A security researcher has published details and proof-of-concept (PoC) code for CVE-2024-27815, a vulnerability in the XNU kernel that could be exploited to execute arbitrary code with kernel privileges.
The vulnerability was introduced in XNU kernel version xnu-10002.1.13, which shipped with macOS 14.0 and iOS 17.0. It was identified in the sbconcat_mbufs function, which handles message buffers (struct mbuf) used in various networking and BSD components of the kernel.
Joseph Ravichandran of MIT CSAIL reported the issue, noting that the vulnerability affects kernels compiled with CONFIG_MBUF_MCACHE. Ravichandran verified the existence of the bug on x86_64 builds of macOS 14.2, 14.3, and 14.4.
The root cause of CVE-2024-27815 lies in the handling of message buffers in the kernel. Message buffers, or mbufs, consist of a header and a data portion, both of fixed size. In the affected kernels, the total size of a message buffer (_MSIZE) is 256 bytes, with the header occupying 32 bytes, leaving 224 bytes (MLEN) for the data portion.
The vulnerability is triggered by a faulty bounds check in the sbconcat_mbufs function. The macro guarding the check compares _MSIZE, the size of the whole buffer, against UINT8_MAX (255, the largest value a byte can hold) instead of MLEN, the space actually available for data; because _MSIZE is 256, the check is never compiled in. An attacker can therefore write up to 255 bytes into a message buffer’s data field, which is only 224 bytes long, causing a buffer overflow.
Apple’s security advisory states, “An app may be able to execute arbitrary code with kernel privileges.” This out-of-bounds write issue, if exploited, can provide attackers with the ability to execute arbitrary code at the kernel level, potentially leading to full system compromise.
Apple addressed this vulnerability in XNU kernel version xnu-10063.121.3, released with macOS 14.5, iOS 17.5, and visionOS 1.2. The fix compares MLEN, not _MSIZE, to UINT8_MAX, so the bounds check is actually emitted and the overflow is prevented. When the constant MLEN is always larger than UINT8_MAX the compiler can optimize the check away, which remains safe because the CASSERT guarantees sa_len is at most 255.
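To make the guard behaviour concrete, the following C model is added here; it is not XNU code and not taken from Ravichandran’s write-up. It reproduces the 256/32/224 layout and the one-byte sa_len the article describes, puts the _MSIZE-based guard beside the MLEN-based one so the preprocessor effect is visible, and shows a copy routine that rejects an over-long record instead of overflowing the data field. All MODEL_/model_ names are placeholders chosen for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the layout the article describes: a 256-byte
 * message buffer with a 32-byte header and 224 bytes of data. The sizes
 * are the article's; the names are placeholders, not XNU's. */
#define MODEL_MSIZE 256
#define MODEL_MHLEN 32
#define MODEL_MLEN (MODEL_MSIZE - MODEL_MHLEN) /* 224 */

struct model_mbuf {
    uint8_t hdr[MODEL_MHLEN];
    uint8_t data[MODEL_MLEN];
};

/* Address record whose length field is one byte, so sa_len <= UINT8_MAX. */
struct model_sockaddr {
    uint8_t sa_len;
    uint8_t sa_family;
    uint8_t sa_data[UINT8_MAX - 2];
};

/* Pre-fix guard: the check exists only when _MSIZE < UINT8_MAX. _MSIZE is
 * 256, so the preprocessor removes it and any sa_len up to 255 passes even
 * though the data field holds 224 bytes. Returns true if the copy proceeds. */
static bool copy_allowed_vulnerable(uint8_t sa_len)
{
    (void)sa_len; /* unused when the guard below is compiled out */
#if MODEL_MSIZE < UINT8_MAX
    if (sa_len > MODEL_MLEN)
        return false;
#endif
    return true;
}

/* Post-fix guard: compare MLEN instead. 224 < 255, so the check is kept and
 * rejects lengths past the data field. Were MLEN >= UINT8_MAX, no one-byte
 * sa_len could exceed it and dropping the check would be safe. */
static bool copy_allowed_fixed(uint8_t sa_len)
{
#if MODEL_MLEN < UINT8_MAX
    if (sa_len > MODEL_MLEN)
        return false;
#endif
    return true;
}

/* Hardened copy into the data field: refuses instead of overflowing.
 * Returns bytes copied, or -1 when the length is rejected. */
static int concat_sockaddr(struct model_mbuf *m, const struct model_sockaddr *sa)
{
    if (!copy_allowed_fixed(sa->sa_len))
        return -1;
    memcpy(m->data, sa, sa->sa_len);
    return sa->sa_len;
}

/* Build a zeroed record of the given length (constructed input) and try
 * to append it to a fresh buffer. */
static int try_concat(uint8_t sa_len)
{
    struct model_mbuf m;
    struct model_sockaddr sa;
    memset(&m, 0, sizeof m);
    memset(&sa, 0, sizeof sa);
    sa.sa_len = sa_len;
    return concat_sockaddr(&m, &sa);
}

int main(void)
{
    printf("vulnerable guard accepts sa_len 255: %d\n", copy_allowed_vulnerable(255));
    printf("fixed guard accepts sa_len 255:      %d\n", copy_allowed_fixed(255));
    printf("fixed copy of 224 bytes -> %d\n", try_concat(224));
    printf("fixed copy of 255 bytes -> %d\n", try_concat(255));
    return 0;
}
```

The point the model makes is that a compile-time guard keyed to the wrong constant silently disappears: there is no runtime trace of the missing check, so a review of the generated code (or a test that feeds the maximum one-byte length) is what catches it, not a test against typical inputs.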
For those interested in a deeper dive into the technical details, a proof-of-concept (PoC) exploit code and further CVE-2024-27815 analysis can be found through the resources provided by Joseph Ravichandran and MIT CSAIL.