CVE-2017-7066 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple iPhone OS

CVSS 6.5 - MEDIUM
Attack vector: ADJACENT_NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH
low complexity
apple
CWE-119

Summary

An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. tvOS before 10.2.2 is affected. The issue involves the "Wi-Fi" component. It allows attackers to cause a denial of service (memory corruption on the Wi-Fi chip) by leveraging proximity for 802.11.

Vulnerable Configurations

Part    Description    Count
OS      Apple          217

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Seebug

bulletinFamily: exploit
description:

Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS.

In order to reduce overhead on the host, some Broadcom Wi-Fi chips support TCP ACK Offloading. When this feature is enabled, the firmware keeps a list of active TCP connections, including the 4-tuple, the SEQ/ACK numbers, etc.

Before performing the offloading operation, incoming TCP packets are verified to ensure they are valid. During this verification process, the incoming packets' checksums are calculated. For IPv4 packets, the IPv4 header checksum and TCP/IPv4 checksum are calculated and compared to the checksums in the incoming packet.

On the BCM4355C0 SoC with firmware version 9.44.78.27.0.1.56, the offloading verification is performed in RAM function 0x1800C8. Here is a snippet of the approximate high-level logic for this function:

```
int function_1800C8(void* ctx, void* packet) {

    char* packet_data = *((char**)(packet + 8));
    unsigned short packet_length = *((unsigned short*)(packet + 12));
    char* packet_end = packet_data + packet_length;

    //Getting the ethertype. If there's a SNAP header, get the ethertype from SNAP.
    ...

    //Is this IPv4?
    if (ethertype == 0x800) {

        unsigned ip_header_length = (ip_header[0] & 0xF) * 4; //IHL * 4
        char* tcp_header = ip_header + ip_header_length;
        if (tcp_header > packet_end)
            return 0;

        //Make sure this is TCP
        if (ip_header[9] != 6) //IPv4->Protocol == TCP
            return 0;

        //Making sure the IP total length is valid
        unsigned short ip_total_length = (ip_header[2] << 8) | ip_header[3];
        unsigned tcp_length = ip_total_length - ip_header_length;
        if (tcp_header + tcp_length > packet_end)
            return 0;

        //Verify IPv4 checksum
        unsigned short ipv4_checksum = *((unsigned short*)(ip_header+10));
        if (ipv4_checksum != do_ipv4_checksum(ip_header, ip_header_length))
            return 0;

        //Verify TCP/IPv4 checksum
        unsigned short tcp_checksum = *((unsigned short*)(tcp_header+16));
        if (tcp_checksum != do_tcp_ipv4_checksum(ip_header, tcp_header, tcp_length))
            return 0;
        ...
    }
    ...
}

unsigned short do_ipv4_checksum(char* ip, unsigned len) {
    ...
    return internal_calculate_ipv4_checksum(..., ip + 12, len - 12);
}

unsigned short do_tcp_ipv4_checksum(char* ip, char* tcp, unsigned len) {
    ...
    return internal_calculate_tcp_ipv4_checksum(..., ip + 18, len - 18);
}
```

As can be seen, a few length verifications are missing from the snippet above:

1. The IHL field in the IPv4 header is not verified against its minimal allowed value (5). This means an attacker can provide an intentionally small value, such as zero. Doing so will cause the following accesses to be performed OOB (such as checking the IP header's protocol field, calculating the IPv4 checksum, etc).

2. The IP total length field is also not verified. An attacker can choose the total length field such that ip_total_length == ip_header_length. By doing so, tcp_length will contain the value zero. However, as the unsigned value (tcp_length - 12) is used as the length field in the internal TCP/IPv4 checksum calculation, this will cause the internal checksum calculation loop (RAM function 0x16DBF6) to receive a very large length field, causing a data abort due to an illegal access, which will therefore crash the firmware.

The bug can be addressed by validating that the IHL is not smaller than the minimal allowed value (5), and by ensuring that the IP total length field is large enough to contain the IPv4 and TCP headers.
id: SSV:96605
last seen: 2017-11-19
modified: 2017-09-29
published: 2017-09-29
reporter: Root
title: Broadcom: Denial of service and OOB read in TCP KeepAlive Offloading (CVE-2017-7066)
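
The two checks the Seebug description proposes (IHL of at least 5, and an IP total length large enough for both headers), written as a bounds-checked validator in C next to the unchecked length computation it replaces. This is an added example, not Broadcom's firmware code or the reporter's; the function names, the struct and the sample packets are constructed for illustration, and the IP version and TCP data-offset checks go slightly beyond the two fixes named in the description.

```c
#include <stddef.h>
#include <stdint.h>

#define IPV4_MIN_IHL   5u   /* minimum IHL, in 32-bit words */
#define TCP_MIN_HDR    20u  /* minimum TCP header, in bytes */
#define IPPROTO_TCP_ID 6u

/* Result of a successful validation (hypothetical struct for this example). */
struct tcp_segment {
    const uint8_t *tcp;    /* start of the TCP header */
    uint32_t tcp_length;   /* TCP header + payload, in bytes */
};

/* Constructed samples: a valid 40-byte IPv4/TCP packet, and one whose
 * total length equals the IP header length (tcp_length == 0). */
const uint8_t sample_ok[40]       = {0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6, [32] = 0x50};
const uint8_t sample_zero_tcp[40] = {0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, [32] = 0x50};

/* Length the page's snippet passes to the internal TCP checksum loop
 * (len - 18): unsigned arithmetic, so small inputs wrap to a huge value. */
uint32_t unchecked_checksum_len(const uint8_t *ip) {
    uint32_t ihl_bytes = (ip[0] & 0x0Fu) * 4u;
    uint32_t total = ((uint32_t)ip[2] << 8) | ip[3];
    return (total - ihl_bytes) - 18u;
}

/* Returns 1 and fills *out only if every later access stays inside
 * [ip, ip + avail); returns 0 otherwise. */
int validate_ipv4_tcp(const uint8_t *ip, size_t avail, struct tcp_segment *out) {
    if (avail < IPV4_MIN_IHL * 4u)
        return 0;                        /* fixed IPv4 header must be present */
    uint32_t ihl = ip[0] & 0x0Fu;
    if ((ip[0] >> 4) != 4u || ihl < IPV4_MIN_IHL)
        return 0;                        /* missing check 1: IHL >= 5 */
    if (ip[9] != IPPROTO_TCP_ID)
        return 0;
    uint32_t ihl_bytes = ihl * 4u;
    uint32_t total = ((uint32_t)ip[2] << 8) | ip[3];
    if (total > avail || total < ihl_bytes + TCP_MIN_HDR)
        return 0;                        /* missing check 2: room for both headers */
    const uint8_t *tcp = ip + ihl_bytes;
    uint32_t tcp_length = total - ihl_bytes;   /* cannot wrap after the check above */
    uint32_t data_off = (uint32_t)(tcp[12] >> 4) * 4u;
    if (data_off < TCP_MIN_HDR || data_off > tcp_length)
        return 0;                        /* TCP header itself must fit */
    out->tcp = tcp;
    out->tcp_length = tcp_length;
    return 1;
}
```
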