DB: 2017-08-27

1 new exploits

HP-UX 11i - (swpackage) Stack Overflow Privilege Escalation
HP-UX 11i - 'swpackage' Stack Overflow Privilege Escalation

Apple iOS <= 10.3.1 - Kernel Exploit

files.csv

@@ -6027,7 +6027,7 @@ id,file,description,date,author,platform,type,port
 2569,platforms/solaris/local/2569.sh,"Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (2)",2006-10-16,"Marco Ivaldi",solaris,local,0
 2580,platforms/osx/local/2580.pl,"Xcode OpenBase 9.1.5 (OSX) - (root file create) Privilege Escalation",2006-10-16,"Kevin Finisterre",osx,local,0
 2581,platforms/linux/local/2581.c,"Nvidia Graphics Driver 8774 - Local Buffer Overflow",2006-10-16,"Rapid7 Security",linux,local,0
-2633,platforms/hp-ux/local/2633.c,"HP-UX 11i - (swpackage) Stack Overflow Privilege Escalation",2006-10-24,prdelka,hp-ux,local,0
+2633,platforms/hp-ux/local/2633.c,"HP-UX 11i - 'swpackage' Stack Overflow Privilege Escalation",2006-10-24,prdelka,hp-ux,local,0
 2634,platforms/hp-ux/local/2634.c,"HP-UX 11i - (swmodify) Stack Overflow Privilege Escalation",2006-10-24,prdelka,hp-ux,local,0
 2635,platforms/hp-ux/local/2635.c,"HP-UX 11i - (swask) Format String Privilege Escalation",2006-10-24,prdelka,hp-ux,local,0
 2636,platforms/hp-ux/local/2636.c,"HP-UX 11i - 'LIBC TZ' Enviroment Variable Privilege Escalation",2006-10-24,prdelka,hp-ux,local,0
@@ -9116,6 +9116,7 @@ id,file,description,date,author,platform,type,port
 41710,platforms/windows/local/41710.rb,"HP Intelligent Management Center < 5.0 E0102 - UAM Buffer Overflow (Metasploit)",2012-08-29,Metasploit,windows,local,0
 41711,platforms/windows/local/41711.rb,"VMware Host Guest Client Redirector - DLL Side Loading (Metasploit)",2016-08-06,Metasploit,windows,local,0
 41712,platforms/windows/local/41712.rb,"CADA 3S CoDeSys Gateway Server - Directory Traversal (Metasploit)",2013-02-02,Metasploit,windows,local,0
+42555,platforms/ios/local/42555.txt,"Apple iOS <= 10.3.1 - Kernel Exploit",2017-08-26,"Zimperium zLabs Team",ios,local,0
 41887,platforms/windows/local/41887.txt,"VirusChaser 8.0 - Buffer Overflow (SEH)",2017-04-14,0x41Li,windows,local,0
 42305,platforms/linux/local/42305.txt,"NfSen < 1.3.7 / AlienVault OSSIM < 5.3.6 - Privilege Escalation",2017-07-10,"Paul Taylor",linux,local,0
 41886,platforms/linux/local/41886.c,"Linux Kernel 4.8.0 UDEV < 232 - Privilege Escalation",2017-04-15,"Nassim Asrir",linux,local,0

platforms/ios/local/42555.txt

@@ -0,0 +1,38 @@
+Sources:
+https://github.com/doadam/ziVA
+https://blog.zimperium.com/ziva-video-audio-ios-kernel-exploit/
+
+ziVA
+
+An iOS kernel exploit designated to work on all 64-bit iOS devices <= 10.3.1
+
+More general information
+
+https://blog.zimperium.com/zimperium-zlabs-ios-security-advisories/
+
+https://blog.zimperium.com/ziva-video-audio-ios-kernel-exploit/
+
+Offsets modifications for other iOS devices
+
+Like a lot (if not most) of the iOS kernel exploits, this also requires offsets for each iOS device and version. Those will be posted in the close future (when I get more time) but should be acquired from AppleAVEDriver (you can get a hint on the offsets from the comments above them).
+
+Sandbox escape
+
+Like mentioned, AppleAVEDriver direct access requires sandbox escape (either mediaserverd sandbox context or no sandbox at all). Fortunately, Sandbox escape exploits have been released by P0, which means this can be used to completely compromise a kernel, and a step towards a full jailbreak.
+
+Is it a Jailbreak?
+
+This is a crucial part in a Jailbreak chain, but this never aimed to become a Jailbreak.
+
+Is this going to be a jailbreak?
+
+Maybe, if someone wants to work on that
+
+Credits
+
+Credit for finding the vulnerabilities, chaining them together, writing the exploit go to Adam Donenfeld (@doadam). Special thanks to Zuk Avraham (@ihackbanme), Yaniv Karta (@shokoluv) and the rest of the Zimperium team for the opportunity (and the paycheck).
+
+
+Proof of Concept:
+https://github.com/doadam/ziVA
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42555.zip