Proof-of-concept (PoC) code has been released for an iOS and macOS vulnerability, CVE-2023-41974, which can be chained with other flaws to take full control of a device. The vulnerability is a use-after-free in the kernel, a core component of both operating systems. The flaw can allow an application to execute arbitrary code with kernel privileges.
At the heart of this discovery is Félix Poulin-Bélanger, a security researcher who identified how multiple flaws within the kernel could be chained together. By demonstrating these vulnerabilities and publicly releasing the technical details, Poulin-Bélanger documents how he found the vulnerability and how he exploited it.
In recognition of his groundbreaking work, Poulin-Bélanger was awarded a $70,000 bounty from the Apple Security Bounty program. This accolade is not just a testament to his expertise but also a beacon of encouragement for researchers worldwide to delve deeper into the intricate web of cybersecurity.
The exploit, tested on recent Apple hardware including the iPhone 14 Pro Max and the MacBook Air M2 2022, highlights the reach and potential impact of this vulnerability. The release of the PoC exploit serves as a concrete demonstration of the CVE-2023-41974 flaw, offering practical insight into the nature of this vulnerability.
Further elevating his contribution, Poulin-Bélanger has established a repository on GitHub, aptly named kfd (kernel file descriptor), containing his in-depth research on the kernel memory of Apple devices. The kfd project is an effort to read and write kernel memory on Apple devices. It exploits various vulnerabilities to obtain dangling PTEs (page table entries), which the project refers to as a PUAF (physical use-after-free) primitive. Certain kernel objects are then reallocated into those physical pages and modified directly from user space through the dangling PTEs, yielding a KRKW (kernel read/write) primitive. The project, packaged as the libkfd library, also includes executable wrappers for both iOS and macOS.