New Apple Exploit Vulnerabilities Explained

By Guy Nguyen-Phuoc on January 1, 2023

Introduction

On August 17, 2022 Apple released emergency security updates to address two critical zero-day vulnerabilities that have been used to compromise iPhones and Macs [1]. These vulnerabilities, labeled CVE-2022-32893 [2] and CVE-2022-32894 [3], affect WebKit and the Kernel respectively.

The devices affected by both vulnerabilities are:

  • Macs running macOS Monterey
  • iPhone 6s and later
  • iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

What is the Kernel?

The Kernel is a core component of the Operating System (OS) that acts as a bridge between applications and the data processing performed at the hardware level, using system calls and inter-process communication [4]. The Kernel holds the highest level of privilege in a computing system because it operates in Ring 0. Protection Rings, sometimes called ordered protection domains, are a mechanism used to improve fault tolerance and provide computer security. There are four levels of protection, from greatest to least privilege, Ring 0 to Ring 3. Figure 1 shows the Protection Rings.

Image showcasing the different rings of a kernel

Figure 1. Protection Ring diagram

Furthermore, Protection Rings offer two modes: Supervisor and Hypervisor [5]. Supervisor mode allows execution of all instructions, including privileged instructions, and gives access to address spaces, memory management hardware and other peripheral devices; the Kernel operates in this mode. In Hypervisor mode, virtualization instructions provided by the CPU are used to control “Ring 0” hardware access. Typically this is done via Ring 1 under the hypervisor.

Each ring is a superset of the less-privileged rings outside it. For example, Ring 1 holds all the privileges of Rings 2 and 3 in addition to its own higher-level privileges.

What is WebKit?

WebKit is the web browser engine used by Safari, Mail, App Store, and many other apps on macOS, iOS, and Linux [6]. CVE-2022-32893 is an issue in which processing maliciously crafted web content may lead to arbitrary code execution. Using specially crafted websites or malvertising, malicious actors could compromise vulnerable systems across the various platforms of the Apple ecosystem.

What is out-of-bounds?

Both CVEs are out-of-bounds issues that compromise different parts of the system. Out-of-bounds, or memory corruption, issues are caused by reading or writing past the intended memory allocation, either before the beginning or after the end of the buffer [7, 8]. An out-of-bounds write lets an attacker corrupt data, crash the process, or achieve code execution; an out-of-bounds read lets an attacker disclose sensitive information from other memory locations.

Write:

The software may modify an index or perform pointer arithmetic that references a memory location outside the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results. Figure 2 shows C code that causes an out-of-bounds write.

C code example of out-of-bounds write

Figure 2. C code over-allocating the buffer

Read:

A crash can occur when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation, such as a NUL in a string. The expected sentinel might not be located in the out-of-bounds memory, causing excessive data to be read and leading to a segmentation fault or a buffer overflow. The software may also modify an index or perform pointer arithmetic that references a memory location outside the boundaries of the buffer. A subsequent read operation then produces undefined or unexpected results. Figure 3 shows C code that causes an out-of-bounds read.

C code example of out-of-bounds read

Figure 3. C code not sanitizing the minimum value of the index

C code example of proper bounds checking

Figure 4. C code example of proper bounds checking
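The pattern behind Figures 3 and 4, as an added C example rather than the post's own figure code: a lookup that checks only the upper bound of the index (the Figure 3 flaw) beside a two-sided check for both reads and writes. The ID buffer and all function names are constructed for this example and are not taken from the vulnerable Apple code.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdbool.h>

/* Constructed sample buffer for the example (assumption, not from the post). */
#define ID_COUNT 8
static const int ids[ID_COUNT] = { 10, 20, 30, 40, 50, 60, 70, 80 };

/* Vulnerable pattern (the Figure 3 flaw): only the upper bound is checked,
   so a negative index reads memory before the start of the buffer.
   Never called with a bad index here; shown only for comparison. */
int get_id_unchecked_min(int index) {
    if (index < ID_COUNT) {          /* missing: index >= 0 */
        return ids[index];           /* out-of-bounds read when index < 0 */
    }
    return -1;
}

/* Hardened pattern (Figure 4 style): reject any index outside [0, ID_COUNT).
   A status flag is returned instead of a sentinel that could collide with
   real data, and *out is only written on success. */
bool get_id_checked(int index, int *out) {
    if (out == NULL || index < 0 || index >= ID_COUNT) {
        return false;
    }
    *out = ids[index];
    return true;
}

/* Hardened write: the same bounds check before storing into a caller-owned
   buffer. size_t cannot be negative, so one comparison covers both ends. */
bool set_byte_checked(unsigned char *buf, size_t buf_len, size_t pos,
                      unsigned char value) {
    if (buf == NULL || pos >= buf_len) {
        return false;
    }
    buf[pos] = value;
    return true;
}

int main(void) {
    int v = 0;
    unsigned char scratch[4] = { 0 };
    printf("read index 3  -> %s\n", get_id_checked(3, &v) ? "ok" : "rejected");
    printf("read index -1 -> %s\n", get_id_checked(-1, &v) ? "ok" : "rejected");
    printf("write at 4    -> %s\n",
           set_byte_checked(scratch, sizeof scratch, 4, 0xAA) ? "ok" : "rejected");
    return 0;
}
```

The rejected cases (index -1 and a write at position 4 of a 4-byte buffer) are exactly the accesses that would silently read or corrupt adjacent memory without the two-sided check.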

Typically, out-of-bounds exploits use the heap or stack in some way when they manipulate the pointers to specific locations. You can read more about the stack here [9].

What are the Mitigations to Memory Vulnerabilities?

There are various methods to mitigate memory vulnerabilities, ranging from safe coding practices to binary-level protections offered by the compiler. In recent years there has been a push for “memory-safe” programming languages to combat these exploits, such as the Rust [10] programming language. You can read more about various binary protections here.

References