mirror of
https://github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201.git
synced 2026-07-15 08:17:27 +02:00
cfe660902f80e9f37848cec33228e2001ee27043
CVE-2025-31200 & CVE-2025-31201 — iMessage Zero‑Click RCE Chain
Summary
This repository documents research into a zero‑click remote exploit chain affecting iOS 18.x. A malformed MP4 audio file delivered via iMessage triggers:
- Heap corruption in CoreAudio (CVE‑2025‑31200) — in AudioConverterService AAC decoding.
- Kernel escalation via AppleBCMWLAN/AMPDU handling (CVE‑2025‑31201) — leads to kernel code execution.
In post‑pivot testing, misuse of CryptoTokenKit signing operations was observed, invoking Secure Enclave–backed keys without interactive prompts. Apple patched the vulnerabilities in iOS 18.4.1.
Verified Behavior
- CVE‑2025‑31200 (CoreAudio) — Heap corruption in AudioConverterService AAC decoder via malformed
inMagicCookie. Zero-click, no user interaction required. - CVE‑2025‑31201 (AppleBCMWLAN) — Kernel privilege escalation following CoreAudio corruption. Fully reproducible on affected devices/builds.
- Zero-click delivery vector — Malicious media processed by iMessage while device is locked.
Observed Post-Compromise Behavior
- CryptoTokenKit / identityservicesd signing operations invoked from compromised context without UI prompts.
Important: No Secure Enclave key material was exported; observed misuse is limited to signing operations. - System instability / PME behavior — Media decode failures correlated with PME enforcement logs, GPU link errors, and mediaplaybackd variant switching, occasionally causing device stalls.
Affected Software & Devices
- iOS versions: 18.0 — 18.4 (patched in iOS 18.4.1)
- Patched by Apple: iOS 18.4.1 (April 16, 2025) — CVE‑2025‑31200 and CVE‑2025‑31201 fixed.
- Primary vulnerable component: AudioConverterService (CoreAudio) via iMessage / SMS.
- Chained component: RPAC / Pointer Authentication (PAC bypass, CVE‑2025‑31201).
- Post-exploitation impact: Wireless subsystem manipulation and CryptoTokenKit signing misuse (no key exfiltration observed).
Disclosure Timeline
- Found in the wild: Dec 20, 2024
- Reported to Apple & US‑CERT: Jan 21, 2025 (Tracking ID: VRF#25-01-MPVDT)
- Shared with Google Project Zero / Research Team: Apr 11, 2025
- Patched by Apple: Apr 16, 2025 (iOS 18.4.1)
- CVE assignments: CVE‑2025‑31200 and CVE‑2025‑31201
Impact Statement
An attacker who can trigger this chain remotely can achieve kernel-level compromise and co-opt Secure Enclave–backed signing primitives without exporting key material. This can enable impersonation of device identities and forgery of identity-bound tokens. Severity is high, and runtime hardening and mitigation are recommended.
Recommendations
- Enforce BlastDoor / attachment inspection for all messages; do not bypass based on sender metadata.
- Apply rigorous input validation for decoder parameters (e.g., inMagicCookie/codec metadata).
- Implement runtime attestation for CryptoTokenKit / Secure Enclave signing operations to verify caller integrity and entitlements.
- Harden wireless driver surfaces and IOKit entrypoints against malformed kernel data.
License & Disclaimer
Released for defensive research and further study.
Description
Languages
Markdown
100%