PoC exploit for execute arbitrary code in Apple products (CVE-2023-23504) released

Security researcher Adam Doupé of ASU SEFCOM has disclosed details of a now-patched security vulnerability in Apple macOS, Apple Watch, iPhone, iPad, and iPod that an attacker could exploit to execute arbitrary code with kernel privileges.

Tracked as CVE-2023-23504, the flaw concerns a heap underwrite vulnerability in the XNU kernel. XNU is the operating system used for a number of Apple products, including Macs, iPhones, iPad, Apple Watches, Apple TVs, and so on. The flaw exists in XNU’s dlil.c (which handles network interfaces) caused by an (uint16_t) integer overflow in if.c. This can be triggered by a root user creating 65536 total network interfaces.

Apple addressed the issue as part of macOS Ventura 13.2, macOS Monterey 12.6.3, watchOS 9.3,  iOS 15.7.3 and 16.3, and iPadOS 15.7.3 and iPadOS 16.3 updates released this month with improved memory handling.

The researcher wrote on the technical details: The root cause of CVE-2023-23504 is “When an interface is created in ifnet_attach:dlil.c, if_next_index:if.c is called to create a if_index on the ifnet_t ifp:

int idx = if_next_index();



    if (idx == -1) {

        ifp->if_index = 0;

        ifnet_lock_done(ifp);

        ifnet_head_done();

        dlil_if_unlock();

        return ENOBUFS;

    }

    ifp->if_index = (uint16_t)idx; // Vulnerability

This index is cast to a uint16_t.

if_next_index creates one chunk of memory that it splits into two: ifnet_addrs and ifindex2ifnet, and the comments for if_next_index hint at the problem:

“ifnet_addrs[] is indexed by (if_index – 1), whereas ifindex2ifnet[] is indexed by ifp->if_index.”

This means that when 65536 network interfaces are created, the last interface has a ifp->if_index of 0, and then ifnet_attach will write the allocated struct ifaddr * ifa out of the bounds of ifnet_addrs:

VERIFY(ifnet_addrs[ifp->if_index - 1] == NULL);

ifnet_addrs[ifp->if_index - 1] = ifa;

In a hypothetical attack scenario, an attacker could exploit this vulnerability to execute arbitrary code with kernel privileges by using a specially-crafted application and hosting it on a server, which could then be delivered to a possible target via social engineering, and malicious ads.

Adam Doupé reported the vulnerability to the Apple security team and released proof-of-concept (PoC) code demonstrating how the issue can be exploited to crash the system.