Posts

Showing posts from September, 2020

CVE-2020-9964 - An iOS infoleak

iOS 14 is now available to the public, and with it comes the iOS 14.0 security content update . One of the vulnerabilities you'll see listed is CVE-2020-9964, a vulnerability in IOSurfaceAccelerator, and my first infoleak :) Both myself (@Muirey03) and Mohamed Ghannam (@_simo36) are credited with the discovery of this vulnerability. I would not be at all surprised if I found out there were more people who knew about this. Apple describes the impact of this bug as "A local user may be able to read kernel memory" and refer to it as a "memory initialisation issue" in the description, so what is the bug? IOSurfaceAcceleratorClient::user_get_histogram IOSurfaceAcceleratorClient is the user client for the AppleM2ScalerCSCDriver IOService, and is one of the few user clients that can be opened from within the App Sandbox. We are interested in one particular external method on this user client, method 9, IOSurfaceAcceleratorClient::user_get_histogram . IOSurfaceAccelera...