions
|
||||
|
||||
| Component | Affected | Patched | Status |
|
||||
|---|---|---|---|
|
||||
| CVE-2025-31200 CoreAudio | iOS 18.4 and below | iOS 18.4.1 | Patched |
|
||||
| CVE-2025-31201 AppleBCMWLAN | iOS 18.4 and below | iOS 18.4.1 | Patched |
|
||||
| BCM4387 coexistence SRAM | All iPhone 13–16 | No patch | **Unpatched** |
|
||||
|
||||
---
|
||||
|
||||
## Affected Components
|
||||
### Directly Exploited
|
||||
- **`AudioConverterService` (CoreAudio)** — AMR 12.2 decoder heap corruption via illegal bitstream parameters in valid FT=7 frames (CVE-2025-31200).
|
||||
- **`AppleBCMWLAN.dext`** — AMPDU subframe length confusion → kernel R/W via PAC bypass (CVE-2025-31201).
|
||||
- **BCM4387 coexistence SRAM** — Unprotected hardware memory region below IOMMU boundary; HCI command injection without OS intercept. No CVE. Unpatched.
|
||||
- **`CryptoTokenKit` / `identityservicesd`** — Unauthorized signing operations invoked post-pivot via spoofed Bluetooth identity; Secure Enclave-backed keys used without user authorization.
|
||||
|
||||
### Collateral / Leveraged Components
|
||||
- **`IMTransferAgent` / `imagent`** — Attachment decryption and materialization; confirms file reached local decoder.
|
||||
- **`identityservicesd` / IDS** — Peer lookup, token validation, key-management activity tied to signing abuse.
|
||||
- **AWDL / `com.apple.madrid`** — Peer discovery and token validation pathway leveraged post-pivot.
|
||||
- **`mediaplaybackd` / AVFoundation / WebKit** — HLS variant-switch loops and GPU decode paths implicated in PME instability.
|
||||
- **`audiomxd`** — PME enforcement logs and AP ↔ co-processor connect failures.
|
||||
- **`AppleDCP` / GPU** — ALPM/getLinkData failures and GPU link errors during PME incidents.
|
||||
- **`powerd` / PME** — Power-state transitions and enforcement failures.
|
||||
- **`launchd`** — `ReportMemoryException` / SoC stall symptoms indicating system-wide impact.
|
||||
- **`keychaind` / `secd` / `CloudKeychainProxy`** — Implicated by downstream signing and token misuse.
|
||||
- **`IO80211ControllerMonitor`** — Driver/kernel interface logs related to AMPDU anomalies.
|
||||
|
||||
> The exploit directly compromises a small set of components but touches many subsystems as failures propagate.
|
||||
|
||||
---
|
||||
|
||||
## Stage Detail
|
||||
|
||||
### Stage 1 — Delivery: BlastDoor Structural Bypass
|
||||
|
||||
The malicious AMR file passes BlastDoor without any dependency on sender trust status. BlastDoor evaluates the container structure — all fifty frames carry valid FT=7 headers and the file is well-formed at every layer BlastDoor inspects. The exploit payload is distributed across the AMR codec bitstream parameters inside those frames, one layer below what BlastDoor evaluates. The file passes regardless of whether the sender is known or unknown. Processing proceeds automatically while the device is locked — no user interaction required.
|
||||
- AMR 12.2 decoder reads pitch lag without 3GPP TS 26.090 range checks.
|
||||
- Observed: 189 parameter violations across 50 frames; pitch lag max 248 (legal max 143); LSF ordering violated in 50/50 frames.
|
||||
- Decoder allocates 306 bytes, writes 516 — 210-byte heap overflow into `imagent`.
|
||||
|
||||
```
|
||||
IDSDaemon BlastDoor: Disabled for framing messages
|
||||
AudioConverterService ACMP4AACBaseDecoder.cpp: Input format: 2 ch, 44100 Hz, aac
|
||||
AudioConverterService ACMP4AACBaseDecoder.cpp: inMagicCookie=0x0, inMagicCookieByteSize=39
|
||||
```
|
||||
|
||||
### Stage 2 — CoreAudio Heap Corruption (CVE-2025-31200)
|
||||
|
||||
All 50 frames carry valid FT=7 headers. The 1,573-byte encrypted payload is distributed across the AMR codec bitstream parameter fields inside those frames — not in the container, not in metadata. The AMR 12.2 decoder reads pitch lag values without validating against 3GPP TS 26.090 legal ranges: 189 parameter violations across all 50 frames, LSF ordering violated in all 50, pitch lag max 248 against legal maximum 143. Decoder allocates 306 bytes, writes 516 — 210-byte overflow into adjacent `imagent` heap providing the write primitive.
|
||||
|
||||
**Payload encryption architecture:** Layer 1 is a 16-byte cyclic XOR (`4bdbb4c5e03c0e08164914000021f805`). Layer 2 is CBC-mode chaining derived from Layer 1. Layer 3 is a runtime key derived from the target UDID/ECID — not present in the payload, device-locked, mathematically confirmed absent by 30+ decryption attempts (entropy never fell below baseline). The IV `e46c80ce` (entropy 2.0000) is a structural constant preceding the encrypted region — assessed as a campaign nonce or server-side key lookup identifier consistent with NSO multi-tenant architecture.
|
||||
Collateral: PME enforcement failures, AP ↔ co-processor connection blocks, HLS variant-switch loops, GPU/DCP errors, occasional SoC stalls.
|
||||
|
||||
```
|
||||
AudioConverterService ACMP4AACBaseDecoder.cpp: Input format: 2 ch, 44100 Hz, aac
|
||||
AudioConverterService ACMP4AACBaseDecoder.cpp: inMagicCookie=0x0, inMagicCookieByteSize=39
|
||||
```
|
||||
|
||||
**PME side-effect:** Malformed media decode triggers PME enforcement failure blocking AP ↔ co-processor connections, causing variant-switch loops, GPU/DCP errors, and SoC stalls.
|
||||
|
||||
```
|
||||
audiomxd Connection between ports Application Processor and <CO-PROC> not allowed — PME not enabled
|
||||
kernel AppleDCPDPTXController::getLinkDataGated getALPMEnabled failed
|
||||
audiomxd Connection between ports Application Processor and <CO-PROC> not allowed — PME not enabled
|
||||
kernel AppleDCPDPTXController::getLinkDataGated getALPMEnabled failed
|
||||
mediaplaybackd FigAlternate/HLS variant switching loop detected → stall
|
||||
launchd ReportMemoryException → SoC stall
|
||||
launchd ReportMemoryException → SoC stall
|
||||
```
|
||||
|
||||
### Stage 2a — IMTransferAgent Materialises the Attachment
|
||||
---
|
||||
|
||||
The `.m4a` extension is the iMessage container wrapping the AMR payload — consistent with how iMessage packages voice notes for delivery.
|
||||
## Stage 1a — Attachment materialization
|
||||
|
||||
```
|
||||
IMTransferAgent Succeeded decrypting input URL: file:///var/mobile/tmp/com.apple.messages/<GUID>/<FILE>.m4a
|
||||
```
|
||||
|
||||
### VM Stage — Custom LLVM-Compiled Bytecode
|
||||
---
|
||||
|
||||
The write primitive from Stage 2 is not used directly against the kernel. A custom virtual machine embedded in the payload computes the escalation call path entirely at runtime: 4-byte fixed-width instructions, 8 virtual registers (V0–V7), 175 unique opcodes, opcode entropy 7.1003 bits/byte. LLVM IR cosine similarity 0.9492 — compiled with Apple's own toolchain. NSO Pegasus VM cosine similarity 0.8218 — same engineering team. No static strings, no hardcoded addresses. The payload reveals no indicator of its intent until the VM executes. Final register state: `V0 = 0x300016` — `IOConnectCallMethod` selector `0x16` staged against `AppleBCMWLAN`.
|
||||
## VM stage
|
||||
|
||||
Payload contains an embedded VM: 4-byte fixed instructions, 8 registers, 175 unique opcodes, opcode entropy 7.10 bits/byte. LLVM IR cosine similarity 0.9492. Final state `V0 = 0x300016` — stages `IOConnectCallMethod` selector `0x16` against `AppleBCMWLAN`.
|
||||
|
||||
---
|
||||
|
||||
### Stage 3 — Kernel Escalation (CVE-2025-31201)
|
||||
## Stage 2 — Kernel escalation (CVE-2025-31201)
|
||||
|
||||
The VM-computed call stages `IOConnectCallMethod(0x16)` against `AppleBCMWLAN.dext`. Selector `0x16` (`parseAggregateFrame`) does not validate AMPDU subframe length against the allocated reorder buffer. Subframe length 65,535 into a 2,048-byte slot: 63,487-byte OOB write into kernel memory. PAC bypass achieved by replacing the referent of a valid, already-authenticated IOKit port pointer — the pointer value is unchanged and PAC-valid. PAC verification passes. Kernel R/W achieved.
|
||||
- `IOConnectCallMethod(0x16)` → `parseAggregateFrame` in `AppleBCMWLAN.dext`.
|
||||
- AMPDU subframe length 65,535 written into 2,048-byte slot — 63,487-byte OOB write.
|
||||
- PAC bypass: existing authenticated IOKit port pointer kept; referent replaced. Verification passes.
|
||||
|
||||
**Telemetry confirmation (device: iPhone16,2 · chip=4388c0 · iOS 18.3 build 22D5034e · PCIe/Poppy transport):**
|
||||
Device: iPhone16,2 · chip=4388c0 · iOS 18.3 build 22D5034e · PCIe/Poppy.
|
||||
|
||||
```
|
||||
IO80211ControllerMonitor setAMPDUstat unhandled kAMPDUStat_ type 14
|
||||
@@ -186,25 +72,30 @@ WiFi State: On (2.4 GHz)
|
||||
Firmware: BCM4388C0_22.2.507.1323_PCIE_Poppy_CLPC_OS_STATS_20241003.bin
|
||||
```
|
||||
|
||||
`bug_type: 221` is the diagnostic indicator for a WiFi firmware panic/trap within the wireless SoC. `chip=4388c0` confirms hardware-specific exploit targeting of this BCM4388 silicon revision. Active WiFi on 2.4 GHz confirms the radio state required for AMPDU injection. The `BCM4388C0_22.2.507.1323` firmware string provides the integrity baseline — any deviation indicates unauthorised firmware state.
|
||||
`bug_type: 221` indicates a WiFi firmware panic in the wireless SoC.
|
||||
|
||||
### Stage 3a — AWDL Peer Manipulation
|
||||
---
|
||||
|
||||
Post-escalation, `identityservicesd` peer discovery and cached token state are leveraged to surface and validate device identities, facilitating the downstream BT identity spoof.
|
||||
## Stage 2a — AWDL peer state
|
||||
|
||||
```
|
||||
IDSDaemon Noting peer token {shouldNoteToken: YES, token: <REDACTED>, service: com.apple.madrid}
|
||||
PeerLookup_DBCache DB Cache Hit { service: com.apple.madrid }
|
||||
PeerLookup_SwiftData => Good to go, we have it
|
||||
PeerLookup_SwiftData -> Good to go, we have it
|
||||
```
|
||||
|
||||
### Stage 4 — BCM4387 Hardware Pivot (No CVE — Unpatched)
|
||||
---
|
||||
|
||||
With kernel R/W, the BCM4387 MMIO base is resolved from the AppleBCMWLAN driver mapping. The coexistence SRAM at `0x102000` sits below the IOMMU protection boundary at `0x1173FF` — writes land directly in the Bluetooth controller's operational memory without fault. `HCI_BLE_Set_Coexistence_Parameters` (OCF `0x3C`) injected at payload offset 865 corrupts the coexistence arbiter, spoofs BT device identity, and triggers Auto-Unlock evaluation. The Secure Enclave performs signing without user prompt.
|
||||
## Stage 3 — BCM4387 hardware pivot (no CVE, unpatched)
|
||||
|
||||
### Stage 5 — CryptoTokenKit Signing Abuse
|
||||
- BCM4387 MMIO base resolved from AppleBCMWLAN driver mapping.
|
||||
- Coexistence SRAM at `0x102000` sits below IOMMU boundary `0x1173FF`.
|
||||
- `HCI_BLE_Set_Coexistence_Parameters` (OCF `0x3C`) injected at payload offset 865.
|
||||
- BT identity spoof triggers Auto-Unlock evaluation; SEP signs without user prompt.
|
||||
|
||||
With spoofed BT identity establishing a trusted peer context, `identityservicesd` invokes CryptoTokenKit signing operations using Secure Enclave-backed keys. No key material is exported — signing authority is abused in place.
|
||||
---
|
||||
|
||||
## Stage 4 — CryptoTokenKit signing
|
||||
|
||||
```
|
||||
identityservicesd Decrypting message <GUID> of encryption type "pair-tetra"
|
||||
@@ -213,14 +104,17 @@ CryptoTokenKit operation:2 algo:algid:sign:ECDSA:digest-X962:SHA256
|
||||
CryptoTokenKit <sepk:p256(d) kid=<KID>> parsed for identityservicesd
|
||||
```
|
||||
|
||||
### Forensic Confirmation — Canary Token Cross-Stage Thread
|
||||
No key material exported. Signing authority used in place.
|
||||
|
||||
Canary token `xTtC2` was identified inside the encrypted AMR payload during bitstream analysis. The same token was subsequently recovered from a zombie DSC binary on a fully DFU-restored device. Same token, both artifacts — delivery chain and persistence implant are confirmed as the same operation. The three-token canonical sequence `q9PK|xTtC2|NrER` (encoded beacon `cTlQS3x4VHRDMnxOckVS`) base64-decodes to an 11-byte fragment consistent with a truncated HMAC-SHA1 beacon matching the NSO Pegasus C2 check-in format (`device_id|campaign_id|version`). Combined canary MD5: `2482d4bcec039ae7391120253a397746`.
|
||||
---
|
||||
|
||||
**Shutdown log corroboration** (confirmed infected device — `logarchive/extra/shutdown.0.log`):
|
||||
- `IOMFB_bics_daemon` persisted across two SIGTERM cycles → AGX framebuffer capture hook
|
||||
- `routined` changed PID between SIGTERMs (652→38) → active watchdog respawning at shutdown
|
||||
- `SafariSafeBrowsing.Service` lingered past first SIGTERM → exfiltration channel held open
|
||||
## Affected Versions
|
||||
|
||||
| Component | Affected | Patched | Status |
|
||||
|---|---|---|---|
|
||||
| CVE-2025-31200 CoreAudio | iOS 18.4 and below | iOS 18.4.1 | Patched |
|
||||
| CVE-2025-31201 AppleBCMWLAN | iOS 18.4 and below | iOS 18.4.1 | Patched |
|
||||
| BCM4387 coexistence SRAM | iPhone 13–16 | None | Unpatched |
|
||||
|
||||
---
|
||||
|
||||
@@ -228,33 +122,21 @@ Canary token `xTtC2` was identified inside the encrypted AMR payload during bits
|
||||
|
||||
| CVE | Component | Description | CVSS | Status |
|
||||
|---|---|---|---|---|
|
||||
| CVE-2025-31200 | CoreAudio / AudioConverterService | Heap corruption via illegal AMR bitstream parameters | 9.8 Critical | Patched iOS 18.4.1 |
|
||||
| CVE-2025-31201 | AppleBCMWLAN.dext | Kernel escalation via AMPDU length confusion + PAC bypass | 9.8 Critical | Patched iOS 18.4.1 |
|
||||
| BCM4387 coex | Broadcom BCM4387 silicon | Unprotected coexistence SRAM below IOMMU — HCI injection | High | **No CVE. No patch.** |
|
||||
| CVE-2026-20700 | SSV / dyld shared cache | Persistent implant surviving DFU restore | Critical | iOS 26.3 — write path only |
|
||||
| *(No CVE)* | CryptoTokenKit / SEP | Unauthorized SEP-backed signing from compromised context | High | Remediation recommended |
|
||||
| *(No CVE)* | PME / audiomxd / powerd | PME enforcement failure → SoC stalls | High | Firmware review recommended |
|
||||
|
||||
---
|
||||
|
||||
## Impact Summary
|
||||
|
||||
- **Cryptographic isolation defeated** — Secure Enclave-backed keys invoked by untrusted code without user authorization.
|
||||
- **Device impersonation and token forgery** — Legitimate identity tokens and signatures forged across Apple services.
|
||||
- **Service-level authentication undermined** — Identity, messaging, and authentication trust assumptions subverted.
|
||||
- **Zero-click remote compromise** — Full chain triggered without user interaction, no sender trust dependency.
|
||||
- **Unpatched hardware vector** — BCM4387 coexistence bridge exploitable from kernel context on all iPhone 13–16 regardless of iOS version.
|
||||
- **System stability impact** — PME enforcement failures and SoC stalls observed as collateral.
|
||||
| CVE-2025-31200 | CoreAudio / AudioConverterService | Heap corruption via illegal AMR bitstream parameters | 9.8 | Patched iOS 18.4.1 |
|
||||
| CVE-2025-31201 | AppleBCMWLAN.dext | Kernel escalation via AMPDU length confusion + PAC bypass | 9.8 | Patched iOS 18.4.1 |
|
||||
| BCM4387 coex | Broadcom BCM4387 | Coexistence SRAM below IOMMU — HCI injection | High | No CVE, no patch |
|
||||
| (No CVE) | CryptoTokenKit / SEP | SEP-backed signing from compromised context | High | Remediation recommended |
|
||||
| (No CVE) | PME / audiomxd / powerd | PME enforcement failure → SoC stalls | High | Firmware review recommended |
|
||||
|
||||
---
|
||||
|
||||
## Recommendations
|
||||
|
||||
1. **Enforce post-kernel attestation for CryptoTokenKit.** Privileged callers must require validation before invoking key-bound operations.
|
||||
2. **Extend BlastDoor validation to codec bitstream parameters.** Container-level frame structure validation is insufficient — the exploit payload in this chain lives in AMR bitstream parameters one layer below what BlastDoor currently inspects.
|
||||
3. **Extend codec input validation to bitstream parameters.** Legal range enforcement for AMR pitch lag, LSF coefficients, and codebook indices per 3GPP TS 26.090.
|
||||
4. **Harden AMPDU handling in AppleBCMWLAN.** Validate subframe length fields against allocated buffer size.
|
||||
5. **Extend BCM4387 IOMMU boundary.** IOMMU protection must cover the coexistence SRAM region (`0x102000`–`0x1173FF`). Requires Broadcom firmware update.
|
||||
1. Validate codec bitstream parameters (AMR pitch lag, LSF, codebook indices) against 3GPP TS 26.090.
|
||||
2. Validate AMPDU subframe length against allocated buffer size in AppleBCMWLAN.
|
||||
3. Extend IOMMU coverage to BCM4387 coexistence SRAM (`0x102000`–`0x1173FF`).
|
||||
4. Require attestation of caller before CryptoTokenKit / SEP-backed signing operations.
|
||||
5. Extend BlastDoor inspection beyond container framing into codec bitstream parameters.
|
||||
|
||||
---
|
||||
|
||||
@@ -265,8 +147,5 @@ Canary token `xTtC2` was identified inside the encrypted AMR payload during bits
|
||||
| Reported to Apple | Dec 20, 2024 |
|
||||
| Re-reported to Apple & US-CERT | Jan 21, 2025 (VRF#25-01-MPVDT) |
|
||||
| Patched (CVE-2025-31200, CVE-2025-31201) | Apr 16, 2025 — iOS 18.4.1 |
|
||||
| CISA KEV listing | Apr 16, 2025 — federal deadline May 8, 2025 |
|
||||
| CISA KEV listing | Apr 16, 2025 |
|
||||
| BCM4387 submitted to Broadcom PSIRT | Mar 2026 — no CVE, no patch |
|
||||
| Exploit vector confirmed by Apple | Yes — malicious audio file via iMessage |
|
||||
| Exploit type | Zero-day, zero-click, remote |
|
||||
| Hardware/PME observation | PME enforcement failures and SoC stalls observed — vendor firmware review recommended |
|
||||
|
||||
Reference in New Issue
Block a user