iMessage Media Parser Zero-Click → CoreAudio RCE → PAC/RPAC → Kernel → CryptoTokenKit Abuse


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

This page summarizes a modern iOS attack surface through an observed end-to-end zero-click exploit chain that uses iMessage automatic media parsing to compromise CoreAudio, bypass BlastDoor, defeat Pointer Authentication (PAC) via the RPAC path, escalate to the kernel, and finally abuse CryptoTokenKit for unauthorized key usage.

Warning: This is an educational summary to help defenders, researchers, and red teams understand the techniques. Do not use it for offensive purposes.

Chain overview

  • Delivery vector: a malicious audio attachment (e.g., .amr / MP4 AAC) sent via iMessage/SMS.
  • Auto-ingestion: iOS parses the media automatically for previews and conversions, with no user interaction.
  • Parser bug: a malformed structure hits CoreAudio’s AudioConverterService and corrupts heap memory.
  • Code exec in media context: RCE inside the media parsing process; reportedly bypasses BlastDoor isolation on specific paths (e.g., the “known sender” framing path).
  • PAC/RPAC bypass: once arbitrary R/W is obtained, a PAC bypass on the RPAC path allows stable control flow under arm64e PAC.
  • Kernel escalation: the chain turns userland exec into kernel exec (e.g., via wireless/AppleBCMWLAN code paths and AMPDU handling, as seen in the logs below).
  • Post-exploitation: with the kernel, use CryptoTokenKit to sign with Secure Enclave-backed keys, read sensitive data paths (Keychain contexts), intercept messages/2FA, silently approve actions, and enable covert surveillance (mic/camera/GPS) without prompts.

iMessage/BlastDoor attack surface notes

BlastDoor is a hardened service designed to process untrusted message content. However, the observed logs show paths where its protections can be bypassed when a message is framed as coming from a “known sender” and when other filters (e.g., Blackhole) are made more permissive:

text
IDSDaemon    BlastDoor: Disabled for framing messages
SpamFilter   Blackhole disabled; user has disabled filtering unknown senders.

Takeaways:

  • Automatic parsing still exposes a remote, zero-click attack surface.
  • Policy/context decisions (known sender, filtering state) can materially change the effective isolation.

CoreAudio: AudioConverterService heap corruption (userland RCE)

Affected component:

  • CoreAudio → AudioConverterService → AAC/AMR/MP4 parsing and conversion flows

Where the parser was hit (logs):

text
AudioConverterService    ACMP4AACBaseDecoder.cpp: inMagicCookie=0x0, inMagicCookieByteSize=39

Technique summary:

  • Malformed container/codec metadata (e.g., invalid/short/NULL magic cookie) causes a memory corruption during decode setup.
  • Triggers in the iMessage media conversion path without taps by the user.
  • Yields code execution in the media parsing process. The write-up claims this escapes BlastDoor in the observed delivery path, enabling the next stage.

Practical tips:

  • Fuzz AAC/AMR magic cookie and MP4 codec atoms when targeting AudioConverterService conversions.
  • Target heap overflows/underflows, OOB reads/writes, and size/length confusion around decoder initialization.

PAC bypass via RPAC path (CVE-2025-31201)

arm64e Pointer Authentication (PAC) impedes hijacking of return addresses and function pointers. The chain reports defeating PAC using an RPAC path once arbitrary read/write is available.

Key idea:

  • With arbitrary R/W, attackers can craft valid, re-signed pointers or pivot execution to PAC-tolerant paths. The so-called “RPAC path” enables control-flow under PAC constraints, turning a userland RCE into a reliable kernel exploit setup.

Notes for researchers:

  • Collect info leaks to defeat KASLR and stabilize ROP/JOP chains even under PAC.
  • Target callsites that generate or authenticate PAC in controllable ways (e.g., signatures generated on attacker-controlled values, predictable context keys, or gadget sequences that re-sign pointers).
  • Expect Apple hardening variance by SoC/OS; reliability hinges on leaks, entropy, and robust primitives.

Kernel escalation: wireless/AMPDU path example

In the observed chain, once in userland with memory corruption and a PAC bypass primitive, kernel control was achieved via code paths in the Wi‑Fi stack (AppleBCMWLAN) under malformed AMPDU handling. Example logs:

text
IO80211ControllerMonitor::setAMPDUstat unhandled kAMPDUStat_ type 14
IO80211ControllerMonitor::setAMPDUstat unhandled kAMPDUStat_ type 13

General approach:

  • Use userland primitives to build kernel R/W or controlled call paths.
  • Abuse reachable kernel surfaces (IOKit, networking/AMPDU, media shared memory, Mach interfaces) to obtain kernel PC control or arbitrary memory.
  • Stabilize by building read/write primitives and handling PPL/SPTM constraints where applicable.

Post-exploitation: CryptoTokenKit and identity/signing abuse

Once the kernel is compromised, processes such as identityservicesd can be impersonated and privileged cryptographic operations can be invoked through CryptoTokenKit without any user prompt. Example log lines:

text
CryptoTokenKit    operation:2 algo:algid:sign:ECDSA:digest-X962:SHA256
CryptoTokenKit    <sepk:p256(d) kid=9a86778f7163e305> parsed for identityservicesd

Impact:

  • Use Secure Enclave–backed keys to sign without consent (tokens, messages, payments), breaking trust models even if the keys are never extracted.
  • Silently intercept 2FA codes/messages; approve payments/transfers; enable covert mic/camera/GPS capture.

Defensive angle:

  • Treat post-kernel integrity breaks as a critical event: enforce runtime attestation for CTK consumers; reduce ambient authority; verify entitlements at use time.

Reproduction and telemetry hints (lab only)

  • Delivery: send the crafted AMR/MP4-AAC audio to the target device via iMessage/SMS.
  • Watch telemetry for the log lines quoted above around parsing and wireless-stack reactions.
  • Make sure devices are fully patched; test only in isolated labs.
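The telemetry check in the second bullet, as an added example that is not part of the original page: a small correlator that scans a log stream for the stage markers quoted above and reports which stages co-occur. The stage names, regexes and verdict thresholds are my own assumptions, and the sample log is constructed from the page's quoted lines plus benign noise.

```python
import re

# Stage markers built from the log lines quoted on this page. The regexes, stage
# names and verdict thresholds are my own; they are not Apple detection rules.
STAGES = {
    "blastdoor_off":   re.compile(r"BlastDoor: Disabled for framing messages"),
    "spamfilter_off":  re.compile(r"Blackhole disabled; user has disabled filtering"),
    "null_cookie":     re.compile(r"inMagicCookie=0x0, inMagicCookieByteSize=(\d+)"),
    "ampdu_unhandled": re.compile(r"setAMPDUstat unhandled kAMPDUStat_ type (\d+)"),
    "ctk_sign":        re.compile(r"CryptoTokenKit.*(algid:sign:ECDSA|parsed for identityservicesd)"),
}

def correlate(lines):
    """Map each stage to the 1-based line numbers where it appears, plus a verdict."""
    hits = {name: [] for name in STAGES}
    for num, line in enumerate(lines, 1):
        for name, rx in STAGES.items():
            m = rx.search(line)
            if not m:
                continue
            # A NULL cookie pointer next to a non-zero declared size is the mismatch
            # the page calls out; a NULL pointer with size 0 is a normal "no cookie".
            if name == "null_cookie" and int(m.group(1)) == 0:
                continue
            hits[name].append(num)
    parser_stage = bool(hits["null_cookie"])
    later_stage = bool(hits["ampdu_unhandled"] or hits["ctk_sign"])
    if parser_stage and later_stage:
        verdict = "chain_suspected"      # parser anomaly followed by kernel/CTK activity
    elif parser_stage or hits["ampdu_unhandled"]:
        verdict = "stage_anomaly"        # one stage alone: worth a look, not proof
    else:
        verdict = "clean"
    return {"hits": {k: v for k, v in hits.items() if v}, "verdict": verdict}

# Constructed sample log: the page's quoted lines interleaved with benign noise
# (line 3 uses a made-up non-NULL pointer value).
SAMPLE_LOG = [
    "IDSDaemon    BlastDoor: Disabled for framing messages",
    "SpamFilter   Blackhole disabled; user has disabled filtering unknown senders.",
    "AudioConverterService    ACMP4AACBaseDecoder.cpp: inMagicCookie=0x16f8a3c00, inMagicCookieByteSize=2",
    "AudioConverterService    ACMP4AACBaseDecoder.cpp: inMagicCookie=0x0, inMagicCookieByteSize=39",
    "IO80211ControllerMonitor::setAMPDUstat unhandled kAMPDUStat_ type 14",
    "CryptoTokenKit    operation:2 algo:algid:sign:ECDSA:digest-X962:SHA256",
    "CryptoTokenKit    <sepk:p256(d) kid=9a86778f7163e305> parsed for identityservicesd",
]

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```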

Mitigations and hardening ideas

  • Patch level: iOS 18.4.1 reportedly fixes this chain; keep devices updated.
  • Parser hardening: strict validation of codec cookies/atoms and their lengths; defensive decoding paths with bounds checks.
  • iMessage isolation: avoid relaxing BlastDoor/Blackhole in the “known sender” context for media parsing.
  • PAC hardening: reduce PAC-gadget availability; ensure signatures are bound to unpredictable contexts; remove bypassable PAC-tolerant patterns.
  • CryptoTokenKit: require post-kernel attestation and strong call-time entitlements for key-bound operations.
  • Kernel surfaces: harden wireless AMPDU/status handling; minimize attacker-driven inputs from userland after a compromise.
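The parser-hardening bullet in concrete form, as an added example (my own code, not CoreAudio's): a strict validator for the AudioSpecificConfig (ISO/IEC 14496-3), the innermost payload of an AAC magic cookie, assuming any ESDS wrapper has already been stripped. It refuses the NULL-pointer/non-zero-size combination seen in the log above, declared-size/buffer-length disagreement, truncation and reserved values before anything is sized from the cookie; the actual CoreAudio defect is not described on the page and this code does not claim to reproduce it.

```python
# Sampling-frequency index table from ISO/IEC 14496-3; 13 and 14 are reserved, 15 is escape.
SAMPLE_RATES = [96000, 88200, 64000, 48000, 44100, 32000, 24000, 22050, 16000, 12000, 11025, 8000, 7350]

class BitReader:
    """MSB-first bit reader that raises on over-read instead of reading past the buffer."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
    def read(self, nbits: int) -> int:
        if self.pos + nbits > len(self.data) * 8:
            raise ValueError("truncated AudioSpecificConfig")
        val = 0
        for _ in range(nbits):
            val = (val << 1) | ((self.data[self.pos >> 3] >> (7 - (self.pos & 7))) & 1)
            self.pos += 1
        return val

def parse_aac_cookie(cookie: "bytes | None", declared_size: int) -> dict:
    """Validate an AAC magic cookie before any decoder state is sized from it."""
    # Pointer/size agreement is checked before a single byte is dereferenced.
    if cookie is None:
        raise ValueError("NULL cookie with declared size %d" % declared_size)
    if declared_size != len(cookie):
        raise ValueError("declared size %d != buffer length %d" % (declared_size, len(cookie)))
    if len(cookie) < 2:
        raise ValueError("AudioSpecificConfig needs at least 2 bytes")
    r = BitReader(cookie)
    aot = r.read(5)
    if aot == 31:                        # escape: object types >= 32 use 6 more bits
        aot = 32 + r.read(6)
    sfi = r.read(4)
    if sfi == 15:
        rate = r.read(24)                # escape: explicit 24-bit sampling frequency
    elif sfi < len(SAMPLE_RATES):
        rate = SAMPLE_RATES[sfi]
    else:
        raise ValueError("reserved samplingFrequencyIndex %d" % sfi)
    channels = r.read(4)
    if not 1 <= channels <= 7:           # 0 and 8..15 need object-type-specific handling; reject
        raise ValueError("unsupported channelConfiguration %d" % channels)
    if rate == 0 or rate > 96000:        # policy cap, not a spec limit
        raise ValueError("implausible sampling rate %d" % rate)
    return {"object_type": aot, "sample_rate": rate, "channels": channels}

def rejects(cookie: "bytes | None", declared_size: int) -> bool:
    """True when the validator refuses the cookie; exercises the failure paths."""
    try:
        parse_aac_cookie(cookie, declared_size)
    except ValueError:
        return True
    return False
```

The two-byte cookie 12 10 is the common AAC-LC 44.1 kHz stereo configuration and passes; a NULL cookie with a declared size of 39 is rejected before any parsing happens.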

Affected versions (as reported)

  • iOS 18.x prior to iOS 18.4.1 (April 16, 2025).
  • Primary: CoreAudio → AudioConverterService (media auto-parsing path via iMessage/SMS).
  • Chained: PAC/RPAC path and kernel escalation via AppleBCMWLAN AMPDU handling.

