PoC Code for iOS 16.2/macOS Ventura code execution (CVE-2022-42864) Published
A security researcher has published proof-of-concept (PoC) code for a macOS/iOS vulnerability in IOHIDFamily that could be exploited to execute arbitrary code with kernel privileges.
Tracked as CVE-2022-42864 (CVSS score of 7.0), the security defect was identified and reported by Tommy Muir (@Muirey03), with a patch available since the release of tvOS 16.2, macOS Monterey 12.6.2, macOS Ventura 13.1, macOS Big Sur 11.7.2, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2 in December last year.
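A quick way for an administrator to confirm that a Mac is running a build that carries the fix is to compare the installed version against the patched releases listed above. The following script is an added example, not code from the article, from Apple or from the researcher; the version floors (Big Sur 11.7.2, Monterey 12.6.2, Ventura 13.1) are taken from the release list above, while the tuple-based comparison, the `sw_vers` wrapper and the function names are this example's own design and assume a macOS host where `sw_vers` is on the path.

```python
"""Check whether a macOS build is at or above the release that fixed
CVE-2022-42864 (IOHIDFamily race condition).

Added example, not code from the advisory or from the researcher. The
patched version floors come from the December 2022 releases named in the
article: Big Sur 11.7.2, Monterey 12.6.2, Ventura 13.1. The comparison
logic and the sw_vers wrapper are this example's own (assumed) design.
"""
import subprocess
from typing import Optional, Tuple

# First macOS release per major version that contains the IOHIDFamily fix.
PATCHED_MACOS = {
    11: (11, 7, 2),   # macOS Big Sur 11.7.2
    12: (12, 6, 2),   # macOS Monterey 12.6.2
    13: (13, 1, 0),   # macOS Ventura 13.1
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '12.6.1' or '13.1' into a 3-tuple so versions compare numerically
    (plain string comparison would wrongly rank '12.6.10' below '12.6.2')."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected macOS version string: {text!r}")
    padded = parts + [0] * (3 - len(parts))
    return (padded[0], padded[1], padded[2])


def is_patched(version_text: str) -> Optional[bool]:
    """True if this release carries the fix, False if it predates it, and
    None if the major version is not one the release list covers
    (for example 10.15, which the article does not mention)."""
    version = parse_version(version_text)
    floor = PATCHED_MACOS.get(version[0])
    if floor is None:
        return None
    return version >= floor


def installed_macos_version() -> Optional[str]:
    """Read the running system's version via `sw_vers`; None off macOS."""
    try:
        out = subprocess.run(["sw_vers", "-productVersion"],
                             capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    current = installed_macos_version()
    if current is None:
        print("sw_vers not available; run this on a macOS host")
    else:
        verdict = is_patched(current)
        status = {
            True: "patched",
            False: "VULNERABLE - apply the update",
            None: "major version not covered by the CVE-2022-42864 release list",
        }[verdict]
        print(f"macOS {current}: {status}")
```

The check deliberately answers "not covered" rather than "patched" for major versions outside the advisory's list, so a later macOS release is never silently assumed to be fixed by this script alone; extend `PATCHED_MACOS` from the vendor's own release notes when you need to cover more versions.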
IOHIDFamily is a kernel extension that provides an abstract interface for communicating with human interface devices (HID), e.g. the touchscreen, buttons, accelerometer, etc. In user land, there are two kinds of APIs associated with IOHIDFamily: (1) the “public” ones, intended for HID driver writers; (2) the “private” ones, intended for event processing [1].
The PoC exploit targets CVE-2022-42864, a race condition in the kernel that could allow a remote attacker to execute arbitrary code on the system. By sending a specially crafted request, an attacker could trigger the race and run arbitrary code on the affected device.
According to researcher Muirey03, who published the PoC code for CVE-2022-42864: “The exploit currently achieves the same ‘arbitrary kfree’ primitive used in the multicast_bytecopy exploit. However, the subsequent exploit flow of multicast_bytecopy has been heavily mitigated against, so this is not a complete exploit; it merely demonstrates the severity of the issue.”
Possible consequences of successful exploitation include ransomware infection, data theft and backdoor installation, making it imperative that users apply the updates.