CVE-2013-0964

Vulnerability

The kernel in Apple iOS before 6.1 and Apple TV before 5.2 does not properly validate the arguments passed to the copyin and copyout functions. Specifically, the checks that prevent a user-mode process from directly accessing kernel memory are bypassed when the specified length is smaller than one page. This affects devices including iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later, and Apple TV 2nd generation and later [1], [2].

Exploitation

To exploit this vulnerability, a local user with access to the device’s user mode must craft a syscall or other kernel interface that invokes copyin or copyout with a length argument less than one page (e.g., a small integer). The kernel will then fail to validate the pointer and length, allowing the operation to proceed without the usual boundary checks. No additional authentication or user interaction beyond normal local access is required [2].

Impact

A successful exploit allows a local user-mode process to bypass intended pointer restrictions and access memory locations in the first page of kernel memory. This can lead to disclosure of sensitive kernel data or corruption of kernel structures, potentially resulting in privilege escalation or denial of service. The attacker gains the ability to read or write the first kernel page, which may contain critical kernel data structures [2].

Mitigation

Apple addressed this issue in the following software updates: - iOS 6.1, released on January 28, 2013 [1] - Apple TV 5.2, released on January 28, 2013 [2]

Users should update their devices to these or later versions. There are no known workarounds beside applying the updates. The vulnerability is not listed on CISA’s KEV as of the publication date [1], [2].