Full Report
The proof of concept starts by writing a bunch of A's to a file that is owned by root and read-only. Next, they run a C program that calls mlock on a mapping of that file. The file is still read-only and owned by root, but now contains a bunch of 0's.

VMEs (virtual memory entries) define the privileges a particular map has over a region's vm_object. The behavior VM_BEHAVIOR_ZERO_WIRED_PAGES can be set by a task on any vm_entry. However, there are no permission checks on this, so the zero_wired_pages flag gets set regardless. In vm_map_delete, the unwire function looks up the page of the underlying object and zeros out the relevant portion of it. Again, no permissions are checked at this point.

The next challenge is getting the page wired to something interesting. mlock is a wrapper around mach_vm_wire_kernel, which is able to perform writes. Using this, it's possible to mmap an interesting part of a page, mark it with VM_BEHAVIOR_ZERO_WIRED_PAGES, mlock the page, and have the kernel zero out parts of the data. A pretty classic, yet complicated to exploit, permissions issue. Neat!
Analysis Summary
# Vulnerability: macOS/iOS Kernel Arbitrary Data Zeroing via VM Permission Bypass
## CVE Details
- **CVE ID**: CVE-2021-30851
- **CVSS Score**: 7.8 (High) - *Estimate based on local privilege escalation vector*
- **CWE**: CWE-285 (Improper Authorization)
## Affected Systems
- **Products**: Apple macOS, iOS, iPadOS, watchOS, and tvOS.
- **Versions**:
  - macOS Big Sur prior to 11.6
  - iOS and iPadOS prior to 14.8
  - watchOS prior to 7.6.2
  - tvOS prior to 15
- **Configurations**: Systems using the Mach VM subsystem (Standard Apple OS architecture).
## Vulnerability Description
The vulnerability exists within the XNU kernel's virtual memory management subsystem. It stems from a lack of permission verification when setting specific memory behaviors on Virtual Memory Entries (VME).
Specifically:
1. **Improper Flag Setting**: A task can set the `VM_BEHAVIOR_ZERO_WIRED_PAGES` flag on any `vm_entry` without the kernel checking if the task has write permissions to the underlying `vm_object`.
2. **Unwire Manipulation**: When `vm_map_delete` is called (or during memory pressure/unmapping), the kernel's unwire function identifies pages marked with this flag and zeros them out.
3. **Permission Bypass**: Because `mlock` (a wrapper for `mach_vm_wire_kernel`) can be used to wire pages into memory regardless of the user's write access to the underlying file (e.g., a root-owned read-only file), an attacker can force the kernel to zero out data in sensitive files or system memory areas that should be immutable to the user.
## Exploitation
- **Status**: PoC Available.
- **Complexity**: High (Requires precise memory mapping and exploitation of XNU VM internals).
- **Attack Vector**: Local (The attacker must be able to execute code on the target system).
## Impact
- **Confidentiality**: None (The exploit zeros data rather than leaking it).
- **Integrity**: High (Allows an attacker to corrupt or modify critical system files, such as `/etc/passwd` or system binaries, by zeroing out specific bytes).
- **Availability**: High (Can be used to crash the system or disable security services).
## Remediation
### Patches
Apple addressed this issue by improving permission checks within the virtual memory management logic.
- **macOS Big Sur 11.6**
- **iOS 14.8 and iPadOS 14.8**
- **watchOS 7.6.2**
- **tvOS 15**
### Workarounds
No practical software workarounds exist; users must apply the official security updates provided by Apple.
## Detection
- **Indicators of Compromise**: Monitor for unexpected modifications (zeroing) of read-only system files or binaries.
- **Detection Methods**: Use file integrity monitoring (FIM) tools to detect unauthorized changes to critical system paths. Audit logs may show unusual `mlock` calls or memory mapping activity targeting sensitive system files.
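A file-integrity tool usually reports only that a hash changed. The helpers below, added here as an example and not part of the original report, compare a baseline snapshot of a monitored read-only file with its current bytes and isolate the signature this bug leaves: runs of 0x00 that replaced non-zero data with the file length unchanged. `PAGE_SIZE` and the sample byte strings are assumptions constructed for the demonstration; no real files are read.

```python
# Added example (not from the original report): isolate the zeroing signature
# of CVE-2021-30851 in file-integrity data. Inputs are constructed bytes.
PAGE_SIZE = 4096  # assumption: use 16384 on Apple silicon kernels


def zeroed_regions(baseline: bytes, current: bytes) -> list[tuple[int, int]]:
    """(offset, length) of each zero run in current that overwrote at least one
    non-zero baseline byte. Zero runs already present in the baseline are ignored."""
    regions, i, n = [], 0, min(len(baseline), len(current))
    while i < n:
        if current[i] != 0:
            i += 1
            continue
        j = i
        while j < n and current[j] == 0:
            j += 1
        if any(baseline[k] for k in range(i, j)):
            regions.append((i, j - i))
        i = j
    return regions


def classify_change(baseline: bytes, current: bytes) -> str:
    """'unchanged', 'zeroing-only' (every differing byte is now 0x00) or 'other'.
    Ordinary edits or updates are 'other'; the unwire path yields 'zeroing-only'."""
    if baseline == current:
        return "unchanged"
    if len(baseline) != len(current):
        return "other"
    changed = [c for b, c in zip(baseline, current) if b != c]
    return "zeroing-only" if all(c == 0 for c in changed) else "other"


def describe(baseline: bytes, current: bytes) -> list[str]:
    """One line per suspicious region with its page index, for a FIM alert."""
    return [f"zeroed {n} bytes at offset {off} (page {off // PAGE_SIZE}, "
            f"page offset {off % PAGE_SIZE})"
            for off, n in zeroed_regions(baseline, current)]


# Constructed sample: two pages of non-zero data; the first 256 bytes of the
# second page have been replaced with zeros, mimicking a zeroed wired page.
BASELINE = bytes(i % 251 + 1 for i in range(2 * PAGE_SIZE))
_cur = bytearray(BASELINE)
_cur[PAGE_SIZE:PAGE_SIZE + 256] = bytes(256)
CURRENT = bytes(_cur)

if __name__ == "__main__":
    print(classify_change(BASELINE, CURRENT))  # zeroing-only
    print("\n".join(describe(BASELINE, CURRENT)))
```

In a real deployment the baseline would come from the FIM tool's stored snapshot and `current` from the file on disk; a `zeroing-only` verdict on a root-owned read-only file is the case worth escalating.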
## References
- **Apple Security Update**: hxxps[://]support[.]apple[.]com/en-us/HT212807
- **Project Zero Bug Tracker**: hxxps[://]bugs[.]chromium[.]org/p/project-zero/issues/detail?id=2211
- **NVD Entry**: hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2021-30851